{"id":23242,"date":"2025-11-20T09:00:08","date_gmt":"2025-11-20T02:00:08","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23242"},"modified":"2026-01-20T10:25:21","modified_gmt":"2026-01-20T03:25:21","slug":"voidproxy-threatens-microsoft-and-google-accounts","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/voidproxy-threatens-microsoft-and-google-accounts\/","title":{"rendered":"VoidProxy: New Phishing Service Threatens Microsoft 365 and Google Accounts"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In today&#8217;s digital world, information security (InfoSec) is not just an abstract concept but the first line of defense against sophisticated threats. Recently, cybersecurity researchers discovered a new Phishing-as-a-Service (PhaaS) named <strong>VoidProxy<\/strong>, which targets Microsoft 365 and Google Workspace accounts. This service not only steals login credentials but also bypasses multi-factor authentication (MFA), paving the way for large-scale phishing attacks. This article will analyze VoidProxy in detail based on reliable reports, supplement data from reputable online sources, and illustrate the attack flow with simple diagrams. We will explore how it works in an easy-to-understand manner and provide practical preventive measures.<\/span><\/p>\n<h2 id=\"heading-overview\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Overview<\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Before diving into VoidProxy, let&#8217;s review the basic concept.\u00a0<strong>Phishing<\/strong>\u00a0is a form of attack carried out through fake emails, messages, or websites to steal sensitive information like usernames, passwords, and authentication codes. 
According to Verizon&#8217;s 2024 Data Breach Investigations Report, phishing accounts for up to 36% of global data breaches. Unlike old-fashioned attacks, modern phishing uses\u00a0<strong>Adversary-in-the-Middle (AitM)<\/strong>\u00a0\u2013 a &#8220;man-in-the-middle&#8221; technique to intercept and manipulate communication between the victim and legitimate servers, allowing it to bypass MFA without needing malware.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">VoidProxy is a prime example of this evolution, turning phishing into an &#8220;outsourced service&#8221; for cybercriminals.<\/span><\/p>\n<h3 id=\"heading-what-is-voidproxy-an-overview-of-this-new-phishing-service\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">What is VoidProxy? An Overview of This New Phishing Service<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">VoidProxy was discovered by the Okta Threat Intelligence team in September 2025 and is described as a &#8220;novel and evasive&#8221; PhaaS platform. It acts as an intermediary &#8220;proxy,&#8221; allowing attackers to create fake websites that look exactly like the login interfaces of Microsoft 365 and Google, collecting all the information needed to access real accounts. According to Okta, this service had been active for at least a few months before being detected, targeting organizations using the cloud to carry out\u00a0<strong>Business Email Compromise (BEC)<\/strong>\u2014a type of attack that causes an average loss of $1.8 million per incident according to the FBI.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Key Features of VoidProxy:<\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Main Targets:<\/strong>\u00a0Microsoft 365 accounts (including Outlook, Teams) and Google Workspace (Gmail, Drive). 
These platforms store sensitive data, making them a &#8220;gold mine&#8221; for attackers.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Pricing:<\/strong>\u00a0The service is sold on the dark web at an affordable price, around $100-500 per month depending on the package, which includes campaign creation tools and technical support.<\/span><\/li>\n<\/ul>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Evasion Techniques:<\/strong>\u00a0Uses dynamic domains (like random subdomains on legitimate providers) and JavaScript obfuscation to hide activities. It also integrates\u00a0<strong>session token hijacking<\/strong>, allowing attackers to maintain long-term access without needing to log in again.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Impact:<\/strong>\u00a0Can lead to data theft, ransomware, or insider attacks. A report from IBM X-Force Exchange states that VoidProxy has been used in at least 50 campaigns targeting European and American businesses.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">To demonstrate the severity, consider additional data from other sources: According to Cybersecurity Dive, VoidProxy bypassed MFA in 70% of simulated tests, higher than older PhaaS like EvilProxy (only 50%). Additionally, SC Media reports that this service uses AitM techniques to &#8220;relay&#8221; login information to the real site, leaving victims unsuspecting.<\/span><\/p>\n<h3 id=\"heading-attack-flow-of-voidproxy\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">Attack Flow of VoidProxy:<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">VoidProxy operates using a sophisticated AitM model, where the proxy acts as a &#8220;middleman&#8221; between the victim and the legitimate service. 
Here is the step-by-step attack flow, which is as easy to follow as an online shopping process being &#8220;interrupted&#8221;:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 1: Initial Phishing Lure<\/strong>\u00a0The victim receives a fake email or message from &#8220;Microsoft\/Google support,&#8221; notifying them of an &#8220;account issue&#8221; and asking them to log in to verify. The email contains a link to a fake domain (e.g., micro-soft[.]fake-domain[.]com).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 2: Fake Login Page<\/strong>\u00a0When the victim clicks the link, they are taken to VoidProxy&#8217;s proxy page, which accurately mimics the original interface. They enter their username and password\u2014this information is recorded immediately.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 3: Bypassing MFA<\/strong>\u00a0The proxy page automatically &#8220;forwards&#8221; the information to the real Microsoft\/Google login page. The victim receives an MFA code (via app or SMS) and enters it into the proxy\u2014the code is also stolen. The proxy then uses the information to authenticate with the real server.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 4: Session Theft and Access<\/strong>\u00a0VoidProxy collects the session token, allowing the attacker to access the account without needing MFA anymore. 
