{"id":14788,"date":"2025-09-12T20:16:18","date_gmt":"2025-09-12T20:16:18","guid":{"rendered":"https:\/\/newestek.com\/?p=14788"},"modified":"2025-09-12T20:16:18","modified_gmt":"2025-09-12T20:16:18","slug":"voidproxy-phishing-as-a-service-operation-steals-microsoft-google-login-credentials","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14788","title":{"rendered":"VoidProxy phishing-as-a-service operation steals Microsoft, Google login credentials"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Identity and access management provider Okta has discovered what it says is a novel phishing-as-a-service (PhaaS) operation that, if victims fall for an infected email, may get around the user account protections from third-party single sign-on providers to steal Microsoft and Google login credentials.<\/p>\n<p>However, that\u2019s a big \u201cif\u201d.<\/p>\n<p>Effective security awareness training that alerts users to beware of suspicious emails will help blunt the efforts of threat actors who subscribe to the service. 
Experts also told us phishing-resistant authentication is vital to swat aside phishing attacks aimed at stealing credentials.<\/p>\n<p>However, the discovery is of significance to CSOs who use third-party single sign-on providers like Okta, OneLogin, Auth0, Microsoft Azure AD, and Google for login protection.<\/p>\n<p>The criminal phishing service, called VoidProxy, \u201crepresents a mature, scalable, and evasive threat to traditional email security and authentication controls,\u201d <a href=\"https:\/\/sec.okta.com\/articles\/uncloakingvoidproxy\/\" target=\"_blank\" rel=\"noreferrer noopener\">Okta said in a report Thursday<\/a>.\u00a0<\/p>\n<p>\u201cThe service uses <a href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html\" target=\"_blank\">Adversary-in-the-Middle<\/a> (AitM) techniques to intercept authentication flows in real time, capturing credentials, MFA codes and any session tokens established during the sign-in event. This capability can bypass the protection of several common multi-factor authentication (MFA) methods, such as SMS codes and one-time passwords (OTP) from authenticator apps,\u201d the researchers wrote.<\/p>\n<p>\u201cBy offering this sophisticated <a href=\"https:\/\/blog.barracuda.com\/2024\/12\/04\/threat-spotlight-phishing-techniques-2025\" target=\"_blank\" rel=\"noreferrer noopener\">PhaaS<\/a>, VoidProxy lowers the technical barrier for a wide range of threat actors to execute AitM phishing attacks. 
Accounts compromised using PhaaS platforms facilitate numerous malicious activities such as business email compromise (BEC), financial fraud, data exfiltration and lateral movement within victim networks.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"service-has-anti-analysis-features\">Service has anti-analysis features<\/h2>\n<p>The VoidProxy platform has been able to evade analysis until this point by using multiple layers of anti-analysis features, including compromised email accounts, multiple redirects, Cloudflare Captcha challenges, Cloudflare Workers and dynamic DNS services, Okta said.\u00a0<\/p>\n<p>An attack works like this: Phishing lures are sent from compromised accounts of legitimate email service providers (ESPs) such as Constant Contact, Active Campaign (Postmarkapp), NotifyVisitors, and others. The hope is that these message sources will fool spam filters.<\/p>\n<p>If a victim falls for the message, they click on a link that uses a URL shortening service (such as TinyURL) and is redirected a number of times before the user ends up at a first-stage landing site. The goal of the redirects is to <a href=\"https:\/\/www.csoonline.com\/article\/4032323\/attackers-wrap-phishing-links-through-url-scanning-services-to-bypass-detection.html\" target=\"_blank\">evade automated analysis<\/a>.<\/p>\n<p>Before any first-stage landing site loads, the user is presented with a Cloudflare Captcha challenge to determine if the request is from an interactive user or a bot.<\/p>\n<p>The first-stage phishing pages are hosted on domains registered with a variety of low-cost, low-reputation TLDs, such as .icu, .sbs, .cfd, .xyz, .top, and .home. The report says this minimizes operational costs to VoidProxy and allows the attackers to treat the domains as disposable assets, quickly abandoning them once they are identified and blocklisted. 
The phishing sites are placed behind Cloudflare, effectively hiding the real IP address of the phishing site\u2019s server and making it much harder for security teams to trace and take down the malicious host.<\/p>\n<p>The victim user\u2019s browser then communicates with a Cloudflare Worker (*.workers.dev). Okta believes that this worker likely acts as a gatekeeper and lure loader to filter incoming traffic and to load the appropriate phishing page for any given target.<\/p>\n<p>Once the Captcha challenge is passed, the user sees a perfect replica of a legitimate Microsoft or Google login portal.\u00a0<\/p>\n<p>Any attempt to access the site using automated scanners or other security tools redirects the user to a generic \u201cWelcome\u201d page with no further functionality.<\/p>\n<h2 class=\"wp-block-heading\" id=\"credentials-go-to-adversary-in-the-middle-server\">Credentials go to adversary-in-the-middle server<\/h2>\n<p>If a victim is unwise enough to enter their primary Microsoft or Google credentials on the phishing page, the data is sent to VoidProxy\u2019s core AitM proxy server. It\u2019s here that the sophisticated, multi-layered nature of VoidProxy comes into play, says Okta.<\/p>\n<p>Federated users are redirected to additional second-stage landing pages after providing primary\u00a0credentials for their Microsoft or Google account. Non-federated users are redirected to Microsoft and Google servers directly via the proxy infrastructure.<\/p>\n<p>A core proxy server hosted on ephemeral infrastructure executes an AitM attack.\u00a0This server acts as a reverse proxy to capture and relay information, including usernames, passwords, and MFA responses, to legitimate services like Microsoft, Google, and Okta. When the legitimate service validates the authentication and issues a session cookie, the VoidProxy proxy server intercepts it. A copy of the cookie is exfiltrated and made available to the attacker via their admin panel. 
