Hijacker helper VoidProxy boosts Google, Microsoft accounts on demand

Multiple attackers using a new phishing service dubbed VoidProxy to target organizations' Microsoft and Google accounts have successfully stolen users' credentials, multi-factor authentication codes, and session tokens in real time, according to security researchers.

Okta Threat Intelligence uncovered the ongoing attacks, and told The Register that several different criminals and cybercrime gangs are using VoidProxy. The company has issued a detailed report on its findings.

"We have observed the targeting of multiple industries across multiple geographies, each of which reflects the priorities of the individual customer" of the phishing-as-a-service operation, the threat hunters said via email, in response to The Register's questions.

The phishes target any Google and Microsoft accounts, from small businesses to large enterprises, we're told. And while Okta didn't have a confirmed victim count, "we have observed high-confidence account takeovers in multiple entities," the threat intel team told us. "By extension, we expect Microsoft and Google will have observed a larger number of ATO events, given that VoidProxy proxies non-federated users directly with Microsoft and Google servers."

“We regularly see new phishing campaigns like this pop up, which is why we design durable protections to keep users safe from these types of attacks, including defenses against domain spoofing, phishing links, and compromised senders,” a Google spokesperson told The Register. “We also agree with the report’s recommendation that users adopt passkeys as a strong protection against phishing.”

Google declined to answer The Register's specific questions, including how many account takeovers it had seen. Microsoft declined to comment.

While Okta observed the attacks as beginning around January, the researchers said that they have linked these phishing campaigns to VoidProxy ads on the dark web from as far back as August 2024. 


"The activity is ongoing," the threat intel team said via email. "We are detecting new infrastructure and generating alerts for customers on a daily basis."

Here's how the attacks work. First, the criminals send phishing lures from legitimate, albeit compromised, email accounts from providers including Constant Contact, ActiveCampaign (Postmark app), NotifyVisitors, and others.

These emails have a link to a URL shortening service (like TinyUrl) embedded within the communication, and the malicious link redirects the victim several times before they land on the first-stage phishing site. The phishing websites are hosted on low-cost domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, and placed behind Cloudflare, which hides the real IP address and makes it more difficult for network defenders to take down the host.

After completing a Cloudflare CAPTCHA challenge, thus ensuring the victim is a human and not a bot, the user is sent to the phishing site, which looks exactly like a Google or Microsoft account sign-in page. This service also redirects accounts protected by third-party single sign-on (SSO) providers like Okta.

Attacker-in-the-Middle

The page looks completely legit to the user, who likely then enters their login credentials. But instead of signing on to their actual Microsoft or Google account, this info is sent to VoidProxy's attacker-in-the-middle (AiTM) proxy server, where the AiTM attack plays out.

"It's here that the sophisticated, multi-layered nature of VoidProxy comes into play," the report says.

AiTM attacks happen when criminals secretly position themselves between two parties - such as a user and a website - to intercept login and banking credentials, or to listen in on communications and manipulate data flowing between them.

In this stage of the attacks, the core proxy server, which is hosted on ephemeral infrastructure, captures and relays sensitive information like usernames, passwords, and MFA responses to legitimate Microsoft, Google, and Okta services. These legit services validate and authenticate the users' information and then issue a session cookie, which is also intercepted by the proxy server.

"A copy of the cookie is exfiltrated and made available to the attacker via their admin panel," the report says. "The attacker is now in possession of a valid session cookie and can access the victim's account."

And all of these features are offered for sale to other criminals via VoidProxy's phishing-as-a-service operation. 

Customers (aka criminals) receive a full-featured administrative panel that allows them to manage and monitor their phishing campaigns, and a dashboard for each campaign tracks how many credentials and cookies have been stolen on a daily basis. These campaigns and stolen data are also displayed by region with maps of each country showing the victim count. 

Okta recommends enrolling in strong authenticators such as Okta FastPass, using FIDO2 WebAuthn (passkeys and security keys), and enforcing phishing-resistance in policy to avoid falling victim to VoidProxy attacks.
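Why a relayed one-time code gets through the proxy while a passkey does not, as an added example (constructed here, not code from Okta's report or The Register). The origins, seeds and keys are made up; HMAC stands in for the passkey's asymmetric signature so the block runs on the standard library alone.

```python
import hashlib, hmac, json, struct

# Constructed demo (not Okta's or the report's code): a relayed one-time code passes, a
# passkey assertion does not. HMAC stands in for the passkey's asymmetric signature.
RP_ORIGIN = "https://login.example.com"       # assumed real sign-in origin
RP_ID = "login.example.com"
TOTP_SECRET = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"      # toy model: shared by authenticator and RP

def totp(secret: bytes, t: int) -> str:
    """RFC 6238 code: bound to time only, carrying nothing about the page that asked."""
    mac = hmac.new(secret, struct.pack(">Q", t // 30), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000)

def totp_relayed_accepted(t: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it verbatim."""
    typed_on_phish_page = totp(TOTP_SECRET, t)
    return hmac.compare_digest(typed_on_phish_page, totp(TOTP_SECRET, t))  # RP cannot tell

class Passkey:
    """Victim's authenticator: one credential, scoped to RP_ID when it was registered."""
    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id != RP_ID:                    # no credential for this RP ID: nothing to sign
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"
        sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return auth_data, sig

def rp_verify(challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks, simplified from the WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad_challenge"
    if cd.get("origin") != RP_ORIGIN:         # the origin sits inside the signed bytes
        return "origin_mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rp_id_mismatch"
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad_signature"

def passkey_flow(page_origin: str, challenge: str) -> str:
    """The browser, not the page, writes the origin and derives the RP ID from it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    result = Passkey().get_assertion(page_origin.split("://", 1)[1], client_data)
    if result is None:
        return "no_credential_for_origin"     # the AiTM page never obtains an assertion
    return rp_verify(challenge, client_data, *result)
```

The relayed TOTP is indistinguishable from one typed on the real page, whereas a passkey request from the lookalike origin finds no credential, and even a hypothetically unscoped assertion would fail the origin check because the origin is part of what was signed.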

The report authors also tell us that they encourage industry partners - like Microsoft and Google - "to continue to support and advocate for industry standards like Interoperability Profile for Secure Identity in the Enterprise (IPSIE). 

"A consistent adherence to these standards could, for example, ensure impacted parties can sign a user out of both their device and all their browser apps in real-time whenever a user interacts with known malicious infrastructure," the threat intel team told The Register. ®

https://go.theregister.com/feed/www.theregister.com/2025/09/11/voidproxy_phishing_service/