VoidProxy Phishing Platform Threatens Microsoft 365 and Google Workspace Users

Cybersecurity researchers have disclosed VoidProxy, a sophisticated phishing-as-a-service platform that enables attackers to intercept login credentials and session tokens in real time. VoidProxy poses a growing threat to enterprise customers across Microsoft 365, Google Workspace, and federated identity providers.

Okta’s Threat Intelligence team discovered and analyzed the VoidProxy phishing-as-a-service platform. They describe it as scalable, evasive, and highly sophisticated, which makes it especially dangerous because it lowers the barrier for cybercriminals to launch hard-to-detect phishing attacks.

How does the VoidProxy attack work?

The VoidProxy attack begins with phishing emails sent from compromised accounts at legitimate email marketing services. These emails contain shortened links that lead selected victims to fake login pages that mimic Microsoft or Google sign-in portals. Users not targeted for credential theft are instead sent to a generic welcome page to avoid detection.

Once a victim enters their credentials, VoidProxy acts as a reverse proxy that silently relays the login request to the real service while capturing sensitive data (like usernames, passwords, and MFA codes). For federated accounts using single sign-on providers like Okta, the attack redirects users to a second-stage phishing page that imitates the SSO flow, allowing VoidProxy to intercept session cookies.

These stolen session tokens are then accessible to attackers through the platform’s admin panel. The infrastructure supporting this attack is hosted on disposable domains protected by Cloudflare. This adds CAPTCHA challenges and traffic filtering to enhance legitimacy and evade automated security scans.

How to protect your organization against VoidProxy attacks?

To protect organizations from attacks like VoidProxy, organizations should implement phishing-resistant authentication methods (such as FIDO2-based passkeys) can prevent attackers from hijacking sessions even if credentials are stolen. These methods bind authentication to the device and user, which makes it nearly impossible to reuse stolen tokens.

Additionally, organizations should deploy email filtering and link analysis tools to detect and block phishing emails. Moreover, security teams should monitor for unusual login patterns and use behavioral analytics to flag anomalies. It’s also recommended to use network-level protections (like secure web gateways and DNS filtering) to help prevent users from reaching malicious infrastructure.