Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework
VoidProxy is a recently uncovered Phishing-as-a-Service (PhaaS) framework that uses Adversary-in-the-Middle (AitM) techniques to intercept full authentication flows, including credentials, MFA codes, and session tokens. It targets Microsoft and Google accounts, and can handle cases where those accounts are federated via third-party identity providers such as Okta. That means not only non-federated users are at risk: federated login flows (SP-initiated or IdP-initiated via Okta) are vulnerable as well. After collecting credentials, VoidProxy crafts second-stage landing pages based on how the affected account is configured.
What makes VoidProxy especially evasive is its layered anti-analysis and infrastructure obfuscation. Among these techniques are:
- delivery via compromised legitimate ESP (Email Service Provider) accounts to improve sender reputation;
- embedding phishing links in URL shorteners and chaining multiple redirects before the first-stage landing pages;
- use of cheap, low-reputation TLDs (e.g. .icu, .xyz, .top) for throw-away front-end domains;
- Cloudflare protection (CAPTCHA, Cloudflare Workers) to filter out non-human traffic and hide the real server IPs;
- dynamic DNS wildcard services (e.g. services that resolve hostnames with embedded IPs) for the backend proxy engines;
- a “disposable frontend / resilient backend” architecture, indicating a semi-automated provisioning model for people who “rent” access to VoidProxy campaigns.
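As an added illustration, not from the report or from any vendor, the following Python scan runs over constructed proxy-log lines and flags the two infrastructure traits described above: throw-away domains on cheap TLDs, and backend hostnames on wildcard DNS services that embed the server IP in the name. The log format, the tag names, the choice of sslip.io and nip.io as the wildcard services to match, and the "accounts."/"login." prefix heuristic are all assumptions.

```python
import re
import ipaddress

# Constructed sample proxy log (timestamp user destination_host); not real traffic.
SAMPLE_LOG = """\
2024-09-12T10:01:02Z alice login.microsoftonline.com
2024-09-12T10:02:11Z bob accounts.example-brand.icu
2024-09-12T10:03:40Z carol voidproxy.0123456789abcd.203.0.113.10.sslip.io
2024-09-12T10:04:05Z dave voidproxy.abcdef0123456789.cb00710a.nip.io
"""

# Wildcard DNS services that resolve an IP embedded in the hostname (assumed list; extend locally).
WILDCARD_DNS_SUFFIXES = ("sslip.io", "nip.io")
# Cheap, low-reputation TLDs of the kind the report associates with throw-away front-end domains.
LOW_REP_TLDS = ("icu", "xyz", "top", "cfd")
# Embedded IPv4 forms such services accept: dotted or dashed decimal, or 8 hex digits.
DOTTED_IP = re.compile(r"(?:^|\.)(\d{1,3}(?:[.-]\d{1,3}){3})(?=\.)")
HEX_IP = re.compile(r"(?:^|\.)([0-9a-f]{8})(?=\.)")

def embedded_ip(host):
    """Return the IPv4 address encoded in a wildcard-DNS hostname, or None."""
    m = DOTTED_IP.search(host)
    if m:
        try:
            return str(ipaddress.IPv4Address(m.group(1).replace("-", ".")))
        except ValueError:
            pass  # digits that are not a valid address; fall through to the hex form
    m = HEX_IP.search(host)
    return str(ipaddress.IPv4Address(int(m.group(1), 16))) if m else None

def classify(host):
    """Return indicator tags for a destination hostname (empty list = nothing suspicious)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    tags = []
    if labels[-1] in LOW_REP_TLDS:
        tags.append("low-rep-tld")
    if any(host.endswith("." + s) for s in WILDCARD_DNS_SUFFIXES):
        ip = embedded_ip(host)
        tags.append(f"wildcard-dns:{ip}" if ip else "wildcard-dns")
    # Assumed heuristic: a login-style prefix on an already-suspicious domain looks like a lure.
    if tags and labels[0] in ("accounts", "login", "signin"):
        tags.append("lure-prefix")
    return tags

def scan(log_text):
    """Return (user, host, tags) for every log line whose destination carries a tag."""
    rows = [p for p in (line.split() for line in log_text.splitlines()) if len(p) == 3]
    return [(u, h, t) for _, u, h in rows if (t := classify(h))]
```

The extracted IP from a wildcard-DNS hostname is the real backend address and can be pivoted on directly, which the disposable front-end domains cannot.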
IOCs (15)
IP addresses (2)
Domains (13)
Detections (8)
- Suspicious Use of an Okta Session Cookie
- FastPass Authentication Attempt via AiTM Phishing Proxy
- Detect phishing emails delivered with suspicious links
- Detect application OAuth consent grants and access token issuance to suspicious apps
- Detect extraction of web session cookies from browser processes or profile directories
- Detect user execution of files downloaded from the internet
- Flag heavily obfuscated scripts with long base64 blobs
- Detect rapid MFA push notifications consistent with push bombing