Okta Threat Intelligence has published a detailed analysis of VoidProxy, a previously unreported Phishing-as-a-Service (PhaaS) platform that represents a serious threat to cloud identity security. By leveraging Adversary-in-the-Middle (AitM) techniques, VoidProxy can capture credentials, MFA codes, and session tokens in real-time — effectively bypassing traditional authentication methods and undermining multi-factor authentication (MFA) defenses.
According to Okta, “VoidProxy is a novel and highly evasive service used by attackers to target Microsoft and Google accounts. The service is also capable of redirecting accounts protected by third-party single sign-on (SSO) providers like Okta to second-stage phishing pages.”
This makes VoidProxy particularly dangerous, as it lowers the technical barrier for attackers. As the report notes: “By offering this sophisticated PhaaS, VoidProxy lowers the technical barrier for a wide range of threat actors to execute AitM phishing attacks.”
Compromised accounts obtained via VoidProxy are then exploited for business email compromise (BEC), financial fraud, data exfiltration, and lateral movement within corporate networks.
VoidProxy has remained hidden until now by using a web of anti-analysis and evasion techniques. Okta’s researchers highlight that the service relied on “compromised email accounts, multiple redirects, Cloudflare CAPTCHA challenges, Cloudflare Workers and dynamic DNS services” to avoid detection.
The phishing campaigns observed begin with emails sent from compromised ESP accounts (e.g., Constant Contact, Postmarkapp, NotifyVisitors), which help them bypass spam filters. Links embedded in the lures are further obfuscated using URL shorteners and multiple redirect hops, before finally landing victims on phishing domains registered with disposable TLDs like .icu, .sbs, .xyz, .top, and .home.
To block automated scanners, VoidProxy landing pages are protected by Cloudflare CAPTCHA challenges and load only after passing through a Cloudflare Worker, which filters traffic and dynamically loads the phishing content. Any requests from bots or analysis tools are redirected to a generic “Welcome” page.
Okta’s analysis details the VoidProxy attack chain in four stages:
- Delivery and Lure – Phishing emails with shortened links lead to disposable phishing domains.
- Evasion and Lure Loading – Cloudflare CAPTCHA and Workers ensure only real users load the phishing pages.
- Second-Stage Pages – Victims entering Microsoft or Google credentials are redirected, with federated accounts (e.g., using Okta SSO) being sent to additional spoofed SSO flows.
- AitM Relay & Session Hijacking – VoidProxy’s proxy server captures usernames, passwords, MFA responses, and session cookies. Attackers then use these cookies to gain valid, persistent access to victim accounts.
VoidProxy’s backend infrastructure is hosted using dynamic DNS wildcard services like sslip.io and nip.io, allowing servers to be frequently rotated. The core includes the AitM proxy engine and an attacker admin panel.
Okta researchers found that VoidProxy offers a polished web-based admin console where customers can configure phishing campaigns, manage victims in real-time, and extract stolen data. Features include real-time notifications via Telegram bots or Webhooks, and integration with third-party tools.
While VoidProxy can bypass common MFA protections, Okta confirmed that phishing-resistant authenticators such as Okta FastPass successfully blocked attempts. As the report emphasizes: “In all attacks we observed, users enrolled in phishing-resistant authenticators (in this case, Okta FastPass) were unable to share credentials or sign-in via VoidProxy infrastructure, and were warned that their account was under attack.”
