The Register: Hijacker helper VoidProxy boosts Google, Microsoft accounts on demand

Source URL: https://www.theregister.com/2025/09/11/voidproxy_phishing_service/
Source: The Register

Feedly Summary: Okta uncovers new phishing-as-a-service operation with ‘multiple entities’ falling victim
Multiple attackers using a new phishing service dubbed VoidProxy to target organizations’ Microsoft and Google accounts have successfully stolen users’ credentials, multi-factor authentication codes, and session tokens in real time, according to security researchers.…


Summary: The text discusses VoidProxy, a new phishing-as-a-service operation identified by Okta that targets organizations' Microsoft and Google accounts and has claimed multiple victims. The incident underscores the ongoing threat of phishing attacks and the need for robust security measures in identity and access management systems.

Detailed Description: The report from Okta reveals a sophisticated phishing operation named VoidProxy, which has gained traction among attackers. This new service presents significant challenges to organizations’ security, particularly those utilizing Microsoft and Google accounts. The implications for security, privacy, and compliance professionals are substantial as they need to enhance defenses against such targeted phishing strategies.

Key points include:

- **Phishing-as-a-Service (PhaaS)**: VoidProxy represents a new wave in cyber threats in which phishing is offered as a service that multiple cybercriminals can easily access and use.

- **Credential Theft**: The operation steals not just usernames and passwords, but also multi-factor authentication (MFA) codes and session tokens. This shows that MFA can be rendered ineffective if the attacker can intercept the codes in real time.

- **Targeted Organizations**: The text notes that multiple entities have fallen victim to this service, signifying that no organization is immune, and any organization using common platforms like Microsoft and Google needs to be vigilant.

- **Security Implications**: This incident emphasizes the necessity for organizations to strengthen their identity and access management practices, consider zero-trust frameworks, and invest in user education so that users can recognize potential phishing attempts.

- **Regulatory Compliance**: Given the nature of the data involved, organizations must consider compliance with data protection and privacy regulations, such as GDPR or CCPA, if they operate in regions where these laws apply.

In conclusion, the emergence of VoidProxy highlights the increasing sophistication of phishing operations and the pressing need for heightened security measures to protect sensitive data and maintain trust in cloud-based services. Organizations must remain proactive in their cybersecurity strategies and ensure that they are using comprehensive approaches to defend against evolving threats.