Okta Uncovers VoidProxy: Advanced Phishing Service Bypassing MFA Protections

VoidProxy deploys advanced Adversary-in-the-Middle (AitM) techniques to intercept login sessions in real time.

SAN FRANCISCO, September 12, 2025 — A newly discovered phishing service is raising alarms across the cybersecurity industry after Okta Threat Intelligence revealed it can bypass common multi-factor authentication (MFA) defenses used to protect Microsoft and Google accounts.

The Phishing-as-a-Service (PhaaS) operation, dubbed VoidProxy, deploys advanced Adversary-in-the-Middle (AitM) techniques to intercept login sessions in real time. By capturing usernames, MFA codes, and session tokens, VoidProxy enables attackers to sidestep safeguards like SMS one-time passwords and authenticator apps.

“This… phishing infrastructure is fairly advanced both in terms of MFA bypass capabilities and the way in which it was concealed from analysis until now,” said Brett Winterford, VP of Okta Threat Intelligence. “It’s hosted on ephemeral infrastructure and utilizes multiple methods of evading analysis by threat researchers.”

Okta researchers say VoidProxy remained hidden by layering multiple anti-analysis measures, including compromised email accounts, dynamic DNS, Cloudflare CAPTCHAs, Cloudflare Workers, and multiple redirects.

The breakthrough came when Okta FastPass blocked a targeted user from logging in through the proxy, tipping off analysts to a broader campaign. “That signal helped us to scratch away at VoidProxy campaigns until we could get a full picture of this capability, including the admin panels used by threat actors that are paying for access to this service,” Winterford explained.

By commercialising such tools, VoidProxy lowers the technical barriers for cybercriminals. Compromised accounts can be exploited for business email compromise (BEC), fraud, data theft, and further intrusions into corporate networks.

“The best way to protect your users against threats like VoidProxy is to enroll [them] in phishing-resistant authenticators and to enforce phishing resistance in sign-on policies,” Winterford added.

Last month, Okta launched the Auth0 Customer Detection Catalog, an open-source toolkit designed to help security teams proactively detect and respond to emerging threats within their Auth0 environments.

During the same period, the identity and access management company acquired Axiom Security, a Tel Aviv-based startup offering a cloud-native, identity-centric Privileged Access Management (PAM) platform.