VoidProxy operates as a subscription-based service for cybercriminals, providing all the infrastructure required for phishing “in a box.”
For a small fee, attackers gain access to servers, domains, fake login pages (“phishlets”), and dashboards to manage stolen data.
The phishing kits capture usernames, passwords, and even one-time passcodes in real time – allowing criminals to bypass traditional multi-factor authentication and take over accounts.
With tens of millions of Microsoft 365 and Google Workspace users across Asia, the potential scale of exposure is significant.
Once compromised, accounts can be exploited to commit fraud, steal data, or disrupt critical business operations, leading to financial loss and reputational damage.
“Criminals don’t need to build the infrastructure required for phishing themselves; they just rent them for a small fee and start stealing passwords and security codes, “said Brett Winterford, VP of Threat Intelligence at Okta.
That lowers the bar so anyone can launch attacks that once required expert hackers,” Winterford said.
Okta has warned that cybercrime is increasingly shifting to an “as-a-service” model, enabling advanced phishing attacks to be launched at scale.
The company says traditional protections such as passwords, SMS codes, and app-based one-time passcodes are no longer sufficient to keep accounts secure.
Once compromised, accounts can be exploited for fraud, data theft, or to disrupt critical business operations — creating direct financial, operational, and reputational risks.
To counter the threat, Okta is urging businesses to strengthen their defences by adopting phishing-resistant authentication methods such as passkeys or its own Okta FastPass.
Okta also recommends that organisations closely monitor for abnormal login activity using adaptive risk detection tools, and that identity security be treated as financial infrastructure — a board-level priority rather than just an IT concern.
For consumers, Okta’s advice is to enable passkeys or phishing-resistant multi-factor authentication wherever available, and to respond quickly to any alerts of unusual account activity.
By taking these measures, both individuals and organisations can reduce the likelihood of falling victim to increasingly sophisticated phishing campaigns.
The Warning
- Cybercrime has shifted to an as-a-service model, making advanced attacks available to almost anyone.
- Traditional log-ins (passwords, SMS codes, and app-based one-time passcodes) can all be bypassed.
- Compromised accounts translate directly into financial loss, fraud, and brand damage.
What to Do Now
For businesses:
- Roll out phishing-resistant authentication such as passkeys or Okta FastPass.
- Monitor for abnormal login behaviour using adaptive risk tools.
- Treat identity as financial infrastructure – a board-level risk, not just an IT issue.
For consumers:
- Enable passkeys or phishing-resistant MFA if available.
- Act immediately if warned about unusual account activity.
About Okta
Okta is the leading independent identity provider, trusted by thousands of organisations worldwide to secure digital interactions.
With solutions that protect against identity-based threats, Okta helps businesses safeguard their most critical assets – their people and data.
