A sophisticated phishing-as-a-service operation has been targeting Google and Microsoft accounts and can bypass traditional defense mechanisms, including multifactor authentication, researchers at Okta Threat Intelligence warned in a blog post on Thursday.
The phishing operation, dubbed VoidProxy, uses adversary-in-the-middle techniques to bypass normal authentication flow.
Researchers first learned of attacks linked to the operation in January, but Dark Web advertisements for VoidProxy appear to have begun as early as August 2024, according to Okta researchers. The attacks are ongoing, and Okta said they have targeted valuable accounts.
“We have observed high confidence account takeovers in multiple entities,” Okta researchers told Cybersecurity Dive via email. “By extension, we expect Microsoft and Google will have observed a larger number of ATO events, given that VoidProxy proxies non-federated users directly with Microsoft and Google servers.”
The VoidProxy service captures session tokens, MFA codes and credentials, and can bypass MFA methods that use SMS codes or one-time passwords used in authentication apps, according to Okta.
During the early phases of an attack, phishing lures are sent from compromised accounts at legitimate email service providers, such as Constant Contact, Active Campaign, Notify Visitors and others. Because the lures borrow the reputation of those accounts, they avoid spam filters, according to Okta.
Attackers can leverage such an operation to conduct follow-on attacks, including business email compromise; move laterally within systems; exfiltrate data from targeted entities; and conduct other activity, according to Okta.
The attacks in certain cases were thwarted by Okta FastPass, the vendor's passwordless authentication service, which flagged the malicious activity. Users with phishing-resistant authenticators could neither share credentials nor use VoidProxy infrastructure to sign in, according to Okta.
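The contrast between the MFA methods the service can relay (SMS codes and app one-time passwords) and the phishing-resistant authenticators that stop it comes down to origin binding: a one-time password is a bearer secret with no tie to the site it was typed into, whereas a WebAuthn assertion embeds the origin the browser is actually on and the authenticator signs over it. The toy relying-party checks below illustrate this. It is an added example, not Okta's code and not a model of VoidProxy's implementation; the HMAC stands in for the authenticator's asymmetric signature, and both origins are placeholders.

```python
"""Toy relying-party (RP) checks: a relayed OTP verifies, an origin-bound
assertion does not. Added illustration; HMAC-SHA256 stands in for the
authenticator's asymmetric signature and both origins are placeholders."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"      # assumed legitimate sign-in origin
PROXY_ORIGIN = "https://login.example.net"   # placeholder for a proxy's origin


# --- One-time password: a bearer secret, nothing binds it to where it was typed ---
def verify_otp(expected_code: str, submitted_code: str) -> bool:
    return hmac.compare_digest(expected_code, submitted_code)


# --- WebAuthn-style assertion: origin and challenge are part of the signed data ---
def make_assertion(key: bytes, challenge: str, origin: str) -> dict:
    """Browser + authenticator side. The browser records the origin it is
    really on; the authenticator signs authenticatorData || SHA-256(clientData)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = b"\x01" * 37  # stand-in for authenticatorData (rpIdHash, flags, counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(key: bytes, assertion: dict, expected_challenge: str,
                     expected_origin: str) -> tuple:
    """RP side: reject on wrong type, wrong origin, wrong challenge, or bad signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    key = secrets.token_bytes(32)          # credential key shared by authenticator and RP (toy)
    challenge = secrets.token_urlsafe(32)  # fresh per-login challenge issued by the RP

    # An OTP forwarded through a proxy is indistinguishable from one typed on the real site.
    otp_relayed = verify_otp("482913", "482913")

    # Assertion produced while the browser is on the real origin.
    legit = verify_assertion(key, make_assertion(key, challenge, RP_ORIGIN),
                             challenge, RP_ORIGIN)

    # Assertion produced while the browser is on a proxy's origin: origin check fails.
    proxied = make_assertion(key, challenge, PROXY_ORIGIN)
    relayed = verify_assertion(key, proxied, challenge, RP_ORIGIN)

    # If the origin field were rewritten in transit, the signature no longer matches.
    tampered = dict(proxied)
    tampered["client_data"] = proxied["client_data"].replace(
        PROXY_ORIGIN.encode(), RP_ORIGIN.encode())
    rewritten = verify_assertion(key, tampered, challenge, RP_ORIGIN)

    return {"otp_relayed": otp_relayed, "legit": legit,
            "relayed": relayed, "rewritten": rewritten}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A production relying party additionally checks the rpIdHash in authenticatorData, the user-presence flag and the signature counter, and uses the credential's public key rather than a shared secret; the origin and challenge checks shown here are the part that defeats a relay.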
Okta researchers confirmed they notified Microsoft and Google of the findings and also shared information with SaaS partners and warned Okta customers about the phishing operation on Monday.
The structure of the operation effectively lowers the technical barrier required for a threat actor to launch their own phishing operation against a targeted organization, the researchers said.
“We regularly see new phishing campaigns like this pop up, which is why we design durable protections to keep users safe from these types of attacks,” a Google spokesperson told Cybersecurity Dive.
The safeguards include protection against domain spoofing, phishing links and compromised senders, according to the spokesperson.
Google agrees with recommendations in the Okta report that users should adopt passkeys as a strong method to protect against phishing, the spokesperson added.
Microsoft declined to comment; however, a spokesperson provided a link with general mitigation guidance.