A newly discovered phishing-as-a-service (PhaaS) platform, named VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers such as Okta.
The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time.
VoidProxy was discovered by Okta Threat Intelligence researchers, who describe it as scalable, evasive, and sophisticated.
The attack begins with emails sent from compromised accounts at email service providers such as Constant Contact, Active Campaign, and NotifyVisitors. The emails contain shortened links that take recipients through multiple redirections before landing on the phishing sites.
The malicious sites are hosted on disposable low-cost domains on .icu, .sbs, .cfd, .xyz, .top, and .home, which are protected by Cloudflare to hide their real IPs.
Visitors are first served a Cloudflare CAPTCHA challenge to filter out bots and increase the sense of legitimacy, while a Cloudflare Worker environment is used to filter traffic and load pages.
[Image: The Cloudflare CAPTCHA step on the malicious site. Source: Okta]
Selected targets receive a page that mimics a Microsoft or Google login, while everyone else is funneled to a generic "Welcome" page that presents no threat.
If credentials are typed into the phishing form, the requests are proxied through VoidProxy's AitM infrastructure to the real Google or Microsoft servers.
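As an added defender-side example (not code from the article or from Okta's research), the triage helper below follows a link's redirect chain offline and flags the two traits described above together: several redirections before the landing page, and a landing domain on one of the disposable TLDs the article lists. The redirect table and the URLs in it are constructed sample data standing in for HTTP 30x responses observed in a sandbox.

```python
from urllib.parse import urlsplit

# TLDs the article names as hosting VoidProxy landing pages.
DISPOSABLE_TLDS = {"icu", "sbs", "cfd", "xyz", "top", "home"}

# Constructed redirect table: source URL -> Location header it returned.
# A live chain would be captured in a sandbox, not followed from a workstation.
REDIRECTS = {
    "https://short.example/abc123": "https://track.example/r?id=9",
    "https://track.example/r?id=9": "https://login-verify.example.sbs/auth",
    "https://short.example/safe": "https://docs.example.com/report",
}


def follow_chain(url, table, max_hops=10):
    """Return the ordered list of URLs visited, starting with `url`.
    `max_hops` guards against redirect loops in the table."""
    chain = [url]
    while url in table and len(chain) <= max_hops:
        url = table[url]
        chain.append(url)
    return chain


def tld_of(url):
    """Last DNS label of the URL's host, lower-cased ('' if no host)."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def triage_link(url, table, hop_threshold=2):
    """Return (verdict, reasons, chain) for one link from a suspicious email.
    'suspicious' needs both traits; one trait alone is only 'review'."""
    chain = follow_chain(url, table)
    hops = len(chain) - 1
    landing_tld = tld_of(chain[-1])
    reasons = []
    if hops >= hop_threshold:
        reasons.append(f"{hops} redirects before the landing page")
    if landing_tld in DISPOSABLE_TLDS:
        reasons.append(f"landing domain on disposable TLD .{landing_tld}")
    verdict = {0: "clean", 1: "review", 2: "suspicious"}[len(reasons)]
    return verdict, reasons, chain


if __name__ == "__main__":
    for link in ("https://short.example/abc123", "https://short.example/safe"):
        verdict, reasons, chain = triage_link(link, REDIRECTS)
        print(verdict, "->", " -> ".join(chain), reasons)
```

In a mail gateway this check would run on extracted URLs before delivery, with the chain resolved by a detonation sandbox rather than by the gateway itself.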