VoidProxy phishing service can hijack Microsoft 365 and Google sessions—even with MFA

By /

Most headlines frame VoidProxy as “another phishing kit,” but that undersells the systemic risk: this is a commercialized intermediary identity layer that wedges itself between users and cloud providers to harvest tokens at scale, bypassing everyday MFA and blending into the delivery plumbing of legitimate platforms. Think of it as a parasitic identity broker—sitting invisibly between the browser and Microsoft or Google—capturing the exact session cookies that confer trust, while using modern CDN, DNS, and marketing tooling to stay a step ahead of scanners and takedowns.

VoidProxy phishing service targets Microsoft 365, Google accounts

What is VoidProxy?

VoidProxy is a stealthy phishing-as-a-service platform using adversary-in-the-middle tactics to intercept credentials, MFA codes, and session cookies for Microsoft 365 and Google accounts in real time, enabling account takeover even when MFA is enabled. It has been observed in active campaigns during 2025, with multiple organizations affected across industries and geographies.

How VoidProxy works across systems

Delivery and pretext

  • Campaigns originate from compromised accounts on reputable email service providers (e.g., marketing platforms), leveraging sender reputation to bypass spam defenses.
  • Messages commonly use shortened links that redirect through multiple hops into the attack chain to obfuscate final destinations.

Hosting and cover

  • Phishing sites are deployed on disposable, low-cost TLDs such as .icu, .sbs, .cfd, .xyz, .top, and .home.
  • Cloud CDN fronting masks origin IPs and adds anti-bot gating (for example, CAPTCHAs and edge worker logic), improving both evasion and perceived credibility.

Flow control and intermediation

  • Non-federated users are proxied directly to Microsoft or Google through a reverse-proxy flow that faithfully relays the real login sequence.
  • Federated users (for example, SSO via an identity provider) encounter second-stage pages that mimic enterprise sign-in before being routed to the legitimate IdP—while VoidProxy captures credentials, MFA entries, and the final session cookie.
See also  Don’t Call It a TT: Why Concept C Is a New Lineage, Not a Nostalgia Play

Token capture and monetization

  • Validated session cookies are exfiltrated to an operator dashboard, enabling immediate account takeover while bypassing subsequent MFA prompts.
  • Operators then execute business email compromise, data exfiltration, OAuth abuse, and lateral movement with the victim’s legitimate session context.

Why traditional controls buckle

Reputation piggybacking

  • Bypassing content and domain heuristics is easier when sending from compromised reputable senders, which undermines reputation-based filtering.

CDN shielding and dynamic DNS

  • CDN fronting, multi-redirect choreography, and anti-analysis mechanisms reduce automated detections and complicate rapid takedowns.

MFA limitations

  • Live intermediation captures OTPs and SMS codes during the session and, most critically, steals the validated session cookie—rendering basic MFA ineffective after first use.

Federation isn’t the weakness—intermediation is

It’s tempting to blame SSO, but VoidProxy succeeds by faithfully relaying real login journeys rather than breaking federation protocols. When the target uses an IdP, VoidProxy simply acts as a transparent middleman, presenting indistinguishable prompts and harvesting the ultimate trust artifact: the session cookie. Phishing-resistant authenticators and device-bound flows meaningfully disrupt this class of adversary-in-the-middle attack.

The VoidProxy business model and ecosystem

Professionalized crimeware

  • Features such as operator panels, layered anti-analysis, and flexible routing indicate a mature PhaaS offering that lowers the barrier for many actors.
  • Multiple groups can lease the service, diversify targets, and iterate infrastructure, which increases campaign resilience and scalability.

Evolution from prior AitM kits

  • VoidProxy builds on trends established by earlier services (for example, EvilProxy and Sneaky 2FA), emphasizing turnkey reverse-proxy flows and continuous tuning to outpace detection.
  • Expect continued commoditization: pricing tiers, plug-in modules for post-login automations, and broader IdP support.
See also  Apple Watch gets FDA nod for hypertension alerts: What it means for your heart

Second-order effects after compromise

Immediate impact

  • Real-time account takeover enables business email compromise, invoice and payroll fraud, OAuth abuse, internal phishing, and sensitive data theft.
  • Because the session is “legitimate,” anomaly detections reliant on user agents or geolocation may lag unless sessions are strongly bound to device, network, or risk context.

Containment dynamics

  • The ability to invalidate stolen tokens quickly and force step-up reauthentication will determine the blast radius.
  • Policies tailored to privilege escalation actions and administrative scopes can curtail post-compromise maneuvering.

Defender playbook: where to disrupt the chain

Harden authentication

  • Enforce phishing-resistant authenticators (for example, FIDO2/WebAuthn with device binding) for high-value accounts and administrative roles.
  • Prefer authenticator flows that prevent participation in AitM sequences and surface warnings when a proxy is detected.

Constrain where trust can travel

  • Bind session cookies to device and IP where feasible for administrative or sensitive applications.
  • Require managed devices for critical services and apply risk-based policies that deny cookie portability and trigger reauth on sensitive actions.

Kill stolen tokens quickly

  • Shorten session lifetimes for privileged roles, enforce reauthentication on privilege elevation, and monitor session anomalies tied to device posture and network context.
  • Automate token revocation when risk signals spike or when unusual consent/grant behavior is detected.

Break the delivery loop

  • Monitor partner and vendor ecosystems for compromised marketing automation accounts and sudden use of link shorteners.
  • Flag multi-redirect chains and landing patterns consistent with CDN CAPTCHA gates that commonly precede AitM flows.

Accelerate takedown and detection

  • Track and block low-cost TLD clusters and dynamic DNS patterns associated with current campaigns.
  • Feed indicators of compromise into email and web gateways, and build detections for second-stage domain schemas and path structures.
See also  AI “Created” 16 Bacteria-Killing Viruses—Breakthrough or Hype?

Why this matters now

VoidProxy’s operational maturity and early scale show that AitM is no longer niche—it’s productized and accessible. Organizations that treat session tokens like currency—binding, rotating, and invalidating them with the same discipline applied to credentials—will blunt the advantage of token theft and shrink attacker dwell time.

What to watch next

  • Deeper CDN worker logic and adaptive traffic shaping to hinder crawlers and dynamic analysis.
  • Expanded support for enterprise IdPs, conditional access testing, and post-login automations (for example, mailbox rules, OAuth prompts, and data exfil templates).
  • More use of compromised SaaS for pretexts and assets that appear benign to scanners.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top