A new, industrialized phishing service called VoidProxy is being used by multiple criminal groups to intercept Google and Microsoft sign-ins in real time, harvest credentials, MFA responses and — critically — session cookies that let attackers impersonate users without needing passwords or codes, creating a rapid route to account takeover (ATO) across small businesses and large enterprises alike.

Background

Okta Threat Intelligence first raised the alarm to journalists and customers after tracing multiple active campaigns that route victims through an attacker-in-the-middle (AiTM) proxy dubbed VoidProxy. The attacks combine modern phishing-as-a-service (PhaaS) tooling with defensive-evasion techniques: shortened-URL redirect chains, low-cost disposable domains fronted by Cloudflare, CAPTCHA gating, and a full admin dashboard for the service's customers (criminals) that tracks stolen credentials and session cookies in real time. Okta's threat hunters told reporters they have observed high-confidence account takeovers in multiple organizations and continue to detect new VoidProxy infrastructure frequently. This activity is consistent with a broader industry shift: AiTM/PhaaS platforms have matured into turnkey, openly advertised marketplaces that lower the bar for account takeover at scale. (okta.com)

How VoidProxy works: the anatomy of the attack

1. Credible lures delivered from legitimate-looking senders

Campaigns begin with phishing lures sent from compromised or abused legitimate email services (marketing and notification platforms such as Constant Contact, ActiveCampaign/Postmark, NotifyVisitors and similar). Because the mail really is sent by those platforms, it carries valid SPF and DKIM results for the platform's sending domain, arrives from infrastructure that may already be on recipients' allow-lists, and so passes basic spam filters and looks trustworthy to recipients.

2. Multi-stage redirects and human-proof gating

The messages contain a shortened link (TinyURL and the like) that chains through several redirects. The final landing domain is often on a cheaply registered TLD such as .icu, .xyz, .top, .cfd or .home. Operators place the site behind Cloudflare and present a CAPTCHA (Cloudflare Turnstile or equivalent) so that only a human reaches the phishing page; automated URL scanners and detonation sandboxes see nothing but the challenge. Each hop also hides the final domain from the link that appears in the email, so reputation checks on that link alone rarely help. These steps significantly increase the campaign's survivability and lower detection rates, and they are a common pattern among modern PhaaS operations.

3. Adversary-in-the-middle proxy

Once a human completes the CAPTCHA, the victim is forwarded to a page that visually replicates a Google or Microsoft sign-in screen. The page is a reverse proxy: when the victim enters credentials and completes any required MFA challenge (any factor that is not bound to the site's origin, such as a one-time code or a push approval), the proxy relays those inputs in real time to the legitimate provider, and relays the provider's responses back, so the victim sees a normal, successful sign-in. The provider validates the interaction and issues a session cookie, which the proxy captures and stores before passing it along. That cookie is a bearer token: handed to the attacker, it yields an immediately authenticated session without the original credentials or another MFA factor. The technique, AiTM with session cookie exfiltration, is not new, but it is increasingly commoditized and automated by PhaaS vendors. Microsoft and other defenders have documented how stolen session cookies can be used to bypass MFA and enable follow-on access and Business Email Compromise (BEC). (microsoft.com)

4. Industrial telemetry and resale

VoidProxy is offered as phishing-as-a-service: buyers receive an admin panel showing live campaign metrics, stolen usernames, one-time codes and, critically, session cookies. Dashboards include geographic maps, daily counts and real-time alerts so buyers can take over an account the moment a stolen session arrives, before the cookie expires or the victim notices. Okta's investigators reported seeing dark-web ads for VoidProxy infrastructure dating back months, which indicates the platform has been marketed to multiple criminal actors, and Okta told reporters that several different gangs are actively using the service. The public-facing telemetry and subscription model mirror other PhaaS ecosystems that propelled the last wave of AiTM attacks.

Why session-cookie theft is uniquely dangerous

  • MFA bypass: An intercepted session cookie is, in effect, a proof of a completed authentication. With a valid cookie, an attacker can access web sessions and APIs without triggering MFA prompts or requiring the user’s credentials.
  • Stealth and persistence: Cookie-based access often looks like a normal authenticated session in logs, and unless defenders correlate unusual IPs, device fingerprints, or behavioral signals, the activity may go unnoticed.
  • Token longevity: Some session tokens persist across password resets or remain valid until they expire or are explicitly revoked. That permits attackers to maintain access after initial compromise.
  • Immediate monetization: Real-time dashboards and Telegram-style notifications in PhaaS kits allow criminals to exploit accounts instantly — exporting mailboxes, pivoting to BEC, or harvesting sensitive documents before any remediation occurs.
Microsoft’s own incident analyses have shown AiTM campaigns that stole cookies and used them to harvest mailboxes and conduct follow-on fraud at scale; industry telemetry has also documented PhaaS platforms that capture cookies and present them to customers in dashboards. (microsoft.com)
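The stealth point above (a replayed cookie looks like a normal session unless you correlate where it was issued with where it is used) is the basis of the most reliable AiTM detection. The following is an added example, not code from the article or from Okta or Microsoft: it runs two rules over constructed sign-in events. The event fields, the ASN table and the four-hour replay window are assumptions standing in for a real identity provider's sign-in log and a GeoIP/ASN lookup.

```python
"""Detection logic for AiTM session replay, run over constructed sign-in events.

Two signals are checked:
  1. an MFA-satisfied interactive sign-in from a hosting/cloud ASN the user has
     never signed in from (the proxy's egress IP, not the victim's network), and
  2. the same session identifier used from a different ASN shortly after it was
     issued (the attacker replaying the captured cookie).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ASN table (assumption): ip -> (asn, owner, is_hosting_provider)
ASN_TABLE = {
    "203.0.113.10": ("AS64496", "ExampleNet ISP", False),
    "198.51.100.77": ("AS64500", "CheapCloud Hosting", True),
    "192.0.2.200": ("AS64501", "AnotherVPS LLC", True),
}

# Constructed events: a normal sign-in, a sign-in relayed through an AiTM
# proxy, a replay of that session from the attacker's VPS, and benign activity.
EVENTS = [
    {"ts": "2025-09-10T09:00:05", "user": "alice@example.com", "type": "signin",
     "session": "S-1", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2025-09-10T11:30:00", "user": "alice@example.com", "type": "signin",
     "session": "S-2", "ip": "198.51.100.77", "mfa": True},
    {"ts": "2025-09-10T11:31:40", "user": "alice@example.com", "type": "activity",
     "session": "S-2", "ip": "192.0.2.200", "action": "mail.export"},
    {"ts": "2025-09-10T12:00:00", "user": "alice@example.com", "type": "activity",
     "session": "S-1", "ip": "203.0.113.10", "action": "mail.read"},
]
REPLAY_WINDOW = timedelta(hours=4)  # assumption: tune to your session lifetime


def asn_of(ip):
    """Stand-in for a GeoIP/ASN lookup."""
    return ASN_TABLE.get(ip, ("AS0", "unknown", False))


def detect_aitm_sessions(events, known_asns=None, replay_window=REPLAY_WINDOW):
    """Return (rule, user, session, detail) findings in event order.

    known_asns: optional {user: {asn, ...}} baseline; ASNs seen on non-hosting
    sign-ins are learned as the stream is processed.
    """
    known = defaultdict(set)
    for user, asns in (known_asns or {}).items():
        known[user].update(asns)
    issued = {}  # session id -> (user, asn it was issued to, issue time)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        asn, owner, hosting = asn_of(ev["ip"])
        if ev["type"] == "signin":
            # Rule 1: MFA completed from a hosting ASN this user has never used.
            if ev.get("mfa") and hosting and asn not in known[ev["user"]]:
                findings.append(("mfa-signin-from-hosting-asn", ev["user"],
                                 ev["session"], f"{ev['ip']} ({owner})"))
            issued[ev["session"]] = (ev["user"], asn, ts)
            if not hosting:
                known[ev["user"]].add(asn)
        elif ev["type"] == "activity" and ev["session"] in issued:
            # Rule 2: the cookie is used from somewhere other than where it was issued.
            user, issued_asn, issued_ts = issued[ev["session"]]
            if asn != issued_asn and ts - issued_ts <= replay_window:
                findings.append(("session-used-from-new-asn", user, ev["session"],
                                 f"issued to {issued_asn}, used from {asn} for {ev['action']}"))
    return findings


if __name__ == "__main__":
    for finding in detect_aitm_sessions(EVENTS):
        print(*finding, sep=" | ")
```

Both findings land on the same session, S-2, which is the one to revoke. Note that in a relayed sign-in the victim's own network never appears in the log: the MFA prompt is satisfied from the proxy's address, so the first rule fires at issue time, before any replay.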

The broader PhaaS landscape: where VoidProxy fits

VoidProxy is part of a crowded ecosystem of AiTM and PhaaS kits (EvilProxy, Evilginx, Tycoon 2FA, Rockstar 2FA and similar offerings) that provide phishing relay capabilities, anti-bot gating, multi-theme templates and admin dashboards. These kits were heavily observed in 2024 and 2025 and have driven massive volumes of phishing attempts; industry reports documented millions of PhaaS-driven attacks earlier in 2025 and high monthly volumes from prominent kits. The playbook is the same across them: a turnkey phishing proxy, CAPTCHAs and redirection layers, and a subscription portal that lets non-technical operators run campaigns. (blog.barracuda.com)
What makes VoidProxy notable — according to Okta’s reporting relayed to journalists — is how it combines these elements with targeted campaign tooling and a market-facing business model that attracts multiple distinct criminal groups. Okta’s investigators reported seeing activity as far back as mid-2024 for related kit ads and linked campaigns. The trend this represents is the industrialization of credential theft: sophisticated techniques packaged and rented to many hands. (okta.com)

Verifying the key claims: what's corroborated and what isn't

  1. Claim: VoidProxy captures credentials, MFA codes and session cookies in real time.
    • Verification: This behavior matches documented AiTM techniques and multiple vendor write-ups (Microsoft, Okta, and numerous threat reports) that demonstrate session cookie theft is feasible and used by modern kits. Microsoft publicly described cookie-theft AiTM attacks as early as 2022, and Okta has repeatedly warned about AiTM phishing and PhaaS evolution. The technical mechanics are well-established. (microsoft.com)
  2. Claim: Multiple criminal gangs are using VoidProxy and Okta has observed high-confidence account takeovers across entities.
    • Verification: Okta’s threat intelligence capabilities and customer telemetry are credible sources for such assessments; however, public, independently verifiable counts of VoidProxy-specific compromises are not available. Okta’s general warnings about AiTM and industry PhaaS observations are documented, but the exact “VoidProxy” victim tally reported to journalists remains internal to Okta’s investigation and reporting. That means the pattern is verified; the specific victim counts and actor identities disclosed to reporters are not independently verifiable at scale from public telemetry. Treat the specific numbers as Okta’s operational assessment rather than as independently corroborated public metrics. (okta.com)
  3. Claim: Ads for VoidProxy appeared on dark-web markets as far back as August 2024.
    • Verification: PhaaS advertising on underground forums and darknet marketplaces is a documented phenomenon across multiple kits. Okta and other threat researchers have historically traced kit advertisements to earlier months. But specific dark-web ad artifacts tied to the precise “VoidProxy” brand are controlled by the investigators; public replication of those exact ads is limited. This is credible and consistent with normal criminal-market behavior, but the specific August 2024 claim should be treated as reported by Okta rather than fully independently reproducible in open sources. (blog.barracuda.com)
  4. Claim: Phishing lures originate from compromised legitimate senders like Constant Contact, ActiveCampaign, Postmark and others.
    • Verification: Multiple PhaaS campaigns use compromised email-sending services to increase delivery and credibility; security reporting has repeatedly documented that tactic. Similar campaigns have been observed using those exact providers. This claim is well-supported by industry reporting.
In short: the technical method and the commercial model are well-established and corroborated by multiple vendors’ reporting. Some VoidProxy-specific operational details (exact victim counts, ad artifacts, timelines) are derived from Okta’s private telemetry and reporting to journalists and are not fully reproducible in public data dumps; they should be treated as highly credible but not independently enumerated in public datasets at the time of reporting. (okta.com)

What defenders and administrators need to do now

The good news: effective countermeasures exist, and many are straightforward to implement. The key is prioritizing phishing resistance rather than relying solely on traditional MFA mechanisms that AiTM kits can subvert.

Immediate steps (operational)

  1. Enforce phishing-resistant MFA: Require FIDO2/WebAuthn security keys or platform passkeys for administrators and high-risk user groups. Okta and other identity vendors explicitly recommend enrolling users in phishing-resistant authenticators (Okta FastPass, FIDO2/WebAuthn) to mitigate AiTM threats. (sec.okta.com)
  2. Shorten session lifetimes and automate revocation: Configure shorter maximum and idle session durations and establish automated workflows to revoke sessions on suspicious signals. A stolen cookie is worth only its remaining lifetime, so this bounds the attacker's window even when the phish succeeds. Okta and Microsoft have published guidance on session management and automatic disruption of AiTM attacks. (sec.okta.com)
  3. Tighten OAuth consent and app registrations: Prevent uncontrolled OAuth app registrations and require admin consent for third-party app permissions. Monitor for suspicious new applications and anomalous consent patterns. An attacker holding a stolen session frequently registers an app or grants it mailbox permissions so that access survives session revocation and a password reset.
  4. Endpoint and telemetry hygiene: Integrate endpoint detection and response (EDR) signals with identity platforms so you can block or challenge sign-ins originating from compromised or unmanaged devices. Use device hygiene as a condition in Conditional Access policies; a relayed sign-in arrives from the proxy, which cannot present a compliant-device claim, so a compliant-device requirement blocks it. (sec.okta.com)
  5. Email hardening and third-party sender controls: Enforce DMARC, SPF and DKIM at organizational domains; work with third-party senders to identify abuse. Know the limit: a lure sent through a compromised marketing platform passes authentication for that platform's domain, so these records stop spoofing of your own domain, not this lure class. Monitor for compromised outbound senders and be prepared to block or quarantine suspicious campaigns.

Tactical playbook for SOCs

  • Configure high-confidence AiTM detection rules: an MFA-satisfied sign-in from a hosting-provider address the user has never used, a session identifier reused from a second IP or ASN minutes later, unusual consent grants and rapid-fire OAuth token issuance, all correlated with EDR alerts; in web-proxy logs, look for shortener-to-CAPTCHA-to-login redirect chains.
  • Automate account suspension and session invalidation on confirmed AiTM detections; prepare playbooks for rapid forensic collection and re-issue of credentials and keys.
  • Prioritize users who have access to sensitive mailboxes, privileged systems, or high-value corporate accounts for passkey rollouts.
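The consent-flow correlation in the first bullet, as an added example (not code from the article or any vendor): it scores constructed consent-audit records and takes, as input, the users a sign-in detector has already flagged, so that a mailbox-reading app consented to minutes after a suspect sign-in ranks highest. Record fields, scope names, weights and the one-hour window are assumptions standing in for a real audit-log schema.

```python
"""Triage of OAuth consent grants as post-AiTM persistence, over constructed audit records.

After a cookie is stolen, a common follow-on is to consent to an attacker-controlled
app (Mail.Read, Files.Read.All, offline_access ...) so that access survives cookie
revocation and a password reset. This scores each grant and returns the ones worth
an analyst's time.
"""
from datetime import datetime, timedelta

# Assumption: scopes that give durable mailbox/file access or a refresh token.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "offline_access",
}
POST_SIGNIN_WINDOW = timedelta(hours=1)  # assumption

# Constructed consent-audit records.
CONSENTS = [
    {"ts": "2025-09-10T11:35:10", "user": "alice@example.com", "app": "Mail Backup Helper",
     "publisher_verified": False, "admin_consent": False,
     "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2025-09-10T09:10:00", "user": "bob@example.com", "app": "Contoso CRM",
     "publisher_verified": True, "admin_consent": False, "scopes": ["User.Read"]},
    {"ts": "2025-09-10T10:00:00", "user": "admin@example.com", "app": "Helpdesk Sync",
     "publisher_verified": True, "admin_consent": True, "scopes": ["Mail.Read"]},
]

# Constructed: users flagged by a sign-in detector, with the time of the suspect sign-in.
RECENT_SUSPICIOUS_SIGNINS = {
    "alice@example.com": datetime.fromisoformat("2025-09-10T11:30:00"),
}


def score_consent(record, suspicious_signins, window=POST_SIGNIN_WINDOW):
    """Return (score, reasons) for one consent grant; higher is more suspicious."""
    score, reasons = 0, []
    risky = sorted(HIGH_RISK_SCOPES.intersection(record["scopes"]))
    if risky:
        score += 3
        reasons.append(f"high-risk scopes {risky}")
    if not record["publisher_verified"]:
        score += 2
        reasons.append("unverified publisher")
    if not record["admin_consent"]:
        score += 1
        reasons.append("user consent, no admin review")
    flagged_at = suspicious_signins.get(record["user"])
    if flagged_at is not None:
        delta = datetime.fromisoformat(record["ts"]) - flagged_at
        if timedelta(0) <= delta <= window:
            score += 4
            reasons.append(f"granted {int(delta.total_seconds() // 60)} min after a suspicious sign-in")
    return score, reasons


def triage(records, suspicious_signins, threshold=6):
    """Return [(user, app, score, reasons)] for grants at or above threshold, highest first."""
    hits = []
    for rec in records:
        score, reasons = score_consent(rec, suspicious_signins)
        if score >= threshold:
            hits.append((rec["user"], rec["app"], score, reasons))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for user, app, score, reasons in triage(CONSENTS, RECENT_SUSPICIOUS_SIGNINS):
        print(f"{score:2d} {user} -> {app}: {'; '.join(reasons)}")
```

When a grant like Alice's is confirmed, revoking the user's sessions is not enough: remove the app's consent and the service principal and invalidate its refresh tokens, otherwise the attacker keeps mailbox access through the app after the cookie is gone.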

Why passkeys and FIDO2 matter, and what they do not solve alone

Passkeys and FIDO2 hardware or platform authenticators are designed to be phishing-resistant. Instead of transmitting a reusable credential or a one-time code, FIDO2 uses public-key cryptography, and two bindings make the assertion useless to a relay: the browser only lets a page request a credential whose RP ID matches the page's own domain, and it writes the page's real origin into the signed client data, which the provider checks against its own origin. A phishing proxy serves its page from its own domain, so it can neither obtain an assertion for the real provider's RP ID nor forward one that names the wrong origin. Unlike a one-time code, there is nothing the victim can type into the wrong page.
Okta has repeatedly recommended moving critical users to FIDO2/WebAuthn or Okta FastPass as the most effective mitigation against AiTM/PhaaS attacks; vendors and researchers agree this is the clearest way to break the economics of session-cookie resale. Two caveats: phishing-resistant MFA stops the credential phish, not the theft of an already-issued cookie by malware on the endpoint, so session lifetime and revocation controls still matter; and rollouts require hardware or platform support, user training, and careful fallback policies for lost devices, since a weak fallback (an OTP that can still be relayed) reopens the hole. (okta.com)
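The relay described in section 3 and the origin binding described here, as one added example (not code from the article, from Okta, or from any kit): a toy identity provider, a browser with a registered authenticator, and an attacker-in-the-middle proxy. The proxy relays a password plus one-time code and keeps the cookie; the same proxy cannot complete a WebAuthn ceremony. All names, origins and secrets are made up, and an HMAC over the same data stands in for the authenticator's ECDSA signature (so the toy IdP holds the key itself rather than a public key); the checks on origin and RP ID are the ones a real relying party and browser perform.

```python
"""Simulated AiTM relay against a password+OTP login and a WebAuthn login."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

IDP_ORIGIN = "https://login.example-idp.test"          # assumption
IDP_RP_ID = "login.example-idp.test"
PHISH_ORIGIN = "https://login.example-idp.test.account-verify.icu"  # proxy's own origin


def sign_assertion(key, rp_id, client_data):
    """Sign SHA-256(rpId) || SHA-256(clientDataJSON); HMAC stands in for ECDSA here."""
    msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdP:
    def __init__(self):
        self.users = {"alice": {"password": "hunter2", "otp": "123456"}}  # constructed
        self.fido_keys = {}   # user -> registered key (stand-in for the stored public key)
        self.sessions = {}    # cookie -> user
        self.mail = {"alice": ["Q3 payroll.xlsx"]}

    def register_fido(self, user, key):
        self.fido_keys[user] = key

    def login_password_otp(self, user, password, otp):
        u = self.users.get(user)
        if not u or u["password"] != password or u["otp"] != otp:
            raise PermissionError("bad credentials")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user   # a bearer token: whoever holds it is 'alice'
        return cookie

    def login_webauthn(self, user, challenge, client_data, signature):
        cd = json.loads(client_data)
        if cd["origin"] != IDP_ORIGIN or cd["challenge"] != challenge:
            raise PermissionError("origin/challenge mismatch")   # relying-party origin check
        expected = sign_assertion(self.fido_keys[user], IDP_RP_ID, client_data)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def fetch_mail(self, cookie):
        return self.mail[self.sessions[cookie]]


def browser_get_assertion(page_origin, rp_id, challenge, key):
    """Model of navigator.credentials.get(): the browser rejects an RP ID that is not a
    registrable suffix of the page host, and it writes the real page origin into clientDataJSON."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: rpId {rp_id} is not valid for {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    return client_data, sign_assertion(key, rp_id, client_data)


class AiTMProxy:
    def __init__(self, idp):
        self.idp, self.captured = idp, []

    def relay_password_otp(self, user, password, otp):
        cookie = self.idp.login_password_otp(user, password, otp)   # real login succeeds
        self.captured.append(cookie)                               # the cookie is copied
        return cookie                                              # victim gets a working session


def run_demo():
    idp = IdP()
    key = secrets.token_bytes(32)
    idp.register_fido("alice", key)
    proxy = AiTMProxy(idp)
    victim_cookie = proxy.relay_password_otp("alice", "hunter2", "123456")
    attacker_sees = idp.fetch_mail(proxy.captured[0])   # same mailbox, no password, no OTP
    challenge = secrets.token_hex(16)
    # The phishing page cannot even request an assertion for the real RP ID.
    try:
        browser_get_assertion(PHISH_ORIGIN, IDP_RP_ID, challenge, key)
        blocked_by_browser = False
    except ValueError:
        blocked_by_browser = True
    # Even if a signature over client data naming the phish origin existed (the victim's
    # key is used here only to show the IdP's independent check), the IdP rejects it.
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": PHISH_ORIGIN})
    try:
        idp.login_webauthn("alice", challenge, cd, sign_assertion(key, IDP_RP_ID, cd))
        blocked_by_idp = False
    except PermissionError:
        blocked_by_idp = True
    cd2, sig2 = browser_get_assertion(IDP_ORIGIN, IDP_RP_ID, challenge, key)  # real origin
    ok_cookie = idp.login_webauthn("alice", challenge, cd2, sig2)
    return {"cookie_replay_worked": attacker_sees == idp.fetch_mail(victim_cookie),
            "webauthn_blocked_by_browser": blocked_by_browser,
            "webauthn_blocked_by_idp": blocked_by_idp,
            "legit_webauthn_ok": ok_cookie in idp.sessions}


if __name__ == "__main__":
    print(run_demo())
```

The asymmetry is the whole point: the IdP in the first path cannot tell the proxy from the victim, because everything it receives is correct and came from the victim's keyboard; in the second path the signed material names where the ceremony actually ran, and nothing the victim does on the wrong page changes that.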

The wider ecosystem reaction: providers and standards

Industry providers have published mitigations and technical controls:
  • Okta: public recommendations on phishing-resistant authenticators, session management and integrations with EDR to deny risky authentication requests. Okta’s guidance emphasizes moving admins and high-risk groups to FIDO2 and enacting policies that enforce phishing-resistance. (sec.okta.com)
  • Microsoft: detection and automatic disruption capabilities in Microsoft 365 Defender and Defender XDR, including automated session revocation when AiTM activity is identified. Microsoft’s published analyses of AiTM campaigns underline cookie-theft as the core risk. (techcommunity.microsoft.com)
  • Email and network vendors: recommendations to detect PhaaS patterns (e.g., redirect chains, Cloudflare gating, suspicious user-agents linked to PhaaS toolkits) and to block suspicious outbound sending sources. Industry reporting also highlights how vendors like Barracuda and others observed PhaaS volumes jump during 2025. (blog.barracuda.com)
Standards bodies and interoperability efforts — including FIDO2 and enterprise profiles like IPSIE (Interoperability Profile for Secure Identity in the Enterprise) — are being pushed by vendors and researchers as structural defenses. Consistent adoption of such standards would make it easier for identity providers and devices to coordinate session invalidation and device-level logout across browser contexts when malicious infrastructure is detected. Okta has urged continued support for such standards to enable cross-domain session invalidation and rapid remediation. (sec.okta.com)

Attack surface and risk analysis for Windows-focused organizations

For Windows-centric enterprises that rely on Microsoft 365 and Google Workspace, VoidProxy-like campaigns present several practical risks:
  • Credential and session theft enabling lateral movement: Compromised mailboxes can be used to pivot to partners, suppliers and internal teams, escalating supply-chain and BEC risk.
  • Data exfiltration via Graph and Exchange APIs: Once attackers possess valid sessions they can call cloud APIs to enumerate mailboxes, export message stores, and harvest sensitive attachments.
  • Trusted-sender abuse: Because phishing lures can originate from compromised marketing platforms and legitimate accounts, recipients are more likely to click links and bypass simple email hygiene checks.
  • Small/medium enterprises (SMEs) vulnerability: SMEs often lag in Conditional Access maturity and FIDO2 adoption, making them disproportionately vulnerable to PhaaS campaigns.
Operational exposure can be reduced rapidly by putting strong guards around admin and high-sensitivity accounts, enforcing device-based Conditional Access, and pushing passkey adoption in prioritized waves.

What VoidProxy's existence tells us about the criminal market

VoidProxy demonstrates a few clear market realities:
  • Commodification of sophisticated attacks: Techniques once requiring advanced skillsets (real-time proxying, session cookie capture, anti-automation gating) are now productized and sold to many actors.
  • Ecosystem equivalence to SaaS: Criminals use subscription and dashboard models, marketing on underground forums and offering “support” and ready-made templates. This mirrors legitimate SaaS economics and operational features.
  • Rapid innovation and tool reuse: PhaaS kits share components (proxy logic, Cloudflare gating, CAPTCHA integrations), and actors swap and resell capabilities; this accelerates the evolution of effective anti-detection features.
  • Profitability of targeted accounts: Even a handful of high-value account takeovers (finance, legal, C-level mailboxes) justifies investment in PhaaS subscriptions for attackers.
This is not a niche or academic threat; it’s the continued industrialization of phishing into a low-cost, high-return business model for criminals. Industry reports showed enormous PhaaS activity across 2024–2025, with some platforms responsible for a large share of observed attacks. (blog.barracuda.com)

Limitations and unresolved questions

  • Exact victim counts: Okta and other vendors have detected and alerted customers to incidents, but publicly verifiable totals for VoidProxy-specific takeovers are not available. The “high-confidence account takeover” wording comes from Okta’s threat briefing to reporters; independent public counts are lacking. Treat precise numbers as internal intelligence rather than open-source-confirmed metrics. (okta.com)
  • Attribution: Multiple criminal groups are reportedly using VoidProxy, but public attribution to specific ransomware gangs or nation-state proxies remains uncertain. PhaaS models often mask actor identities by supplying infrastructure to many buyers.
  • Technical provenance: While AiTM proxy mechanics are well-known and corroborated by Microsoft, Okta and others, the unique technical fingerprint (if any) that differentiates VoidProxy from other kits has not been exhaustively published for independent analysis. That may change if vendors publish IoCs or samples.

Final assessment: strengths, risks and the path forward

VoidProxy is alarming because it packages proven, highly effective AiTM techniques into a marketable product that multiple criminal operators can use. The threat is not a novel attack method; it is the democratization and scaling of an already dangerous technique. That has three immediate implications:
  • Security teams must pivot from “MFA is enough” to “phishing-resistance is required.” Hardware-backed or platform passkeys and FIDO2/WebAuthn are the most durable mitigations against AiTM proxying.
  • Operational controls matter more than ever. Short session lifetimes, automated session invalidation on risk signals, endpoint hygiene, and stricter OAuth consent policies can materially reduce opportunity for attackers.
  • Detection must improve to match commerce. IoC-based defenses alone are insufficient. Detection requirements now include behavior analytics, consent-flow monitoring, and telemetry integration between endpoint, network and identity systems.
Practical, high-impact steps are available today: prioritize passkey rollouts for privileged and high-risk users, enforce admin-only app-consent policies, and integrate EDR signals with identity platforms to allow automatic disruption of compromised sessions. Vendors and standards bodies should accelerate enterprise-grade support for cross-app session invalidation and for broader FIDO2 adoption across ecosystems.
VoidProxy is a timely reminder that cybercriminals continue to adopt the best lessons from enterprise software — subscription economics, resell channels, telemetry dashboards — and weaponize them. The defense response must be equivalent in scale: wide, coordinated, and rapid adoption of phishing-resistant authentication and identity-aware automation that can revoke the value of stolen sessions within seconds.

Checklist for immediate action (for IT leaders)

    1. Require FIDO2 or passkeys for all admin and privileged accounts.
    2. Enforce admin consent for all third-party OAuth apps; monitor unexpected app registrations.
    3. Reduce session lifetimes and enable automated session invalidation workflows.
    4. Integrate EDR and identity telemetry to block risky sign-ins.
    5. Harden external-sender policies (DMARC, DKIM, SPF) and monitor marketing-platform abuse.
    6. Run phishing simulations focused on redirect-chain and CAPTCHA-gated pages to build user awareness of these specific tactics.
VoidProxy is a symptom, not the disease: the underlying malignancy is the commodification of AiTM tooling. The cure is policy, technology and behavior — all aligned toward making credentials and sessions worthless to intermediaries. (sec.okta.com)

Source: The Register, "Google, Microsoft account takeover made easy via VoidProxy" (theregister.com)