The victim sees a &#8220;successful login&#8221; and is redirected to the real page, creating a false sense of security.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phase 5: Data Exploitation<\/strong>\u00a0The attacker uses the access to send phishing emails, download data, or install malware.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">To illustrate clearly, here is the\u00a0<strong>attack flow diagram<\/strong>:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-23243 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/Anh-chup-man-hinh-2025-11-06-110716-1762410680.png\" alt=\"attack-flow-chart\" width=\"881\" height=\"706\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/Anh-chup-man-hinh-2025-11-06-110716-1762410680.png 881w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/Anh-chup-man-hinh-2025-11-06-110716-1762410680-700x561.png 700w\" sizes=\"(max-width: 881px) 100vw, 881px\" \/><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This diagram shows how the proxy &#8220;tricks&#8221; both sides: the victim thinks everything is normal, while the attacker has a master key. 
According to Okta&#8217;s analysis, this technique increases the success rate by 80% compared to traditional phishing.<\/span><\/p>\n<h3 id=\"heading-voidproxy-attacks-in-reality\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">VoidProxy Attacks in Reality<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Okta&#8217;s Detailed Report:<\/strong>\u00a0Confirms VoidProxy uses custom JavaScript code to handle tokens and has been tracked across 20 related domains.\u00a0<a href=\"https:\/\/sec.okta.com\/articles\/uncloakingvoidproxy\/\" target=\"_blank\" rel=\"noopener nofollow\"><em>Details<\/em><\/a><em>.<\/em><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>CSO Online:<\/strong>\u00a0Highlights the risk of BEC, with an example of a financial company losing $2 million due to a Google account hacked through similar PhaaS.\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/4056512\/voidproxy-phishing-as-a-service-operation-steals-microsoft-google-login-credentials.html\" target=\"_blank\" rel=\"noopener nofollow\"><em>Details.<\/em><\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Cloaked Security Blog:<\/strong>\u00a0Suggests that VoidProxy could combine with AI to create personalized emails, increasing the click rate by 25%.\u00a0<a href=\"https:\/\/www.cloaked.com\/post\/are-your-microsoft-365-or-google-accounts-safe-from-the-new-voidproxy-phishing-attack\" target=\"_blank\" rel=\"noopener nofollow\"><em>Details.<\/em><\/a><\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This data proves VoidProxy is not a &#8220;rumor&#8221; but a real threat, affecting thousands of users globally.<\/span><\/p>\n<h3 id=\"heading-how-to-prevent-voidproxy-and-similar-phishing-attacks\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, 
sans-serif;font-size: 12pt\">How to Prevent VoidProxy and Similar Phishing Attacks<\/span><\/h3>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong><em>FPT Threat Intelligence<\/em><\/strong>\u00a0<em>recommends<\/em>\u00a0the following simple yet effective protection steps:<\/span><\/p>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Check URLs:<\/strong>\u00a0Always hover over links before clicking; look for signs of spoofing like misspellings or strange domains.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Use Advanced MFA:<\/strong>\u00a0Switch to hardware keys (like YubiKey) instead of SMS, as they are harder for AitM attacks to bypass.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Detection Tools:<\/strong>\u00a0Deploy email filters like Microsoft Defender or Google Workspace&#8217;s Advanced Protection. According to MojoAuth, these tools block 95% of phishing.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Employee Training:<\/strong>\u00a0Conduct regular phishing simulations to raise awareness.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Account Monitoring:<\/strong>\u00a0Use tools like Okta Verify to detect suspicious logins.<\/span><\/li>\n<\/ol>\n<h2 id=\"heading-references\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 12pt\">References<\/span><\/h2>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-voidproxy-phishing-service-targets-microsoft-365-google-accounts\/\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/www.bleepingcomputer.com\/news\/security\/new-voidproxy-phishing-service-targets-microsoft-365-google-accounts\/<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a 
href=\"https:\/\/sec.okta.com\/articles\/uncloakingvoidproxy\/\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/sec.okta.com\/articles\/uncloakingvoidproxy\/<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.csoonline.com\/article\/4056512\/voidproxy-phishing-as-a-service-operation-steals-microsoft-google-login-credentials.html\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/www.csoonline.com\/article\/4056512\/voidproxy-phishing-as-a-service-operation-steals-microsoft-google-login-credentials.html<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.cloaked.com\/post\/are-your-microsoft-365-or-google-accounts-safe-from-the-new-voidproxy-phishing-attack\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/www.cloaked.com\/post\/are-your-microsoft-365-or-google-accounts-safe-from-the-new-voidproxy-phishing-attack<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by FPT IS Technology Experts<\/strong> <\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><em style=\"font-size: inherit\">Nguyen Van Trung \u2013 FPT IS Cyber Security 
Center<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":23244,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23242","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23244"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23242"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23242"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23242"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23242"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23242"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23242"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23242"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}