
VoidProxy Hijacks Google, Microsoft Accounts

VoidProxy: The New Phishing Threat Bypassing MFA on Google and Microsoft Accounts

Multi-Factor Authentication (MFA) has long been praised as a critical defense against account takeovers. A phishing kit known as VoidProxy is demonstrating that not all MFA is created equal. It is actively being used against Microsoft 365 and Google Workspace accounts, defeating MFA methods that depend on a code or approval the user can be tricked into relaying (one-time codes from SMS or an authenticator app, for example) in order to hijack signed-in sessions and steal data.

Understanding this threat is the first step toward building a stronger defense for your personal and professional accounts.

What is the VoidProxy Phishing Attack?

VoidProxy is a phishing framework built around an Adversary-in-the-Middle (AiTM) technique. Traditional phishing pages are copies that simply collect a password. An AiTM kit instead acts as a reverse proxy: it sits between your browser and the legitimate sign-in page (Google's or Microsoft's), relays every request and response in real time, and records what passes through. That includes your credentials, but the real target is the session cookie the service issues once you have completed MFA.

That session cookie is the key to the entire operation. It is the token the service sets in your browser after a successful sign-in and checks on every later request instead of asking for the password and MFA again; whoever presents it is treated as the verified user. An attacker who replays it from their own machine is signed in as you, with no password and no second MFA prompt, for as long as the session stays valid and is not revoked.

How Attackers Use VoidProxy to Hijack Your Account

The attack unfolds in a series of carefully orchestrated steps designed to deceive even cautious users.

  1. The Phishing Lure: It begins with a deceptive email. This message might appear to be a legitimate notification about a shared document, a security alert, or an invoice, prompting the user to click a link.

  2. The Malicious Redirect: The link takes the user to a server the attacker controls. That server runs the VoidProxy kit, which does not host a static copy of the sign-in page: it proxies the real Microsoft 365 or Google sign-in page, so the user sees the genuine page, served from a domain the attacker owns. The address bar is the only thing that differs.

  3. Credential and MFA Capture: The user, believing the page is legitimate, enters their username and password. VoidProxy forwards them to the actual service and records a copy. The real service then issues its MFA challenge (a code from an authenticator app or SMS, for example), and the proxied page shows the user exactly that prompt. Because the genuine service issued the challenge, it completes normally.

  4. Hijacking the Session Cookie: When the user enters the MFA code, VoidProxy relays it to the legitimate service. The login succeeds and the service responds with a Set-Cookie header carrying the session cookie. That response passes through the proxy, which records the cookie value and then forwards the user on to their real account.

  5. Complete Account Takeover: The attacker now holds a valid session cookie. Loaded into their own browser or tooling, it gives access to the victim's email, cloud storage, contacts, and connected applications without a password or MFA prompt, because the service already considers that session verified. The victim, meanwhile, is signed into their real account as expected and usually sees nothing wrong.
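The five steps above, run end to end as an offline model. This is an added example written for this article, not code from VoidProxy or from either vendor: a mock identity provider, a relay that forwards everything to it, and the cookie replay that follows. The account, password, one-time code and class names are all constructed for the demonstration, and nothing contacts a real service.

```python
"""Offline model of the AiTM relay described in steps 1-5.

Constructed example: a mock identity provider, a relay that sits between the
victim's browser and the provider, and the cookie replay that follows.
Nothing here contacts a real service; all names, accounts and codes are made up.
"""
import secrets


class MockIdP:
    """Stand-in for a real sign-in service: password, then a one-time code,
    then a session cookie that is checked on every later request."""

    def __init__(self):
        self.users = {"alice@example.com": {"password": "hunter2", "otp": "482913"}}
        self.pending = {}    # login_id -> user who still owes an MFA code
        self.sessions = {}   # cookie value -> user

    def login(self, user, password):
        if self.users.get(user, {}).get("password") != password:
            return {"status": "invalid_credentials"}
        login_id = secrets.token_hex(8)
        self.pending[login_id] = user
        return {"status": "mfa_required", "login_id": login_id}

    def verify_mfa(self, login_id, code):
        user = self.pending.pop(login_id, None)
        if user is None or self.users[user]["otp"] != code:
            return {"status": "invalid_code"}
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return {"status": "ok", "set_cookie": cookie}   # the Set-Cookie header, in effect

    def mailbox(self, cookie):
        """Any request that presents a valid cookie is served; MFA is not asked again."""
        user = self.sessions.get(cookie)
        return None if user is None else f"inbox of {user}"

    def revoke(self, cookie):
        self.sessions.pop(cookie, None)


class AitmRelay:
    """The phishing proxy: forwards every request to the real IdP unchanged,
    returns the real responses, and keeps a copy of what passes through."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = {}

    def login(self, user, password):
        self.captured["user"], self.captured["password"] = user, password
        return self.idp.login(user, password)              # step 3: credentials relayed

    def verify_mfa(self, login_id, code):
        resp = self.idp.verify_mfa(login_id, code)         # step 4: code relayed
        if resp["status"] == "ok":
            self.captured["cookie"] = resp["set_cookie"]   # the prize
        return resp


def run_attack():
    """Walk the victim through a correct login via the relay, then replay the cookie."""
    idp = MockIdP()
    relay = AitmRelay(idp)

    # The victim does everything right: correct password, correct code.
    first = relay.login("alice@example.com", "hunter2")
    second = relay.verify_mfa(first["login_id"], "482913")
    victim_view = idp.mailbox(second["set_cookie"])    # lands in the real inbox

    # The attacker, from another machine, presents the captured cookie.
    # No password prompt, no MFA prompt: the service already considers it verified.
    attacker_view = idp.mailbox(relay.captured["cookie"])

    # The stolen password alone is worth much less: a fresh login still stops at MFA.
    password_only = idp.login(relay.captured["user"], relay.captured["password"])["status"]

    # Revoking the session is what actually ends the attacker's access.
    idp.revoke(relay.captured["cookie"])
    after_revoke = idp.mailbox(relay.captured["cookie"])

    return {
        "victim_view": victim_view,
        "attacker_view": attacker_view,
        "password_only": password_only,
        "after_revoke": after_revoke,
    }


if __name__ == "__main__":
    print(run_attack())
```

The point the model makes concrete is in the last two results: the captured password still stops at the MFA step, while the captured cookie walks straight in, and only revoking the session shuts that door.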

The Dangers of a Successful VoidProxy Attack

Once an attacker gains access, the consequences can be severe, particularly in a corporate environment. The primary risks include:

  • Business Email Compromise (BEC): Attackers can use the compromised email account to impersonate the victim, sending fraudulent wire transfer requests or tricking colleagues into revealing sensitive information.
  • Data Exfiltration: Confidential documents, customer lists, intellectual property, and personal files stored in OneDrive, SharePoint, or Google Drive are all at risk of being stolen.
  • Lateral Movement: A compromised account can serve as a beachhead for attackers to move deeper into an organization’s network, targeting other employees or systems.
  • Financial Fraud: Attackers can manipulate payroll information, change banking details on invoices, or access financial accounts linked to the compromised email.

How to Protect Your Accounts From VoidProxy and AiTM Attacks

While VoidProxy is a formidable threat, you can take concrete steps to defend against it and other AiTM attacks. Relying on code-based or push-based MFA alone is no longer sufficient, because the kit relays those factors as easily as it relays a password.

1. Implement Phishing-Resistant MFA
The most effective defense is an authentication method the proxy cannot relay. A one-time code fails because it is just a value the user types and the proxy forwards. FIDO2/WebAuthn instead binds the login to the device and to the web origin the browser is actually on: the private key never leaves the device, and the signed response names the origin that requested it, so a sign-in performed through a proxy on another domain yields nothing the real service will accept. Certificate-based and device-bound methods likewise depend on a key or certificate the proxy does not hold. Examples include:

  • FIDO2 Security Keys: Physical keys like a YubiKey that require a touch or PIN to authenticate.
  • Windows Hello for Business: Biometric authentication (face or fingerprint) tied to a specific, trusted device.
  • Certificate-Based Authentication: A digital certificate installed on the user’s device provides strong proof of identity.
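Why the FIDO2 case above resists the relay, as an added example rather than anything from the article or from a real authenticator. It models the three parties in a WebAuthn sign-in: the relying party, the browser, and the authenticator. The relying party `login.example.com` is hypothetical, and HMAC with a shared secret stands in for the authenticator's private-key signature so the script runs on the standard library alone (an assumption, not how a real key works). The two checks it models are the real ones: the browser only allows an RP ID that matches the page's domain, and the signed client data names the origin the browser was actually on.

```python
"""Why a FIDO2/WebAuthn sign-in survives the same relay.

Constructed model of relying party, browser and authenticator. HMAC stands in
for the authenticator's private-key signature (an assumption, so the example
runs with the standard library); the checks are the real WebAuthn ones.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

RP_ID = "login.example.com"            # hypothetical relying party
RP_ORIGIN = "https://login.example.com"


class Authenticator:
    """Holds the per-credential secret; it only ever signs what the browser hands it."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, rp_id, client_data):
        # Real authenticators sign rpIdHash || flags || counter || sha256(clientDataJSON);
        # flags and counter are omitted here.
        to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.secret, to_sign, hashlib.sha256).digest()


def browser_get_assertion(auth, page_origin, rp_id, challenge, enforce=True):
    """The browser's part of navigator.credentials.get().

    It refuses unless rp_id is the page's host or a parent domain of it
    (simplified from the registrable-domain rule), and it, not the page,
    writes the origin into clientDataJSON."""
    host = urlsplit(page_origin).hostname
    if enforce and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"RP ID {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    return client_data, auth.sign(rp_id, client_data)


def rp_verify(auth, challenge, client_data, signature):
    """The relying party's checks on the returned assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # the origin check that defeats a proxy
        return False
    expected = auth.sign(RP_ID, client_data)   # a real RP verifies with the public key
    return hmac.compare_digest(expected, signature)


def attempt_login(page_origin, enforce_browser_rule=True):
    """Outcome of one sign-in from page_origin, using the RP's challenge."""
    auth = Authenticator()                     # registered with the RP for RP_ID
    challenge = secrets.token_urlsafe(32)      # issued by the RP, relayed by the proxy or not
    try:
        client_data, sig = browser_get_assertion(
            auth, page_origin, RP_ID, challenge, enforce_browser_rule)
    except PermissionError:
        return "browser refused"
    return "accepted" if rp_verify(auth, challenge, client_data, sig) else "rp rejected"


if __name__ == "__main__":
    print(attempt_login(RP_ORIGIN))                                              # accepted
    print(attempt_login("https://login.example.com.evil-proxy.example"))         # browser refused
    print(attempt_login("https://login.example.com.evil-proxy.example", False))  # rp rejected
```

The third case is the one worth noticing: even with the browser's own check switched off, the assertion carries the proxy's origin inside the signed data, so the relying party rejects it. Contrast that with a one-time code, which carries no information about where it was typed.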

2. Scrutinize Every Login Request
Always be suspicious of unexpected login prompts. Before entering your credentials, carefully inspect the URL in your browser's address bar. Attackers may use look-alike domains (e.g., microsft.com or accounts.google.security-check.com) to trick you. Because an AiTM page is the real sign-in page served through the attacker's domain, it will look right and will carry a valid HTTPS padlock; the address bar is the only reliable tell. If the host does not match the official domain exactly, do not proceed.
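The same check done by code, for anyone writing a link-scanner or mail filter rather than eyeballing the address bar. This is an added example, not from the article: it parses the URL and compares the whole host against an allow-list, and shows why the common substring check is fooled. The allow-list holds only the two portals named in this article and is illustrative; real deployments need the vendors' full sign-in host lists. The sample URLs are constructed.

```python
"""Checking a sign-in URL: parse it, then compare the whole host against the
official sign-in hosts, never a substring.

Constructed example; the allow-list is illustrative, not a vendor's full list.
"""
from urllib.parse import urlsplit

OFFICIAL_SIGNIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}


def naive_check(url):
    """The common mistake: substring matching. A lure that carries the official
    host as a prefix of a longer host, or as userinfo before an '@', passes it."""
    return any(host in url for host in OFFICIAL_SIGNIN_HOSTS)


def is_official_signin(url):
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname            # drops userinfo ("user@") and port, lowercases
    if not host:
        return False
    # A proxy on "accounts.google.com.attacker.example" or "accounts.google.security-check.com"
    # is a different registrable domain entirely, so require an exact host match.
    return host in OFFICIAL_SIGNIN_HOSTS


# Constructed inputs: one genuine URL and several lookalikes of the kinds described above.
SAMPLES = {
    "https://accounts.google.com/signin/v2/identifier": True,
    "https://accounts.google.security-check.com/signin": False,                   # lookalike subdomain
    "https://microsft.com/login": False,                                          # typo-squat
    "https://login.microsoftonline.com.attacker.example/common/oauth2": False,    # official host as prefix
    "https://accounts.google.com@attacker.example/": False,                       # official host as userinfo
    "http://accounts.google.com/": False,                                         # no TLS
}


def classify_all():
    return {url: is_official_signin(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, ok in classify_all().items():
        print(f"{'official' if ok else 'REJECT  '}  naive={naive_check(url)!s:5}  {url}")
```

Internationalized homograph domains are a separate problem: `urlsplit` hands back the host as written, so a scanner that must cope with them should also reject hosts containing non-ASCII or `xn--` labels unless they are expected.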

3. Enhance Security Awareness Training
Educate yourself and your team about the mechanics of AiTM attacks. Ensure everyone understands that even if a login page looks real and the MFA process seems to work, a malicious proxy could be operating in the background. Training should emphasize URL verification and the importance of reporting any suspicious emails.

4. Leverage Advanced Security Policies
For organizations, identity policy can add a layer the kit cannot relay. In Microsoft Entra ID (the identity service behind Microsoft 365), Conditional Access policies can require a compliant or managed device, restrict sign-in by location or named IP ranges, and block unexpected client types; Google Workspace offers the equivalent through Context-Aware Access. A session cookie replayed from the attacker's infrastructure arrives from a different device and network than the one that completed MFA, which is exactly the condition these policies can flag or block. Pair them with the ability to revoke sessions and refresh tokens quickly, since a stolen cookie stays valid until it expires or is revoked.
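What the "different device and network" condition looks like as detection logic, for the security operations side of the same advice. This is an added example, not from the article or from any vendor's product: it runs over constructed sign-in and activity records in JSON-lines form (the field names are assumptions, not a real log schema, and the IP addresses come from the documentation ranges). In the sample, Alice's session is used from attacker tooling minutes after she completed MFA, while Bob merely moves from Wi-Fi to a cellular network on the same phone.

```python
"""Detection logic for the replay half of the attack: a session that completed
MFA from one device and is then used from a different network and client.

Constructed example over made-up records; field names are assumptions.
"""
import json
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
{"ts":"2025-09-11T08:00:00Z","user":"alice@example.com","session":"s-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/128","event":"mfa_success"}
{"ts":"2025-09-11T08:01:10Z","user":"alice@example.com","session":"s-1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/128","event":"mail_read"}
{"ts":"2025-09-11T08:03:45Z","user":"alice@example.com","session":"s-1","ip":"198.51.100.77","ua":"python-requests/2.32","event":"mail_search"}
{"ts":"2025-09-11T08:04:02Z","user":"alice@example.com","session":"s-1","ip":"198.51.100.77","ua":"python-requests/2.32","event":"inbox_rule_created"}
{"ts":"2025-09-11T09:00:00Z","user":"bob@example.com","session":"s-2","ip":"203.0.113.20","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1","event":"mfa_success"}
{"ts":"2025-09-11T09:30:00Z","user":"bob@example.com","session":"s-2","ip":"192.0.2.5","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1","event":"mail_read"}
"""


def parse(lines):
    """Yield one dict per JSON line, with the timestamp parsed."""
    for line in lines.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            yield rec


def detect_session_replay(log_text, window=timedelta(hours=24)):
    """Flag a session when, within `window` of its MFA success, a request
    arrives from both a different IP and a different user agent than the
    ones that completed MFA. Requiring both keeps ordinary network changes
    (same client, new IP) out of the alert, at the cost of missing an attacker
    who copies the victim's user agent; tune to taste."""
    origin = {}        # session -> record that completed MFA
    flagged = set()
    findings = []
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        sid = rec["session"]
        if rec["event"] == "mfa_success":
            origin[sid] = rec
            continue
        first = origin.get(sid)
        if first is None or sid in flagged:
            continue
        if (rec["ip"] != first["ip"] and rec["ua"] != first["ua"]
                and rec["ts"] - first["ts"] <= window):
            flagged.add(sid)
            findings.append({
                "session": sid,
                "user": rec["user"],
                "mfa_ip": first["ip"],
                "mfa_ua": first["ua"],
                "replay_ip": rec["ip"],
                "replay_ua": rec["ua"],
                "minutes_after_mfa": (rec["ts"] - first["ts"]).total_seconds() / 60,
                "first_event": rec["event"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_LOGS):
        print(f)
```

On a hit, the response that matters is the one the policy section describes: revoke the session and refresh tokens for that user, then look for what the replayed session did. The `inbox_rule_created` event in the sample is typical of the BEC follow-on, where the attacker hides their own traffic from the victim.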

Source: https://go.theregister.com/feed/www.theregister.com/2025/09/11/voidproxy_phishing_service/
