
A newly discovered Phishing-as-a-Service (PhaaS) platform, named VoidProxy, targets Microsoft 365 and Google accounts, including those that use third-party single sign-on (SSO).
The platform uses an adversary-in-the-middle (AitM) strategy to steal credentials, multi-factor authentication (MFA) codes and session cookies in real time.
VoidProxy was discovered by Okta Threat Intelligence researchers, who describe it as scalable, evasive and sophisticated.
The attack begins with emails sent from compromised accounts at email service providers, such as Constant Contact, Active Campaign and NotifyVisitors, which contain shortened links that send recipients to the phishing pages after several redirects.
The malicious sites are hosted on disposable, low-cost domains.
Visitors are first challenged with a Cloudflare CAPTCHA, which filters out bots and adds an air of legitimacy, while a Cloudflare Workers environment is used to filter traffic and load the pages.

Source: Okta
Selected targets are served a page that mimics a Microsoft or Google login, while everyone else is funnelled to a harmless "welcome" page.
If credentials are typed into the phishing form, the requests are proxied through VoidProxy's adversary-in-the-middle (AitM) infrastructure to the legitimate Google or Microsoft server.

Source: Okta
Federated accounts, such as those using Okta for SSO, are redirected to a second-stage phishing page that mimics the Okta sign-in flow for Microsoft 365 or Google SSO. These requests are proxied to the Okta server.
The service's proxy server relays traffic between the victim and the legitimate service while capturing the username, password and MFA code in transit.
When the legitimate service issues a session cookie, VoidProxy intercepts it and creates a copy that is made available to the attackers in the platform's admin panel.

Source: Okta
Okta notes that users enrolled in phishing-resistant authentication such as Okta FastPass were protected from the VoidProxy attack flow and received a warning that their account was under attack.
The researchers' recommendations include restricting access to sensitive apps to managed devices only, implementing risk-based access controls, using IP session binding for administrative apps and enforcing re-authentication for sensitive actions.
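Two of the recommendations above, IP session binding and re-authentication for sensitive actions, are easy to show in code. The following is an added example, not code from Okta or from the article: a hypothetical server-side session store that ties each session to the network address and browser it was issued to, revokes a cookie that is presented from anywhere else (the replay an AitM operator performs with a copied cookie), and demands fresh authentication before a sensitive action once the login is older than a chosen limit.

```python
import hashlib
import secrets


class SessionStore:
    """Hypothetical server-side session store (constructed for this example).

    Each session is bound to a fingerprint of the client IP and User-Agent at
    login. A cookie presented with a different fingerprint is treated as stolen
    and revoked; sensitive actions require a recent authentication."""

    def __init__(self, reauth_after: float = 300.0):
        self.reauth_after = reauth_after          # seconds before step-up is required
        self._sessions: dict[str, dict] = {}      # session id -> binding record

    @staticmethod
    def _fingerprint(ip: str, user_agent: str) -> str:
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user: str, ip: str, user_agent: str, now: float) -> str:
        """Create a session after successful login and return the cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": self._fingerprint(ip, user_agent),
            "auth_at": now,                       # time of the last full authentication
        }
        return sid

    def validate(self, sid: str, ip: str, user_agent: str, now: float,
                 sensitive: bool = False) -> str:
        """Return 'ok', 'reauth' (step-up needed) or 'deny' (unknown or replayed)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return "deny"
        if rec["fp"] != self._fingerprint(ip, user_agent):
            # Cookie replayed from another address/browser: revoke it outright.
            del self._sessions[sid]
            return "deny"
        if sensitive and now - rec["auth_at"] > self.reauth_after:
            return "reauth"
        return "ok"

    def reauthenticated(self, sid: str, now: float) -> None:
        """Record a fresh MFA/password check so sensitive actions are allowed again."""
        self._sessions[sid]["auth_at"] = now
```

Note that the binding fixes the cookie to the network the login came from, and with an AitM proxy that network is the proxy itself; the check stops reuse from a different address (such as the attackers' admin panel) but not reuse through the same proxy, which is why the article pairs it with managed devices and phishing-resistant authentication.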


