Dark web phishing service hijacks Microsoft and Google accounts

A dark web phishing service platform called VoidProxy is hijacking Microsoft and Google accounts by stealing credentials.

Cybersecurity threats continue to grow in sophistication, and users of popular services like Microsoft 365 and Google face an increasingly dangerous landscape. These accounts are often targets for attackers due to their widespread use for both personal and corporate communications, file storage, and sensitive data management.

Despite built-in security features such as multi-factor authentication, attackers have developed new methods to bypass these defenses. A newly discovered threat, known as VoidProxy, is a phishing-as-a-service platform designed to hijack Microsoft and Google accounts, even those protected by third-party single sign-on solutions such as Okta.

How VoidProxy hijacks Microsoft and Google accounts

VoidProxy stands out for its advanced and scalable attack approach, making it a serious concern for enterprises and individuals alike. Discovered by Okta Threat Intelligence researchers, the platform employs adversary-in-the-middle tactics. This allows attackers to intercept credentials, multi-factor authentication codes, and session cookies in real time.

VoidProxy begins its attack by sending emails from compromised accounts. These usually belong to email marketing service providers such as Constant Contact, Active Campaign, and NotifyVisitors. These emails contain shortened links that lead recipients through multiple redirections before landing on a phishing site.

The phishing pages are hosted on disposable, low-cost domains with extensions like .icu, .sbs, .cfd, .xyz, .top, and .home. Cloudflare protects these domains, obscuring their true locations and making takedowns difficult.

Before presenting the phishing form, visitors must pass a Cloudflare CAPTCHA, which helps filter out automated bots and makes the interaction seem legitimate.
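
The redirect-and-domain pattern described above, turned into a triage heuristic as an added example (not part of the article or of Okta's analysis): it scores a link's redirect chain on the signals the article names, a shortener at the start, several hops, a disposable TLD at the end, and a sign-in page that does not end on a real Microsoft or Google login host. The shortener list, the expected login hosts, the hop threshold and the sample chains are assumptions constructed here.

```python
"""Triage an email link's redirect chain on the signals the article lists.
Added example; the shortener list, expected login hosts, hop threshold and
sample chains are constructed assumptions, not data from the article."""
from urllib.parse import urlsplit

# Disposable, low-cost TLDs the article names for the phishing pages
DISPOSABLE_TLDS = {"icu", "sbs", "cfd", "xyz", "top", "home"}
# Assumed list of common link shorteners (the article names none)
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "lnkd.in", "ow.ly"}
# Assumed: where a real Microsoft / Google sign-in should end up
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
MAX_BENIGN_HOPS = 2  # assumed: more redirections than this is suspicious
LOGIN_KEYWORDS = ("login", "signin", "sso", "microsoft", "google", "okta")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def tld_of(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""

def score_redirect_chain(chain):
    """Return (score, reasons) for URLs listed in redirect order.
    Each matched signal adds one point; 0 means nothing stood out."""
    hosts = [host_of(u) for u in chain]
    final_url, final_host = chain[-1].lower(), hosts[-1]
    reasons = []
    if hosts[0] in SHORTENER_HOSTS:
        reasons.append("link starts at a URL shortener")
    if len(chain) - 1 > MAX_BENIGN_HOPS:
        reasons.append(f"{len(chain) - 1} redirections before the final page")
    if tld_of(final_host) in DISPOSABLE_TLDS:
        reasons.append(f"final domain uses disposable TLD .{tld_of(final_host)}")
    if any(k in final_url for k in LOGIN_KEYWORDS) and final_host not in EXPECTED_LOGIN_HOSTS:
        reasons.append("sign-in page is not on an expected login host")
    return len(reasons), reasons

# Constructed sample chains (hosts are placeholders, not real sites)
SUSPECT_CHAIN = [
    "https://bit.ly/3xmpl",
    "https://track.marketing-example.net/c/9a1",
    "https://cdn.redirect-example.net/r?u=2",
    "https://secure-login-m365.example.icu/",
]
BENIGN_CHAIN = ["https://accounts.google.com/signin/v2/identifier"]

if __name__ == "__main__":
    for chain in (SUSPECT_CHAIN, BENIGN_CHAIN):
        score, why = score_redirect_chain(chain)
        print(f"{chain[-1]} -> score {score}: {why}")
```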

Targeted credential theft

When attackers serve a page that convincingly mimics the Microsoft or Google login interface, victims often enter their credentials without suspicion. VoidProxy forwards these inputs through its adversary-in-the-middle system directly to the legitimate Microsoft or Google servers. This proxying not only steals usernames and passwords but also intercepts two-factor authentication codes and session cookies.

For those who rely on single sign-on providers like Okta, VoidProxy has a second-stage phishing page. This page imitates the official Microsoft 365 or Google SSO flow with Okta, tricking you into submitting sensitive information.

The service’s proxy server relays traffic between the victim and the real service, while simultaneously capturing critical authentication data. Once a session cookie is issued by the legitimate service, VoidProxy duplicates it and makes it accessible to the attacker through an admin panel.

6 ways you can keep your Google or Microsoft account safe

I have listed some steps that you can take to safeguard against VoidProxy and similar threats and keep your online accounts safe.

1) Keep strong antivirus software installed

Strong antivirus software helps detect and block malware that could be used to monitor your online activity or capture keystrokes. While VoidProxy uses phishing pages and proxies traffic rather than installing malware, strong antivirus software provides a second line of defense by alerting users to suspicious downloads or infected sites.

2) Remove personal data from the internet

Attackers often gather personal information to craft targeted phishing campaigns that appear legitimate. Removing unnecessary personal information from public sources limits what attackers can use to make their phishing attempts more convincing. Using a data removal service helps monitor and remove your personal details from the dark web and public databases, reducing your digital footprint and overall exposure to targeted attacks.

3) Use strong, unique passwords and a password manager

Phishing attacks like VoidProxy rely on capturing your username and password. Avoid using easily guessable passwords or reusing the same password across multiple services. A password manager can generate complex, random passwords and securely store them, reducing the risk of credential compromise.

Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

4) Enable two-factor authentication (2FA)

Two-factor authentication adds an extra layer of security by requiring a second verification step, such as a code sent to your phone or generated by an authentication app. Although VoidProxy tries to steal 2FA codes in real time, using one-time password apps makes it difficult for attackers to intercept and reuse codes successfully.

5) Be cautious with email links and verify sources

VoidProxy starts by sending phishing emails from compromised marketing service accounts. You should never click on links in emails that appear suspicious or unexpected, especially those with URL shorteners or multiple redirections. Instead, navigate directly to Microsoft or Google login pages by typing the URL manually or using bookmarks. This prevents you from being funneled to malicious sites disguised as legitimate ones.

6) Regularly monitor account activity

Even with strong protections, some threats may slip through. Regularly checking your Microsoft and Google account login history and authorized applications helps detect suspicious logins or devices you do not recognize. Immediately removing unknown devices and forcing re-authentication for sensitive apps reduces the chances that an attacker maintains ongoing access using stolen session cookies.
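
The footprint a duplicated session cookie (described in the section on the proxy server) leaves in the login history this step asks you to review, as an added example that is not part of the article: one session id turning up from a second network and browser within a short window. The activity record format, the one-hour window and the sample records are constructed assumptions.

```python
"""Spot one sign-in session being used from two clients at once, the trace a
duplicated session cookie leaves in account activity. Added example; the
record format, the one-hour window and the sample records are constructed."""
from datetime import datetime, timedelta

# Constructed activity records: (ISO time, user, session id, source IP, client)
ACTIVITY = [
    ("2025-09-12T09:00:00", "alice@example.com", "sess-41", "203.0.113.10", "Chrome/Windows"),
    ("2025-09-12T09:01:30", "alice@example.com", "sess-41", "203.0.113.10", "Chrome/Windows"),
    # Same session id five minutes later from another network and browser
    ("2025-09-12T09:06:00", "alice@example.com", "sess-41", "198.51.100.7", "Firefox/Linux"),
    ("2025-09-12T10:00:00", "bob@example.com", "sess-77", "192.0.2.22", "Safari/macOS"),
    ("2025-09-13T10:00:00", "bob@example.com", "sess-77", "192.0.2.22", "Safari/macOS"),
]
WINDOW = timedelta(hours=1)  # assumed: a second client within this window is suspicious


def find_replayed_sessions(records, window=WINDOW):
    """Return one alert per (session, new client) where a session id is used
    from a second (ip, client) fingerprint within `window` of the known one."""
    by_session = {}
    for ts, user, sid, ip, client in sorted(records):
        by_session.setdefault(sid, []).append((datetime.fromisoformat(ts), user, ip, client))
    alerts = []
    for sid, events in by_session.items():
        last_seen = {}  # fingerprint -> most recent time it used this session
        for t, user, ip, client in events:
            fp = (ip, client)
            if fp not in last_seen:
                for other_fp, other_t in last_seen.items():
                    if t - other_t <= window:
                        alerts.append({"user": user, "session": sid, "known_client": other_fp,
                                       "new_client": fp, "at": t.isoformat()})
                        break
            last_seen[fp] = t
    return alerts


def sessions_to_revoke(alerts):
    """Sessions to invalidate so both the victim and whoever holds the copied
    cookie must sign in again (the forced re-authentication the article suggests)."""
    return sorted({(a["user"], a["session"]) for a in alerts})


if __name__ == "__main__":
    found = find_replayed_sessions(ACTIVITY)
    for a in found:
        print(f"{a['user']} session {a['session']}: {a['known_client']} then {a['new_client']} at {a['at']}")
    print("revoke:", sessions_to_revoke(found))
```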

Kurt’s key takeaway

Cybercriminals are evolving faster than many users and organizations can keep up. This phishing-as-a-service platform is not just a targeted attack tool. It is a scalable, commercial product designed to lower the barrier to cybercrime. The fact that attackers can target even single sign-on setups highlights a dangerous reality. Security layers that were once considered robust are now vulnerable without additional, proactive measures.

Do you believe enough is being done by service providers like Microsoft, Google, and Okta to prevent these kinds of sophisticated attacks? Let us know in the comments below.

Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.