Okta Security has released a new report on VoidProxy, a powerful Phishing-as-a-Service (PhaaS) platform that is being used in real-world attacks. The service targets Microsoft and Google accounts and can even trick users of third-party single sign-on (SSO) providers like Okta.
Okta says VoidProxy is highly evasive and scalable, which makes it a serious threat. It uses Adversary-in-the-Middle (AitM) attacks to steal usernames, passwords, MFA codes, and session cookies in real time. This allows attackers to bypass common security methods like SMS codes and authenticator apps.
The attacks usually start with phishing emails sent from compromised accounts on email services such as Constant Contact or ActiveCampaign. These emails contain shortened links that redirect users several times before landing on fake login pages.
The phishing pages are hosted on cheap domains under top-level domains like .icu, .xyz, or .top and hidden behind Cloudflare to make them harder to detect. Victims may also face CAPTCHA challenges before being shown fake Microsoft or Google login portals. Once login details are entered, VoidProxy captures the information and session cookies, giving attackers full access to the account.
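The delivery chain described above (a link that redirects several times and lands on a .icu, .xyz, or .top domain) can be hunted for in web-proxy logs. The following is an added example, not code from Okta's report; the log record layout, the `MIN_REDIRECTS` threshold, and all hostnames are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# TLDs the article names for the phishing landing pages.
SUSPECT_TLDS = {"icu", "xyz", "top"}
MIN_REDIRECTS = 2  # assumption: "several" redirects means at least two hops

# Constructed proxy log records: (user, requested URL, HTTP status, Location header)
SAMPLE_LOG = [
    ("alice", "https://short.example/a1", 302, "https://hop1.example/r?id=7"),
    ("alice", "https://hop1.example/r?id=7", 302, "https://hop2.example/go"),
    ("alice", "https://hop2.example/go", 302, "https://login.sample-landing.icu/"),
    ("alice", "https://login.sample-landing.icu/", 200, None),
    ("bob", "https://short.example/b2", 301, "https://news.example/story"),
    ("bob", "https://news.example/story", 200, None),
    ("carol", "https://shop.example.xyz/", 200, None),  # direct visit, no redirects
]

def tld(url):
    """Return the last DNS label of the URL's host, lower-cased."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()

def redirect_chains(records):
    """Rebuild per-user chains: a 3xx Location followed by a request for that URL."""
    open_chains, done = {}, []  # (user, expected next URL) -> URLs seen so far
    for user, url, status, location in records:
        chain = open_chains.pop((user, url), []) + [url]
        if 300 <= status < 400 and location:
            open_chains[(user, urljoin(url, location))] = chain
        else:
            done.append((user, chain))
    return done

def flag_suspect_chains(records):
    """Flag chains with enough redirects that end on a suspect TLD."""
    hits = []
    for user, chain in redirect_chains(records):
        redirects = len(chain) - 1
        if redirects >= MIN_REDIRECTS and tld(chain[-1]) in SUSPECT_TLDS:
            hits.append({"user": user, "redirects": redirects, "landing": chain[-1]})
    return hits

if __name__ == "__main__":
    for hit in flag_suspect_chains(SAMPLE_LOG):
        print(hit)
```

Requiring both conditions keeps ordinary visits to sites on these TLDs, and ordinary single-hop short links, out of the results.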
For accounts connected through Okta SSO, VoidProxy shows a second-stage phishing page to capture even more data. The stolen information is then sent to the attacker’s admin panel, where it can be used for business email compromise, fraud, or data theft.
Okta confirmed that accounts protected with phishing-resistant authentication, like Okta FastPass or hardware security keys, were not affected. These tools blocked the phishing attempts and warned users about the attack.
Okta recommends switching to strong, phishing-resistant authenticators, restricting sensitive apps to managed devices, and training users to recognize phishing emails. It also suggests that organizations set up risk-based policies and respond quickly to suspicious login attempts.