A new phishing-as-a-service platform named VoidProxy is targeting Microsoft 365 and Google accounts, even when they are protected by third-party single sign-on providers like Okta. Using adversary-in-the-middle (AitM) techniques, the platform steals credentials, MFA codes, and session cookies in real time. Attacks begin with emails sent from compromised accounts at legitimate services, containing shortened links that redirect to phishing sites hosted on inexpensive, disposable domains.
These malicious sites are shielded by Cloudflare, which hides their true IP addresses and presents a CAPTCHA challenge that lends the site an air of legitimacy and filters out bots and scanners. Targeted visitors are shown convincing fake login pages for Microsoft or Google, while other visitors are directed to a harmless welcome page. VoidProxy's proxy server intercepts and relays traffic between the user and the legitimate service, capturing all authentication data as it passes through.
For accounts using federated SSO like Okta, a second phishing page mimics the SSO flow, further extending the attack chain. The service also captures session cookies, giving attackers immediate access to the account through an admin panel. Only users with phishing-resistant authentication methods, such as Okta FastPass, were protected. Recommendations include restricting access to sensitive applications to managed devices, implementing risk-based controls, and enforcing re-authentication for critical actions.
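Because the AitM proxy reuses a captured session cookie from the attacker's own infrastructure rather than the victim's device, one defender-side signal is a session identifier that appears from a different network shortly after the interactive login. The script below is an added example written for this summary, not code from the article or from any vendor: it parses constructed sign-in and activity log lines (the key=value field names are an assumption, not a real log schema) and flags sessions whose post-login activity comes from a different autonomous system within a configurable window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only (not real data).
# The key=value layout and field names are assumptions for this example.
SAMPLE_LOG = """
ts=2024-05-01T09:00:00 event=login_success user=alice session=s1 ip=203.0.113.10 asn=64500
ts=2024-05-01T09:03:12 event=mail_read user=alice session=s1 ip=198.51.100.7 asn=64510
ts=2024-05-01T09:10:00 event=login_success user=bob session=s2 ip=203.0.113.20 asn=64500
ts=2024-05-01T09:15:00 event=mail_read user=bob session=s2 ip=203.0.113.21 asn=64500
ts=2024-05-01T10:00:00 event=login_success user=carol session=s3 ip=192.0.2.5 asn=64520
ts=2024-05-01T13:00:00 event=mail_read user=carol session=s3 ip=198.51.100.9 asn=64510
""".strip().splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = dict(KV.findall(line))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_replayed_sessions(lines, window=timedelta(minutes=30)):
    """Return one alert per session whose activity after login comes from a
    different ASN than the login itself, within `window` of that login.

    A single ASN change is only a signal (mobile roaming and VPNs change
    networks legitimately); treat the output as input to risk-based
    controls such as forced re-authentication, not as proof of theft.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda r: r["ts"])
    origin = {}      # session id -> the login_success record that created it
    flagged = set()  # sessions already reported, to avoid duplicate alerts
    alerts = []
    for rec in events:
        sid = rec["session"]
        if rec["event"] == "login_success":
            origin[sid] = rec
            continue
        login = origin.get(sid)
        if login is None or sid in flagged:
            continue
        elapsed = rec["ts"] - login["ts"]
        if rec["asn"] != login["asn"] and elapsed <= window:
            flagged.add(sid)
            alerts.append({
                "user": rec["user"],
                "session": sid,
                "login_ip": login["ip"],
                "reuse_ip": rec["ip"],
                "minutes_after_login": elapsed.total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

With the default 30-minute window only alice's session is reported: her login came from one ASN and the mail read three minutes later from another. Bob's session changes IP but stays inside the same ASN, so it is not flagged, and carol's cross-ASN reuse falls outside the window; widening the window to a few hours would report carol as well, at the cost of more noise from legitimate network changes. Tying an alert like this to the re-authentication and managed-device controls the summary recommends limits the value of a stolen cookie even when the heuristic is uncertain.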
