Current Cyber Threats

Security Researchers Uncover VoidProxy, an Advanced MFA-Bypassing Phishing Platform

Summary:
Okta Threat Intelligence has detailed a newly uncovered Phishing-as-a-Service (PhaaS) platform called VoidProxy, which uses advanced adversary-in-the-middle techniques to target Microsoft, Google, and single sign-on accounts, including those federated through Okta. The service captures credentials, MFA codes, and session tokens in real time, effectively bypassing common MFA protections like SMS codes and authenticator app OTPs. VoidProxy’s phishing campaigns are delivered via compromised accounts from reputable email service providers and obfuscated through URL shorteners, multiple redirects, Cloudflare protections, and disposable domains. Victims are funneled through layered phishing pages and Cloudflare Workers before being proxied to the attacker’s backend infrastructure, where authentication flows are intercepted and session cookies exfiltrated. Despite its sophistication, Okta found that users protected with phishing-resistant authenticators such as Okta FastPass could not be compromised. The service includes a full-featured administrative panel for operators, making it accessible to a wide range of threat actors and enabling large-scale attacks supporting BEC, fraud, and data theft.
Security Officer Comments:
VoidProxy exemplifies the growing professionalism of PhaaS operations, offering scalable, evasive infrastructure that significantly lowers the technical bar for adversaries to conduct effective AitM phishing. Its use of anti-analysis measures, such as Cloudflare challenges, disposable domains, and dynamic DNS, demonstrates an emphasis on resilience and stealth, making detection and takedown far more challenging. The ability to bypass traditional MFA protections highlights ongoing weaknesses in non-phishing-resistant authentication, reinforcing the urgency of adopting FIDO2/WebAuthn-based solutions.

Suggested Corrections:
Organizations should strengthen authentication by enrolling users in phishing-resistant methods such as passkeys, security keys, or smart cards. Access to sensitive applications should be limited to managed, secured devices, while less sensitive apps should at least require registered devices that meet basic hygiene standards. Policies should adapt dynamically, requiring additional assurance or denying access when requests come from unusual networks or deviate from established user behavior. User awareness remains critical: staff should be trained to spot phishing attempts, social engineering tactics, and suspicious activity, with clear reporting channels in place. Automated detection and response processes should be implemented to contain threats in real time.
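To illustrate the point made in the comments and corrections above (why a relayed OTP passes through an AitM proxy while a FIDO2/WebAuthn assertion does not), here is an added, constructed model of the relying-party checks; it is not code from Okta or from the original report. The origins and keys are made up, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"            # constructed legitimate origin
PROXY_ORIGIN = "https://login.example-proxy.test"  # constructed AitM phishing origin


class Authenticator:
    """Toy authenticator. A real one signs with a per-site private key; here an
    HMAC over the same data stands in for that signature (assumption)."""

    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, origin: str, challenge: str):
        # The browser, not the web page, fills in the origin it is actually on,
        # so a page served from a proxy domain cannot claim the real RP origin.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        sig = hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        return client_data, sig


def rp_verify(key: bytes, challenge: str, client_data: bytes, sig: str) -> bool:
    """Relying-party side: the signature must verify AND the signed origin must
    be our own. This is the check that defeats a relayed assertion."""
    expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    cd = json.loads(client_data)
    return cd["challenge"] == challenge and cd["origin"] == RP_ORIGIN


def otp_accepted(code_typed_on_phish_page: str, code_expected: str) -> bool:
    """An SMS/app OTP carries no origin: whatever the victim types into the
    phishing page can be forwarded to the real service unchanged."""
    return hmac.compare_digest(code_typed_on_phish_page, code_expected)


def webauthn_accepted(origin_seen_by_browser: str) -> bool:
    """Same assertion flow, varying only the origin the browser was on."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(16)  # issued by the real RP, relayed by the proxy
    client_data, sig = Authenticator(key).get_assertion(origin_seen_by_browser, challenge)
    return rp_verify(key, challenge, client_data, sig)
```

In a real browser the credential is additionally scoped to the RP ID, so an assertion for a different domain is never even produced; the origin check modelled here is the relying party's second line of defence.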

Link(s):
https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-google/