09/11/2025 | Press release | Distributed by Public on 09/11/2025 13:12
A new, highly evasive phishing service is challenging conventional cybersecurity defenses and bypassing common multi-factor authentication (MFA) methods, according to a detailed analysis from Okta Threat Intelligence.
The previously unreported Phishing-as-a-Service (PhaaS) operation, which its authors named VoidProxy, is a mature, scalable threat used by attackers to target Microsoft and Google accounts.
The service uses Adversary-in-the-Middle (AitM) techniques to intercept authentication flows in real time, capturing credentials, MFA codes, and any session tokens established during the sign-in event. This capability allows VoidProxy to bypass the protection of several common MFA methods, such as SMS codes and one-time passwords (OTP) from authenticator apps.
"This… phishing infrastructure is fairly advanced both in terms of MFA bypass capabilities and the way in which it was concealed from analysis until now," says Brett Winterford, VP of Okta Threat Intelligence. "It's hosted on ephemeral infrastructure and utilizes multiple methods of evading analysis by threat researchers."
The VoidProxy platform has been able to evade analysis until this point by using multiple layers of anti-analysis features, including compromised email accounts, multiple redirects, Cloudflare CAPTCHAs, Cloudflare Workers, and dynamic DNS services.
The discovery of VoidProxy began after Okta FastPass prevented a targeted user from signing in via the proxy infrastructure. "That signal helped us to scratch away at VoidProxy campaigns until we could get a full picture of this capability, including the admin panels used by threat actors that are paying for access to this service," Winterford explains.
By offering this sophisticated PhaaS, VoidProxy lowers the technical barrier for a wide range of threat actors to execute AitM phishing attacks. Accounts compromised using PhaaS platforms facilitate numerous malicious activities such as Business Email Compromise (BEC), financial fraud, data exfiltration and lateral movement within victim networks.
"The best way to protect your users against threats like VoidProxy is to enroll [them] in phishing-resistant authenticators and to enforce phishing resistance in sign-on policies," Winterford adds.
In all attacks observed by the Okta Threat Intelligence team, users enrolled in phishing-resistant authenticators (in this case, Okta FastPass) were unable to share credentials or sign in via VoidProxy infrastructure, and were warned that their account was under attack.
For more information, a detailed breakdown of anti-analysis techniques, VoidProxy infrastructure, and security recommendations is available on the Okta security blog. Okta customers can also view the complete 20-page threat advisory by signing into security.okta.com.