VoidProxy phishing service targets Microsoft 365, Google accounts

Beware of VoidProxy: The New Phishing Threat That Bypasses MFA on Microsoft 365 and Google Accounts

Multi-Factor Authentication (MFA) has long been the gold standard for securing online accounts. However, cybercriminals are constantly evolving their tactics, and a new threat known as VoidProxy has emerged, specifically designed to neutralize this critical security layer. This sophisticated Phishing-as-a-Service (PhaaS) platform is enabling even low-skilled attackers to compromise high-value corporate and personal accounts, including those on Microsoft 365 and Google Workspace.

Understanding this threat is the first step toward building a stronger defense for yourself and your organization.

What is VoidProxy and Why is it So Dangerous?

VoidProxy is not just another phishing kit; it operates using an Adversary-in-the-Middle (AiTM) technique. Instead of simply creating a fake login page to steal a password, an AiTM attack positions itself between you and the legitimate service (like Microsoft or Google). It acts as a malicious proxy, intercepting and relaying all the information exchanged during the login process.

The primary danger of this method is its ability to bypass traditional multi-factor authentication. When you enter your username, password, and even your one-time MFA code (from an authenticator app or SMS), VoidProxy captures it all in real-time. It then passes this information to the real service, completes the login on your behalf, and most importantly, steals the session cookie.

A session cookie is a small piece of data that a website uses to keep you logged in. Once an attacker has this cookie, they can place it in their own browser and gain complete access to your account without ever needing your password or MFA code again, at least until the session expires.

How the VoidProxy Attack Unfolds

The attack chain is deceptive and highly effective, exploiting user trust at every step.

  1. The Lure: The attack begins with a carefully crafted phishing email. This email might appear to be a legitimate notification, such as a file-sharing alert, a security warning, or an urgent request from a colleague, tricking the user into clicking a malicious link.

  2. The Deceptive Redirect: The link takes the user to a phishing page hosted by the VoidProxy framework. This page is a pixel-perfect replica of the genuine Microsoft 365 or Google login portal, making it nearly impossible to spot as a fake based on appearance alone.

  3. The Credential Relay: As the user enters their email and password, the AiTM platform immediately forwards them to the legitimate service.

  4. The MFA Interception: When the real service prompts for MFA, the fake page presents the exact same prompt to the user. The user, believing the process is secure, enters their one-time code or approves the push notification.

  5. Session Cookie Theft: VoidProxy intercepts the MFA response and the resulting session cookie that is generated upon successful authentication. This session cookie is the attacker’s ultimate prize.

With the session hijacked, the attacker has a direct, authenticated gateway into the victim’s account. They can access emails, steal sensitive files from SharePoint or Google Drive, and use the compromised account to launch further attacks, such as Business Email Compromise (BEC) scams.

How to Protect Your Accounts from AiTM Phishing Attacks

As threats like VoidProxy become more common, relying solely on traditional MFA is no longer enough. Organizations and individuals must adopt a more resilient security posture.

Here are essential steps you can take to defend against these advanced attacks:

  • Implement Phishing-Resistant MFA: The most effective defense is to move beyond codes and push notifications. Adopt phishing-resistant authentication methods like FIDO2 security keys (e.g., YubiKey) or platform-based biometrics (e.g., Windows Hello or Apple’s Face ID/Touch ID). These methods cryptographically bind the authenticator’s response to your device and to the genuine site’s origin, so a response obtained through a look-alike domain is rejected by the real service, and an AiTM proxy has nothing it can intercept or replay.

  • Train Users to Be Vigilant: Continuous security awareness training is crucial. Teach employees to always scrutinize the URL in the browser’s address bar before entering credentials. A fake login page may look identical, but the domain name will be incorrect. Encourage a culture of suspicion toward unsolicited emails that create a sense of urgency.

  • Deploy Advanced Security Solutions: Use modern email security gateways that can analyze links and detect sophisticated phishing attempts. On the endpoint, ensure you have robust security software that can identify and block connections to malicious sites.

  • Monitor for Suspicious Activity: Actively monitor login activity for your accounts. Look for logins from unusual locations or at odd hours. For organizations, implementing Conditional Access policies in Microsoft 365 can block logins from non-compliant devices or untrusted networks, adding another powerful layer of defense.
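Why origin-bound authentication stops the relay described above, as an added Python example written for this article (it is not from the BleepingComputer report or from any vendor): a simulated WebAuthn authentication ceremony in which the relying-party and proxy hostnames are placeholders, and the authenticator's public-key signature is modelled with an HMAC purely to keep the example dependency-free; the data that is signed and the checks the relying party makes are the real ones.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

# Constructed relying party (RP); hostnames are placeholders, not real services.
RP_ID = "login.example-idp.test"
RP_ORIGIN = "https://login.example-idp.test"
# Simplification: the authenticator's signature is modelled as an HMAC under a key
# shared with the RP. Real FIDO2 uses a public-key signature (the RP holds only the
# public key), but what is signed and what the RP checks are the same.
CREDENTIAL_KEY = secrets.token_bytes(32)

def to_sign(rp_id_hash: bytes, client_data: bytes) -> bytes:
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON); here
    # authenticatorData is reduced to its rpIdHash field.
    return rp_id_hash + hashlib.sha256(client_data).digest()

def browser_get_assertion(page_origin: str, challenge: str) -> dict:
    """Browser + authenticator: the browser records the origin it really loaded
    the page from; neither the user nor a proxy in front of the site controls it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign(rp_id_hash, client_data), "sha256").digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": sig}

def rp_verify(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party checks of a WebAuthn authentication assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:          # origin binding: defeats the relay
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CREDENTIAL_KEY, to_sign(assertion["rp_id_hash"],
                        assertion["client_data"]), "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"          # a signed field was edited in transit
    return True, "ok"

def attempt_login(page_origin: str, tamper: bool = False) -> tuple:
    """One ceremony: the RP issues a challenge, the page the victim is on (genuine
    or a proxy replica) obtains an assertion from the browser, the RP verifies it."""
    challenge = secrets.token_urlsafe(16)
    assertion = browser_get_assertion(page_origin, challenge)
    if tamper:  # proxy rewrites the visible fields so the assertion looks direct
        cd = json.loads(assertion["client_data"])
        cd["origin"] = RP_ORIGIN
        assertion["client_data"] = json.dumps(cd).encode()
        assertion["rp_id_hash"] = hashlib.sha256(RP_ID.encode()).digest()
    return rp_verify(assertion, challenge)
```

In a real browser the proxy's replica would fail even earlier, because credentials are scoped to the RP ID and the browser offers none for a different domain; the example shows the relying-party checks that reject it regardless.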
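The monitoring advice above, turned into detection logic as an added Python example written for this article (not code from the report or from any product): it runs over a small constructed sign-in log and flags the signature of AiTM session theft, a session minted by an MFA-completed login from one country and used from another shortly afterwards, together with the odd-hour and unexplained-token cases the text mentions. The log format, field names and work-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    event: str      # "interactive_auth" (password + MFA completed) or "token_use"
    ip: str
    country: str
    session_id: str

def parse(line: str) -> SignInEvent:
    ts, user, event, ip, country, sid = line.strip().split("|")
    return SignInEvent(datetime.fromisoformat(ts), user, event, ip, country, sid)

# Constructed sample sign-in log (not real data); addresses are documentation ranges.
SAMPLE_LOG = [
    "2024-05-14T09:02:11+00:00|alice@example.test|interactive_auth|192.0.2.10|DE|s-101",
    "2024-05-14T09:03:40+00:00|alice@example.test|token_use|192.0.2.10|DE|s-101",
    "2024-05-14T09:09:05+00:00|alice@example.test|token_use|198.51.100.7|NL|s-101",
    "2024-05-14T03:15:00+00:00|bob@example.test|interactive_auth|192.0.2.22|DE|s-202",
    "2024-05-14T10:00:00+00:00|carol@example.test|token_use|203.0.113.9|US|s-303",
]

def detect_session_anomalies(events, max_minutes=60, work_hours=(6, 20)):
    """Return (session_id, reason) pairs. The key signal for AiTM session theft is a
    session token minted by an MFA-completed login in one country and then used from
    another within max_minutes. Hours are read in the log's own time zone."""
    auth_by_session = {e.session_id: e for e in events if e.event == "interactive_auth"}
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event == "interactive_auth":
            if not work_hours[0] <= e.ts.hour < work_hours[1]:
                findings.append((e.session_id, f"{e.user} authenticated at {e.ts:%H:%M}"))
            continue
        origin = auth_by_session.get(e.session_id)
        if origin is None:   # token in use, but no MFA login ever minted it in our logs
            findings.append((e.session_id, f"{e.user}: token used with no authentication on record"))
            continue
        minutes = (e.ts - origin.ts).total_seconds() / 60
        if e.country != origin.country and minutes <= max_minutes:
            findings.append((e.session_id, f"{e.user}: session from {origin.country} ({origin.ip}) "
                             f"used from {e.country} ({e.ip}) {minutes:.0f} min after MFA login"))
    return findings

if __name__ == "__main__":
    for sid, reason in detect_session_anomalies([parse(l) for l in SAMPLE_LOG]):
        print(sid, reason)
```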

The emergence of Phishing-as-a-Service platforms like VoidProxy demonstrates the commercialization and growing sophistication of cybercrime. Staying vigilant and upgrading your security measures from traditional MFA to phishing-resistant solutions is no longer just a recommendation—it is an essential step in protecting your most critical digital assets.

Source: https://www.bleepingcomputer.com/news/security/new-voidproxy-phishing-service-targets-microsoft-365-google-accounts/