In an age where digital security is paramount, a new threat known as VoidProxy has emerged, targeting Microsoft 365 and Google accounts. This phishing-as-a-service platform employs sophisticated adversary-in-the-middle tactics to capture credentials, multi-factor authentication codes, and session cookies, even from accounts safeguarded by Okta SSO. Understanding the nuances of this attack can help you safeguard your data and maintain control over your digital footprint.
What Data Points Were Leaked?
VoidProxy isn’t your run-of-the-mill phishing scam. It’s a service built for cybercriminals, specifically designed to steal sensitive information from Microsoft 365 and Google accounts. The way it operates is cunning: it uses adversary-in-the-middle tactics to intercept data as users try to log in.
What Exactly Gets Stolen?
- Usernames and Passwords: The basics are always at risk. VoidProxy’s phishing pages look real enough to trick even the cautious, collecting login credentials when entered.
- Multi-Factor Authentication (MFA) Codes: Many people trust MFA to keep their accounts safe. VoidProxy is engineered to capture these codes in real-time as users type them in, breaking through a layer of security that most people rely on.
- Session Cookies: This is where things get particularly sneaky. Session cookies are digital “keys” that tell a service you’re already logged in. If an attacker grabs these, they can hijack your session and roam your account without needing your password or MFA again. It’s like someone copying your house key and walking right in, unnoticed.
- Data from SSO-Protected Accounts: Even accounts protected by Okta Single Sign-On (SSO) are on the menu. VoidProxy can intercept credentials and session tokens from these sources, meaning businesses that lean on SSO for extra security aren’t off the hook.
Why Does It Matter?
Most of us keep a treasure trove of sensitive documents, emails, and business data in our Microsoft 365 or Google accounts. With session cookies and MFA codes stolen, attackers can sidestep alerts and access controls. That means they can read your emails, download files, and even set up new phishing attempts using your compromised account.
Quick takeaway: VoidProxy doesn’t just trick you into giving up your password—it takes everything needed to impersonate you online, even if you’re careful.
Should You Be Worried?
If you’re storing anything important—financial records, sensitive emails, or intellectual property—inside a Microsoft 365 or Google account, it’s time to pay attention. VoidProxy’s phishing-as-a-service operation isn’t just another “spray and pray” scam. It’s targeted, persistent, and it’s getting results.
Why Your Account is a Target
Attackers using VoidProxy aren’t just looking for easy marks. They’re after accounts that can give them access to valuable information or systems. Here’s what makes you a likely target:
- Business Users: If you use Microsoft 365 or Google Workspace for work, you’re a bullseye. Corporate data, intellectual property, and even confidential communications are all attractive.
- Personal Data: Even outside of work, your Gmail or Outlook account is a treasure trove—think about everything from receipts to password reset emails.
- Shared Access: If your account is used to access multiple services, a single breach could give attackers a domino effect.
Are SSO and MFA Enough?
You might think logging in with Okta or another Single Sign-On (SSO) provider keeps you safe. Unfortunately, VoidProxy is designed to get around many standard defenses, including SSO and even some multi-factor authentication (MFA) methods.
- Phishing-resistant MFA (like hardware keys or authenticator apps) does offer more protection. Still, VoidProxy can sometimes trick users into handing over even these codes in real time.
- Legacy MFA (such as SMS-based codes) is especially vulnerable, as attackers can intercept or manipulate these more easily.
- Session Hijacking: VoidProxy can capture your authentication session, allowing attackers to bypass security checks entirely—sometimes without you realizing it.
How Does VoidProxy Work?
VoidProxy isn’t just a single phishing site. It’s a toolkit that lets criminals:
- Clone legitimate login pages for Microsoft 365 and Google
- Intercept your credentials and MFA codes as you enter them
- Forward your session in real time, so you never know you’ve been compromised
Attackers can launch convincing phishing campaigns with almost no technical know-how, thanks to this service.
Assessing Your Risk
Ask yourself:
- Do you store sensitive data in your Microsoft 365 or Google accounts?
- Are you responsible for company data or IT administration?
- Do you access your accounts on multiple devices or over unsecured networks?
If the answer is yes to any of these, you’re at risk. The sophistication of VoidProxy means even cautious users can get caught off guard.
Quick Facts
- VoidProxy is actively targeting both individuals and businesses.
- Even advanced security setups aren’t foolproof against real-time phishing.
- Awareness and proactive security measures are your best defense.
When it comes to defending against attacks like VoidProxy, solutions like Cloaked can help by protecting your credentials and providing an extra layer of defense against phishing sites. Staying informed and updating your security habits is critical—these threats are evolving fast.
What Should Be Your Next Steps?
Securing your organization against threats like VoidProxy is not about grand gestures—it's about smart, practical steps. Here’s what you should be doing right now:
1. Use Risk-Based Access Controls
Don’t give everyone the keys to the castle. Sensitive applications—HR records, finance dashboards, customer databases—should only be accessible from managed devices. That means devices controlled and monitored by your IT team. If a device isn’t managed, don’t trust it with access to critical apps.
- Segment access: Assign permissions based on user roles and risk profiles.
- Limit exposure: Restrict privileged access to only what’s necessary. No more, no less.
2. Adopt Phishing-Resistant Authentication
Passwords are easy prey for attackers. Multi-factor authentication (MFA) is better, but not all MFA methods are equal. Phishing-resistant methods—think security keys, biometrics, or device-bound passkeys—make it much harder for attackers to sneak in.
- Security keys: Hardware-based keys (like YubiKey or similar) that require physical presence.
- Biometrics: Fingerprint or face ID that can’t be easily shared or stolen.
- Device-bound passkeys: Credentials tied to a device, not just a password sent to your phone.
3. Monitor Account Activity—Relentlessly
It’s not enough to put up barriers. You need to keep an eye on who’s coming and going. Regularly check for:
- Unusual login times or locations
- Failed login attempts in clusters
When something doesn’t add up, act fast.
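The sketch below is an added example, not code from the original article or from any vendor. It runs the checks above over sign-in events and also flags one session being presented from two network locations, which is what a replayed session cookie looks like in logs. The event field names and the sample records are constructed assumptions, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (field names are assumptions, not a vendor schema).
EVENTS = [
    {"ts": "2025-01-10T09:00:05", "user": "alice", "ip": "198.51.100.7", "country": "US", "session": "s-1", "ok": True},
    {"ts": "2025-01-10T09:04:40", "user": "alice", "ip": "203.0.113.50", "country": "NL", "session": "s-1", "ok": True},
    {"ts": "2025-01-10T10:00:00", "user": "bob", "ip": "192.0.2.9", "country": "US", "session": None, "ok": False},
    {"ts": "2025-01-10T10:00:30", "user": "bob", "ip": "192.0.2.9", "country": "US", "session": None, "ok": False},
    {"ts": "2025-01-10T10:01:10", "user": "bob", "ip": "192.0.2.9", "country": "US", "session": None, "ok": False},
    {"ts": "2025-01-10T14:00:00", "user": "carol", "ip": "198.51.100.20", "country": "US", "session": "s-2", "ok": True},
    {"ts": "2025-01-10T15:30:00", "user": "carol", "ip": "198.51.100.20", "country": "US", "session": "s-2", "ok": True},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def session_reuse(events):
    """Sessions observed from more than one (IP, country): the same cookie
    presented by two clients, as when a captured session cookie is replayed."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["session"]:
            seen[(e["user"], e["session"])].add((e["ip"], e["country"]))
    return {key: sorted(origins) for key, origins in seen.items() if len(origins) > 1}

def failure_clusters(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed sign-ins inside any `window`.
    Returns user -> timestamp of the first failure in the first such cluster."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in fails.items():
        times.sort()
        # Slide over runs of `threshold` consecutive failures in time order.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[user] = times[i].isoformat()
                break
    return flagged

if __name__ == "__main__":
    print("session reuse:", session_reuse(EVENTS))
    print("failure clusters:", failure_clusters(EVENTS))
```

A session that changes IP is not always hostile (mobile networks and VPNs do this), so treat a hit as a reason to review the session or force re-authentication, not as proof of compromise.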
Use Privacy Tools Like Cloaked
For those who want an extra layer of protection, platforms like Cloaked offer features such as masked email addresses, phone numbers, and identity controls. These tools make it harder for attackers to gather intel or impersonate legitimate users, adding another obstacle for phishing and proxy-based attacks.
4. Keep Security Training Real
Phishing emails aren’t going away. Regular, no-nonsense security training helps employees spot suspicious links, urgent requests, and fake login pages. Make it part of your culture, not just a once-a-year checklist.
The basics work, but only if you use them consistently. Tighten access, upgrade authentication, watch for odd behavior, and use modern privacy tools. It’s not flashy—it’s what keeps your data safe.