The attacker is now in possession of a valid session cookie and can access the victim\u2019s account.<\/p>\n<h2 class=\"wp-block-heading\" id=\"shows-the-risks-of-sms-and-otp\">Shows the risks of SMS and OTP<\/h2>\n<p>\u201cThe report highlights the risks of old multi-factor authentication types like SMS and one-time password (OTP) codes combined with the theft of session tokens,\u201d commented <a href=\"https:\/\/www.blackhat.com\/sector\/2025\/briefings\/schedule\/speakers.html#david-shipley-46356\" target=\"_blank\" rel=\"noreferrer noopener\">David Shipley<\/a> of Canadian security awareness training provider Beauceron Security. \u201cThe trick here is ensuring organizational users have fallbacks when more sophisticated approaches like app-based 2FA are unavailable.\u201d<\/p>\n<p>The other trick, he added, is to make the transition to MFA easier and more convenient. \u201cEveryone needs to take a hard look at session token lifespans \/ re-authentication and revisit notions that it wasn\u2019t needed if people were on premises,\u201d he said.<\/p>\n<p>\u201cThe report highlights an interesting role that Cloudflare has been caught in, with criminals using it to hide from security tools,\u201d he noted. \u201cIf this trend continues, we may see more pressure on these kinds of providers for the kinds of know-your-customer (KYC) rules we see in the financial services industry.\u201d<\/p>\n<p>Would security awareness training blunt this attack from the beginning? <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, was doubtful. \u201cSecurity awareness training has repeatedly been proven to be ineffective,\u201d he said.<\/p>\n<p>Shipley was more optimistic. \u201cAn effective security awareness program can reduce the top of the risk funnel, but can\u2019t eliminate it. 
Our research shows that immediately after training, the chance someone will click on a phish is still 3.5%. After 90 days, the probability is 15%, after 360, it\u2019s a whopping 95%. So [only] annual awareness training isn\u2019t going to cut it.\u201d<\/p>\n<p>Both agreed on the importance of also having phishing-resistant defenses.<\/p>\n<p>\u201cPhishing resistance should be a baseline requirement for authentication,\u201d said Ullrich.<\/p>\n<p>\u201cThere are two things that CSOs must know about modern phishing attacks and defenses,\u201d he added. \u201cFirst of all, authentication methods must be phishing safe. Any method that allows the user to select credentials to enter for a particular site is not phishing-safe. Methods like Passkeys, that automatically match credentials to websites, are phishing safe and should be implemented. Password managers selecting credentials provide some protection, but users are usually able to override that safeguard.<\/p>\n<p>\u201cSecond, there is no safe authentication for an actual \u2018machine in the middle\u2019 attack, or \u2018machine in the browser\u2019 attacks like browser plugins. In this case, attackers are able to obtain post-authentication session credentials, and the actual authentication method is irrelevant.\u201d<\/p>\n<p>Google has been proposing <a href=\"https:\/\/developer.chrome.com\/docs\/web-platform\/device-bound-session-credentials\" target=\"_blank\" rel=\"noreferrer noopener\">Device Bound Session Credentials<\/a>, Ullrich noted, but they have not been widely adopted yet. DBSC adds a layer of hardware-backed security (such as a motherboard\u2019s Trusted Platform Module) to ensure sessions are bound to specific devices. Sessions use short-lived cookies. When one of these cookies expires, the browser proves possession of a private key before refreshing them. 
This process links session continuity to the original device.<\/p>\n<p>Shipley also said it\u2019s time to retire what he called \u201cthe misleading term \u2018phishing resistant.\u2019 It\u2019s not. Lazy criminals doing bare bones phishing may be deterred, but advanced platforms like this and others include live capture of MFA codes with operators standing by in real time (and with AI agents coming onto the scene, even faster ways to be in the process).\u201d\u00a0<\/p>\n<p>\u201cVendors over-promised on phishing resistant authentication and owe folks an apology,\u201d he added. \u201cMore accurate branding would be \u2018Lazy phishing resistant\u2019 but that doesn\u2019t sound as good for marketing.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"recommendations\">Recommendations<\/h2>\n<p>In its report, Okta recommends CSOs:<\/p>\n<ul class=\"wp-block-list\">\n<li>enroll users in strong authenticators such as passkeys, security keys, or smart cards, and enforce phishing-resistance in policy;\u00a0<\/li>\n<li>restrict access to sensitive applications to devices that are managed by endpoint management tools and\u00a0protected by endpoint security tools. For access to less sensitive applications, require\u00a0registered devices that\u00a0show indicators of basic cybersecurity hygiene;<\/li>\n<li>deny, or require higher assurance, for requests from rarely-used networks;\u00a0<\/li>\n<li>identify requests for access to applications that deviate from previously established patterns of user activity, using behavior or risk monitoring solutions. 
Policies can be configured to step-up or deny requests;<\/li>\n<li>train users to identify indicators of suspicious emails, phishing sites, and common social engineering techniques used by attackers;<\/li>\n<li>respond in real time to user interactions with suspicious infrastructure by automating remediation flows;<\/li>\n<li>apply IP Session Binding to all administrative apps to prevent the replay of stolen administrative sessions;<\/li>\n<li>force re-authentication whenever an administrative user attempts to perform sensitive actions.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Identity and access management provider Okta has discovered what it says is a novel phishing-as-a-service (PhaaS) operation that, if victims fall for an infected email, may get around the user account protections from third-party single sign-on providers to steal Microsoft and Google login credentials. However, that\u2019s a big \u201cif\u201d. Effective security awareness training that alerts users to beware of suspicious emails will help blunt the&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14788\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14788","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14788"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14788\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}