A sophisticated new phishing-as-a-service (PhaaS) platform, named VoidProxy, is actively targeting Microsoft 365 and Google accounts. This platform, which researchers at Okta Threat Intelligence recently discovered, is described as evasive and highly scalable. The platform’s main tactic is to use an adversary-in-the-middle (AitM) attack to steal login credentials, multi-factor authentication (MFA) codes, and session cookies in real time. This allows attackers to bypass security measures and gain full access to compromised accounts.
The attack begins with an email sent from a compromised account, often from legitimate email service providers like Constant Contact. These emails contain shortened links that redirect victims through multiple pages before landing them on a phishing site. The malicious sites are hosted on low-cost disposable domains and are protected by Cloudflare to hide the true IP address of the attacker. Before gaining access to the fake login page, visitors must first solve a Cloudflare CAPTCHA challenge, which helps filter out bots and makes the attack seem more legitimate.
Once a target is selected, they are presented with a page that perfectly mimics the look and feel of a Microsoft or Google login. The rest of the traffic is funneled to a benign welcome page. When a victim enters their credentials into the fake form, VoidProxy’s AitM proxy immediately relays the request to the real Google or Microsoft servers. For accounts that use federated logins, such as those with Okta for SSO, the victim is redirected to a second phishing page impersonating the Microsoft 365 or Google SSO flow with Okta. The proxy server continuously relays traffic between the victim and the legitimate service, capturing usernames, passwords, and MFA codes as they are entered.
After the victim successfully logs in, the legitimate service issues a session cookie. VoidProxy intercepts this cookie and creates a copy, which is immediately made available to the attackers on the platform’s administrative panel. This stolen session cookie allows the attackers to maintain access to the account without needing to log in again. However, Okta researchers noted a key finding: users with phishing-resistant authentications like Okta FastPass were protected from the attack flow and received alerts that their account was under threat.
To protect against sophisticated attacks like VoidProxy, researchers recommend several proactive measures. These include limiting access to sensitive apps only to managed devices, using risk-based access controls to flag unusual activity, and enforcing IP session binding for administrative applications. Additionally, forcing re-authentication for administrators attempting sensitive actions can help prevent attackers from using stolen session cookies to make changes to an account. By implementing these security practices, organizations can significantly reduce their risk of falling victim to advanced phishing platforms.
Reference:
