VoidProxy: AitM Phishing-as-a-Service Quietly Bypasses MFA at Scale

OTP accepted. Passkeys walk by.

TL;DR

Key Points

  • Enforce phishing-resistant authentication (FIDO2, Okta FastPass) to block AitM attacks.
  • Integrate VoidProxy IOCs and domain patterns into email/web gateways for early detection.
  • Monitor for session hijacking and anomalous access; automate session revocation.
  • Harden controls on ESP abuse and educate users on multi-stage phishing lures.
  • Prioritize rapid detection and response to BEC and credential theft incidents.

The story in 60 seconds

VoidProxy is a Phishing-as-a-Service platform enabling adversary-in-the-middle (AitM) attacks that bypass MFA and hijack sessions for Microsoft 365, Google Workspace, and SSO environments. It leverages compromised accounts at trusted email service providers, disposable TLDs, dynamic DNS, and Cloudflare Workers to evade detection and takedown. The platform’s admin panel allows even low-skilled actors to launch advanced phishing campaigns, resulting in credential theft, session hijacking, and business email compromise (BEC) across enterprise, finance, healthcare, education, and government sectors.

VoidProxy’s technical sophistication—real-time proxying, session token theft, and anti-analysis—makes legacy MFA (SMS, OTP) ineffective. Its rapid adoption is driving a surge in BEC and persistent account takeovers, especially in organizations slow to adopt phishing-resistant authentication. No nation-state links are confirmed, but eCrime actors are leveraging VoidProxy at scale.

Defenders must act quickly: enforce phishing-resistant authentication, integrate threat intelligence, harden email/web gateways, and train users to recognize evolving lures. Okta’s data shows that organizations using FIDO2/WebAuthn were not compromised by VoidProxy.


AlphaHunt



Why it matters

SOC

  • Monitor for logins from new locations/devices, especially after phishing alerts.
  • Flag emails from compromised ESPs (Constant Contact, Active Campaign, NotifyVisitors).
  • Alert on access to sensitive apps from unmanaged or rarely used networks.

IR

  • Preserve session tokens, authentication logs, and email headers for suspected AitM events.
  • Triage incidents involving disposable TLDs (.icu, .sbs, .xyz, etc.) and dynamic DNS domains.
  • Investigate BEC and lateral movement following credential compromise.

SecOps

  • Mandate phishing-resistant authenticators; phase out legacy MFA.
  • Restrict sensitive app access to managed devices; enforce IP session binding.
  • Integrate threat intel feeds (VoidProxy IOCs) into security controls.

Strategic

  • Accelerate adoption of phishing-resistant authentication org-wide.
  • Review and update incident response playbooks for AitM and session hijacking.
  • Engage with ESPs and industry partners to improve detection and takedown.

See it in your telemetry

Network

  • Detect outbound connections to disposable TLDs (.icu, .sbs, .xyz, .top, .home) and dynamic DNS (sslip[.]io, nip[.]io).
  • Monitor for multi-stage redirects and URL shorteners in inbound email links.
  • Flag traffic to Cloudflare Workers serving as phishing gatekeepers.

Endpoint

  • Alert on browser session token exfiltration or anomalous cookie access.
  • Monitor for new device registrations or logins from unmanaged endpoints.
  • Detect credential input on suspicious SSO or cloud login pages.
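The session-hijacking signal these bullets point at (and the "enforce IP session binding" control above), as an added detection example that is not from Okta's report or this newsletter: the key=value audit-log format, field names and sample lines are constructed for illustration, so adapt the parser to your IdP's export.

```python
import ipaddress
from datetime import datetime

# Key=value audit-log format is an assumption for this example; adapt parse_event to your IdP's export.
# A session captured through an AitM proxy is created from one address (the proxy's) and replayed
# from another (the operator's), so a session id presented from a new network is the signal.

def parse_event(line):
    """Parse 'k=v k=v ...' into a dict, converting ts to a datetime."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def network_of(ip):
    """Bind sessions to a /24 (IPv4) or /64 (IPv6) so NAT churn inside one network does not alert."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def detect_session_reuse(lines):
    """Return one alert per (session, new network) where a session id is presented from a
    network other than the one that established it."""
    bound, reported, alerts = {}, set(), []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        net = network_of(ev["src"])
        origin = bound.setdefault(ev["sid"], net)  # first network to present the session wins
        if net != origin and (ev["sid"], net) not in reported:
            reported.add((ev["sid"], net))
            alerts.append({
                "ts": ev["ts"].isoformat(), "user": ev["user"], "sid": ev["sid"],
                "bound_to": origin, "seen_from": net, "first_action": ev["action"],
                "response": "revoke session and require re-authentication with a phishing-resistant factor",
            })
    return alerts

# Constructed SSO audit lines (not real telemetry): the victim authenticates (via the proxy), then the
# captured cookie is replayed from a different network and used to create a mailbox rule (BEC setup).
SAMPLE_LOG = [
    "ts=2025-09-15T10:03:02Z user=jdoe@example.com sid=SID-41f2 src=198.51.100.23 action=login",
    "ts=2025-09-15T10:03:40Z user=jdoe@example.com sid=SID-41f2 src=198.51.100.23 action=mail.read",
    "ts=2025-09-15T10:05:10Z user=jdoe@example.com sid=SID-41f2 src=203.0.113.77 action=mail.read",
    "ts=2025-09-15T10:06:00Z user=jdoe@example.com sid=SID-41f2 src=203.0.113.77 action=mail.rule.create",
    "ts=2025-09-15T10:07:00Z user=asmith@example.com sid=SID-9ab0 src=198.51.100.23 action=login",
]
```

Feed the alerts to the revocation automation the Key Points call for; the first out-of-network action is kept in the alert so triage can see what the replayed session did.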

High Impact, Quick Wins

  • Enforce phishing-resistant authentication for all users; measure enrollment and coverage.
  • Integrate VoidProxy IOCs and domain patterns into email/web security; track detection rates.
  • Launch targeted phishing simulations mimicking VoidProxy TTPs; monitor user reporting and click rates.

Research

Historical Context

VoidProxy is a Phishing-as-a-Service (PhaaS) platform first publicly analyzed by Okta Threat Intelligence in September 2025. It represents a significant evolution in the PhaaS ecosystem, enabling a broad range of threat actors to conduct advanced adversary-in-the-middle (AitM) phishing campaigns. The platform is notable for its ability to bypass modern authentication controls, including multi-factor authentication (MFA), and for its rapid adoption in eCrime campaigns targeting enterprise cloud authentication systems, especially Microsoft 365, Google accounts, and federated SSO environments.

Timeline

  • September 2025: Okta Threat Intelligence publishes the first comprehensive technical analysis of VoidProxy, detailing its infrastructure, TTPs, and campaign patterns.
  • September 2025: CSO Online corroborates Okta’s findings and highlights the operational impact of VoidProxy in active phishing campaigns.
  • September 2025: Dark web monitoring firms and industry roundups note increased chatter about VoidProxy in cybercrime forums.

Origin

VoidProxy’s origin is attributed to the cybercriminal underground, with no direct ties to a specific nation-state APT group. Its design and operational model are consistent with eCrime PhaaS offerings, lowering the technical barrier for a wide range of actors. No credible primary source has reported language artifacts or nation-state attribution; all such claims should be considered speculative unless directly cited.

Countries Targeted

  1. United States – Primary target due to the prevalence of Microsoft 365 and Google Workspace in US enterprises.
  2. United Kingdom – High adoption of targeted cloud services and SSO providers.
  3. European Union countries – Similar enterprise cloud adoption and regulatory impact.
  4. Canada – Noted in Okta’s research as a region with significant enterprise targeting.
  5. Australia – Observed in global phishing campaigns leveraging VoidProxy.

Sectors Targeted

  1. Enterprise/Corporate (Microsoft 365, Google Workspace users) – Main focus due to the value of business email compromise and lateral movement.
  2. Financial Services – Targeted for fraud and data exfiltration.
  3. Healthcare – Sought for sensitive data and insurance fraud.
  4. Education – Targeted for credential harvesting and access to research data.
  5. Government – Targeted for access to sensitive communications and data.

Motivation

VoidProxy is financially motivated, designed to facilitate credential theft, session hijacking, BEC, financial fraud, and data exfiltration. Its PhaaS model enables both sophisticated and low-skilled actors to launch advanced phishing campaigns for profit.

Attack Types

  • Adversary-in-the-Middle (AitM) Phishing: Real-time interception of credentials, MFA codes, and session tokens.
  • Session Hijacking: Theft and reuse of valid session cookies for account takeover.
  • Business Email Compromise (BEC): Post-compromise fraud and lateral movement.
  • Credential Harvesting: Targeting enterprise and federated SSO accounts.
  • Infrastructure Evasion: Use of Cloudflare Workers, dynamic DNS, and disposable domains to evade detection and takedown.

Similar Threat Actor Groups

VoidProxy’s operational model and TTPs are similar to other PhaaS platforms such as EvilProxy and Caffeine, which also enable AitM phishing and session hijacking at scale.

Technical Infrastructure and TTPs

  • Delivery: Phishing lures are sent from compromised accounts of legitimate Email Service Providers (ESPs) such as Constant Contact, Active Campaign, and NotifyVisitors, leveraging their reputation to bypass spam filters.
  • Redirection: Embedded phishing links use URL shortening services (e.g., TinyURL) and multiple redirects to evade automated analysis.
  • Landing Pages: First-stage phishing pages are hosted on low-cost, disposable TLDs (.icu, .sbs, .cfd, .xyz, .top, .home), placed behind Cloudflare to hide real IP addresses.
  • Cloudflare Workers: Used as gatekeepers and lure loaders, filtering traffic and loading phishing content only for legitimate targets.
  • Dynamic DNS: Core infrastructure is hosted on dynamic DNS wildcard services (sslip[.]io, nip[.]io), resolving hostnames with embedded IP addresses.
  • AitM Proxy Engine: Relays authentication flows, captures credentials, MFA codes, and session tokens, and exfiltrates valid session cookies to attacker admin panels.
  • Admin Panel: Full-featured interface for campaign management, victim monitoring, and data extraction (manual download, Telegram bots, webhook alerts).
  • Anti-Analysis: Automated scanners are redirected to benign welcome pages, and Cloudflare CAPTCHA challenges are used to filter bots.
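The Redirection, Landing Pages and Dynamic DNS TTPs above, together with the Network checks under "See it in your telemetry", as one added detection example that is not from Okta's report or this newsletter: it classifies hostnames from web-proxy URLs by the indicators the write-up names (TinyURL, the listed disposable TLDs, and sslip.io/nip.io hostnames with an embedded IPv4 address). The proxy log lines are constructed, and the URL/hostname patterns are assumptions about those services' label formats.

```python
import re
from urllib.parse import urlparse

# Indicators from the write-up: URL shorteners used for redirection, disposable TLDs hosting
# first-stage landing pages, and wildcard DNS services whose hostnames embed an IP address.
SHORTENERS = {"tinyurl.com"}
DISPOSABLE_TLDS = {"icu", "sbs", "cfd", "xyz", "top", "home"}
WILDCARD_DNS = ("sslip.io", "nip.io")
# sslip.io / nip.io labels: dotted 203.0.113.7.nip.io, dashed 203-0-113-7.nip.io, or app.203-0-113-7.nip.io
_IP_TAIL = re.compile(r"(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})$")
_URL = re.compile(r"https?://[^\s\"'<>]+")

def embedded_ip(label):
    """Return the IPv4 address encoded in a wildcard-DNS label, or None."""
    m = _IP_TAIL.search(label)
    if m and all(int(g) < 256 for g in m.groups()):  # 999-1-1-1 matches the shape but is no address
        return ".".join(m.groups())
    return None

def classify_host(host):
    """Return a detection reason for a suspicious hostname, or None if nothing matched."""
    host = host.lower().rstrip(".")
    if host in SHORTENERS:
        return f"url-shortener:{host}"
    for base in WILDCARD_DNS:
        if host.endswith("." + base):
            ip = embedded_ip(host[: -len(base) - 1])
            return f"wildcard-dns:{base}" + (f" embeds {ip}" if ip else "")
    tld = host.rsplit(".", 1)[-1]
    return f"disposable-tld:.{tld}" if tld in DISPOSABLE_TLDS else None

def scan_proxy_log(lines):
    """Return (hostname, reason) for every URL in the log whose host matches an indicator."""
    hits = []
    for line in lines:
        for url in _URL.findall(line):
            host = urlparse(url).hostname
            reason = classify_host(host) if host else None
            if reason:
                hits.append((host, reason))
    return hits

# Constructed web-proxy lines (not real telemetry): a legitimate login, then the
# shortener -> disposable-TLD landing page -> wildcard-DNS proxy chain.
SAMPLE_LOG = [
    "2025-09-15T10:02:11Z src=10.20.30.40 GET https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-09-15T10:02:19Z src=10.20.30.40 GET https://tinyurl.com/abc123",
    "2025-09-15T10:02:20Z src=10.20.30.40 GET https://secure-docshare.sbs/view?id=7",
    "2025-09-15T10:02:24Z src=10.20.30.40 POST https://app.203-0-113-7.sslip.io/login",
]
```

A shortener hit alone is noisy; the sequence shortener, disposable TLD, wildcard-DNS host from one source within seconds is the pattern worth paging on, and the embedded IP gives the IR team a pivot to the proxy host itself.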

Recommendations, Actions, Suggested Pivots, Forecasts, Next Steps and References

(Specially baked for Paid Subscribers.)