A new industrialized phishing service named VoidProxy is arming cybercriminals with the ability to hijack Google and Microsoft accounts in real time, exfiltrating session cookies that bypass multi‑factor authentication entirely. The PhaaS platform, unmasked by Okta Threat Intelligence, packages advanced adversary‑in‑the‑middle (AiTM) techniques into a turnkey subscription—complete with a live dashboard tracking stolen credentials, MFA responses, and session tokens.

Multiple distinct criminal groups are already using VoidProxy to target organizations across industries and geographies, from small businesses to large enterprises. Okta’s threat hunters have observed “high‑confidence account takeovers in multiple entities,” and new infrastructure is being detected daily. The attacks, active since at least January 2025, trace their dark‑web advertising roots back to August 2024, underscoring the rapid commodification of once‑sophisticated attack methods.

How a VoidProxy Attack Unfolds

Campaigns begin with phishing lures dispatched from compromised but legitimate‑looking email services. Providers like Constant Contact, ActiveCampaign, Postmark, and NotifyVisitors are abused to send messages that sail past spam filters because the sending infrastructure itself is real. The emails contain a shortened URL (via TinyURL or similar) that initiates a multi‑stage redirect chain.

The victim eventually lands on a low‑cost domain—often a .icu, .xyz, .top, .cfd, or .home TLD—fronted by Cloudflare. A Cloudflare Turnstile or equivalent CAPTCHA gates the page, ensuring only a human proceeds and blocking automated scanners. Once completed, the user is served a pixel‑perfect replica of a Microsoft, Google, or Okta sign‑in screen.

The core of the attack is the adversary‑in‑the‑middle proxy. When the victim enters credentials and completes any MFA challenge, the VoidProxy server silently relays those inputs to the legitimate identity provider. The provider validates the authentication and issues a session cookie—which the proxy captures before it reaches the user’s browser. That cookie is immediately exfiltrated and stored, giving the attacker a fully authenticated session that requires neither the original password nor a new MFA prompt. The victim may see a generic error or a loading screen, unaware their account has been compromised.

Stealing session cookies is a known technique, but VoidProxy industrializes it. A valid cookie is essentially a bearer token for an already‑completed login. With it, an attacker can:
- Bypass MFA completely: No re‑authentication prompt appears when using the stolen cookie.
- Operate with stealth: The activity looks like a legitimate user session in standard logs.
- Maintain persistence: Some cookies survive password resets and remain valid until expiration or explicit revocation.
- Monetize instantly: VoidProxy’s admin panel pushes real‑time Telegram‑style alerts so criminals can act within seconds—exporting mailboxes, pivoting to business email compromise (BEC), or harvesting sensitive documents.

Microsoft’s own incident analyses have documented AiTM campaigns that abused stolen session cookies to conduct follow‑on fraud at scale. VoidProxy simply makes this attack vector available to anyone willing to pay.

Inside the PhaaS Business Model

VoidProxy is sold as phishing‑as‑a‑service. Buyers receive a full‑featured administrative panel that tracks campaign metrics, lists stolen credentials, and displays real‑time maps of victims by geography. Daily counters show how many credentials and session cookies have been harvested. This SaaS‑like model mirrors legitimate cloud services and dramatically lowers the barrier for non‑technical criminals.

Okta discovered dark‑web advertisements for VoidProxy dating back to August 2024, indicating the platform has been marketed to multiple buyers for months. The threat intelligence team told reporters that several distinct criminal gangs are actively using the service, though attributing activity to specific named groups remains difficult given PhaaS operational security.

Where VoidProxy Fits in the PhaaS Ecosystem

VoidProxy is not an isolated outlier. It joins a crowded field of AiTM kits—EvilProxy, Evilginx, Tycoon 2FA, Rockstar, and others—that offer similar capabilities: phishing relay proxies, CAPTCHA gating, multi‑theme templates, and admin dashboards. Industry telemetry shows millions of PhaaS‑driven attacks in 2025 alone, with some platforms responsible for an outsized share.

What distinguishes VoidProxy, according to Okta’s reporting, is its combination of targeted campaign tooling, abuse of legitimate sending services, and a market‑facing model that appeals to multiple distinct criminal groups. It represents the ongoing industrialization of credential theft: sophisticated attacks once requiring expert coding are now a subscription away.

Corroborated Claims and Lingering Unknowns

What Is Well‑Established

  • Mechanics: AiTM session cookie theft is documented by Microsoft as early as 2022 and repeatedly warned about by Okta. VoidProxy’s technical flow matches known patterns.
  • Delivery abuses: Multiple PhaaS campaigns have exploited Constant Contact, ActiveCampaign, and similar senders. This tactic is widely corroborated in incident reports.
  • Dark‑web ads: PhaaS platforms are routinely marketed on underground forums; Okta’s tracing of VoidProxy advertisements is consistent with industry norms.

What Remains Okta’s Internal Assessment

  • Specific victim counts: While Okta asserts “high‑confidence account takeovers in multiple entities,” exact numbers are derived from private telemetry and not independently verifiable via public data.
  • Precise VoidProxy fingerprint: Detailed indicators of compromise (IoCs) or technical differentiators have not been published, limiting independent replication.
  • Attribution: The identity of the purchasing groups—whether ransomware affiliates, nation‑state proxies, or opportunistic actors—is uncertain.

In short, VoidProxy’s threat is real and its operational model is credible, but some operational specifics rely on Okta’s confidential investigation.

Defensive Measures That Neutralize VoidProxy

Organizations can blunt these attacks with proven controls. The core principle: move from “MFA is enough” to “phishing‑resistant authentication is required.”

Immediate Priorities

  1. Deploy phishing‑resistant MFA: Enforce FIDO2/WebAuthn security keys or platform passkeys for all administrators and high‑risk users. FIDO2 uses origin‑bound public‑key cryptography, so a proxy page cannot succeed even if it looks identical.
  2. Shorten session lifetimes: Configure maximum session durations (e.g., 8–12 hours) and idle timeouts. Enable automated revocation workflows triggered by risk signals.
  3. Restrict OAuth and app consent: Require admin approval for third‑party application permissions and monitor for anomalous consent grants.
  4. Integrate endpoint signals: Tie EDR device health into Conditional Access. Block or challenge sign‑ins from devices flagged as compromised.
  5. Harden email defenses: Enforce DMARC, SPF, and DKIM at organizational domains. Work with third‑party senders to identify abuse and be ready to block suspicious campaigns.

SOC Playbook Enhancements

  • Build detection rules for unusual consent flows, repeated CAPTCHA sequences, and rapid‑fire OAuth token issuance.
  • Automate account suspension and session invalidation upon confirmed AiTM detection.
  • Prioritize users with access to sensitive mailboxes, privileged systems, or financial data for passkey rollouts first.
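One concrete detection the playbook above implies but does not spell out: a session cookie stolen through an AiTM proxy is replayed from the attacker's client, so the same session id shows up from a second IP and browser shortly after it was issued, even though each request on its own looks like a legitimate user session. The following is an added example (not Okta's code or any vendor's log schema) that runs that check over constructed, simplified JSON-lines sign-in events.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a simplified JSON-lines shape (not a vendor log format).
# Session s-101 is issued to one client, then used from another IP and browser minutes later.
SAMPLE_EVENTS = """\
{"ts":"2025-03-04T09:00:00Z","user":"a.lee","session":"s-101","ip":"203.0.113.10","ua":"Chrome/123 Windows","event":"login"}
{"ts":"2025-03-04T09:00:05Z","user":"a.lee","session":"s-101","ip":"203.0.113.10","ua":"Chrome/123 Windows","event":"mail.read"}
{"ts":"2025-03-04T09:02:30Z","user":"a.lee","session":"s-101","ip":"198.51.100.77","ua":"Firefox/120 Linux","event":"mail.export"}
{"ts":"2025-03-04T09:05:00Z","user":"b.kim","session":"s-202","ip":"203.0.113.20","ua":"Edge/123 Windows","event":"login"}
{"ts":"2025-03-04T09:06:00Z","user":"b.kim","session":"s-202","ip":"203.0.113.20","ua":"Edge/123 Windows","event":"files.list"}
"""

# A session reused by a second client within this window after issuance is alerted on;
# tune it to the organization's real session lifetime (assumed value).
REPLAY_WINDOW = timedelta(minutes=30)


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts, converting `ts` to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_session_replays(events: list, window: timedelta = REPLAY_WINDOW) -> list:
    """Flag a session id seen from a new (ip, user agent) pair soon after first sight."""
    first_seen = {}  # session id -> (first time seen, (ip, ua) of the issuing client)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = (ev["ip"], ev["ua"])
        sid = ev["session"]
        if sid not in first_seen:
            first_seen[sid] = (ev["ts"], client)
            continue
        issued_at, issuer = first_seen[sid]
        if client != issuer and ev["ts"] - issued_at <= window:
            alerts.append({"user": ev["user"], "session": sid, "issued_to": issuer,
                           "reused_by": client, "event": ev["event"],
                           "seconds_after_issue": int((ev["ts"] - issued_at).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Legitimate IP changes (VPN egress, mobile roaming) will also trip a raw IP comparison, so in production pair the check with ASN, device-compliance or geolocation signals before wiring it to the automated session invalidation described above.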

Why Passkeys Matter

Passkeys and FIDO2 authenticators are purpose‑built to defeat AiTM. Instead of transmitting a reusable secret, the browser binds the signed assertion to the origin of the site that is actually requesting it, and the relying party checks that origin before accepting the sign‑in. A VoidProxy‑style proxy, served from its own lookalike domain, cannot satisfy the origin check, so the relayed login fails even though the page looks identical. Okta and Microsoft both recommend passkeys as the most durable mitigation—though adoption requires planning for hardware provisioning, fallback mechanisms, and user training.
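To make the origin binding referred to in the "Immediate Priorities" list and in the paragraph above concrete, here is an added example (not Okta's, Microsoft's or any FIDO library's code) of the relying-party checks on the clientDataJSON of a WebAuthn assertion. It assumes a hypothetical legitimate origin `https://login.example.com` and constructs what a browser would produce when the same user, with the same server-issued challenge, signs in either directly or through a proxy on a lookalike `.icu` domain.

```python
import base64
import hashlib
import json
import secrets

# Relying-party (server-side) checks from the WebAuthn assertion ceremony.
# Constructed example: the browser fills clientDataJSON with the origin the user
# actually visited, and the authenticator signs authenticatorData || SHA-256(clientDataJSON),
# so that origin is bound into the signature and cannot be rewritten by a relay.
RP_ORIGIN = "https://login.example.com"  # hypothetical legitimate origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN):
    """Return (accepted, reason) for an assertion's clientDataJSON."""
    data = json.loads(b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this login (no replay).
    got = b64url_decode(data.get("challenge", ""))
    if not secrets.compare_digest(got, expected_challenge):
        return False, "challenge mismatch"
    # A victim whose browser is on the proxy's lookalike domain gets that domain written here.
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')}"
    return True, "ok"

def signed_payload(authenticator_data: bytes, client_data_b64: str) -> bytes:
    """Bytes the authenticator signed; the RP verifies the public-key signature over this."""
    return authenticator_data + hashlib.sha256(b64url_decode(client_data_b64)).digest()

def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulate the clientDataJSON a browser on `origin` would produce (constructed helper)."""
    doc = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(doc).encode())

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    direct = make_client_data(RP_ORIGIN, challenge)
    # Same user and challenge, but the browser was on the proxy's lookalike domain.
    proxied = make_client_data("https://login-example.icu", challenge)
    print(verify_client_data(direct, challenge))   # (True, 'ok')
    print(verify_client_data(proxied, challenge))  # (False, 'origin mismatch: https://login-example.icu')
```

In practice the browser refuses the ceremony on the lookalike domain even earlier, because the RP ID does not match that origin; the origin check remains the server-side guarantee only as long as weaker fallback factors (push, OTP) are not left enabled for the same users, since a proxy can relay those.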

Specific Risks for Windows‑Centric Organizations

For enterprises heavy on Microsoft 365 and Google Workspace, VoidProxy attacks carry sharp operational consequences:
- Lateral movement and BEC: Compromised accounts let attackers pivot to partners and internal teams, amplifying supply‑chain fraud.
- Cloud API abuse: Stolen sessions enable silent data exfiltration via Microsoft Graph or Gmail APIs.
- Trusted‑sender tricks: Lures from legitimate marketing platforms bypass many email filters, so even savvy users may click.
- SME vulnerability: Smaller organizations often lag in Conditional Access maturity and passkey adoption, making them disproportionate targets.

Enforcing device‑based Conditional Access, shortening session windows, and rolling out passkeys to privileged accounts can rapidly reduce exposure.

The Criminal Market Reality

VoidProxy exemplifies a dangerous convergence:
- Commodification: Advanced AiTM proxying, anti‑automation gating, and real‑time data dashboards are now products, not projects.
- SaaS economics: Underground forums mirror legitimate subscription models, with vendors offering support, templates, and updates.
- Ecosystem reuse: Components are shared across kits, accelerating the spread of evasion features.
- Profit calculus: A single high‑value account takeover can justify an attacker’s entire PhaaS subscription cost.

The trend is clear: the barrier to entry for sophisticated identity attacks has collapsed. VoidProxy is a symptom of a market that treats stolen sessions as a low‑cost, high‑return commodity.

Conclusion: Act Now, or Pay Later

VoidProxy demonstrates that an attack once requiring elite skill is now available to any motivated buyer. The counter is not a single silver bullet but a layered shift toward phishing‑resistant identity architectures. Immediate high‑impact actions include:
- Enforce FIDO2/passkeys for all admin and privileged users.
- Implement admin‑only OAuth consent policies.
- Integrate EDR telemetry with identity platforms for automatic session disruption.
- Reduce session lifetimes and automate revocation.

Industry collaboration is also critical. Okta urges continued support for standards like IPSIE (Interoperability Profile for Secure Identity in the Enterprise) to enable cross‑service session invalidation. VoidProxy is a wake‑up call that phishing defense must evolve from reactive detection to proactive, protocol‑level prevention. The tools exist; the remaining variable is organizational will.