VoidProxy Targets Microsoft 365 & Google Accounts

A dangerous new online scam called Voidproxy is making waves in the cybersecurity world, and it’s targeting some of the most popular services we use every day.  This phishing service is going after Microsoft 365 and Google accounts with alarming success, and what makes it particularly scary is how it can bypass even the strongest security measures.

The most concerning aspect of VoidProxy is that it can defeat multi-factor authentication, which is supposed to be one of our best defenses against hackers.

Security researchers first spotted attacks from VoidProxy starting in January 2025, but investigations revealed that criminals were advertising this service on the dark web marketplaces as early as August 2024. This means the people behind VoidProxy have been quietly developing and testing their system for months before launching widespread attacks. 

What makes VoidProxy particularly dangerous is how it works as a “crime-as-a-service” platform. This means that even cybercriminals without advanced technical skills can now launch  attacks that were previously only possible for highly skilled hackers. The service provides everything needed to run effective phishing campaigns.

Here’s how a typical VoidProxy attack works; You receive what  an email asking you to log into your Microsoft 365 or Google account. When you click the link and enter your credentials, you’re actually interacting with a fake site that looks identical to the real thing. As you complete your normal login process, including entering security codes from your phone, VoidProxy captures everything in real-time. Most importantly, it steals something called session tokens, which are like digital keys that prove you’ve already logged in successfully. With these tokens, attackers can access your account as if they were you, without having to repeat the login process.

Virtually anyone using Microsoft 365 or Google services could be at risk, but certain groups are particularly attractive targets. Businesses relying on Microsoft 365 for their operations face significant risks due to the valuable data these accounts contain. Educational institutions using Google Workspace or Microsoft education services are also prime targets because they typically have large user bases with varying levels of security awareness. Government agencies and high-profile individuals like executives, researchers, and journalists may be specifically targeted for the sensitive information they possess.

The challenge with VoidProxy is that it’s incredibly difficult to detect. The fake login pages look exactly like the real ones, and because the service uses legitimate-looking web addresses and encrypted communications, it often slips past traditional security measures. 

However, there are steps organizations and individuals can take to protect themselves. Strong email filtering systems can help block phishing emails before they reach users. 

Regular security training should teach people about these advanced attacks and help them identify suspicious login requests. Organizations should implement strict controls that limit login attempts from unusual locations or devices and regularly monitor account activity for signs of unauthorized access.

One of the most effective defenses against these attacks is using physical security keys instead of text messages or apps for multi-factor authentication. These hardware devices are much more resistant to phishing attacks because they can verify they’re communicating with the real service, not a fake one.

As more organizations move their operations to cloud services, the security of these platforms becomes increasingly critical.

Security companies and cloud providers are working to detect and stop VoidProxy campaigns, but the service’s sophisticated design makes this challenging. Organizations need to work closely with their security vendors to ensure their protection systems are updated with the latest information about these threats.

VoidProxy likely represents just the beginning of a new generation of phishing services. Its success will probably inspire similar offerings and drive further innovation in cybercrime. Organizations must prepare for a world where traditional multi-factor authentication may not provide adequate protection against determined attackers.