A previously undocumented phishing-as-a-service platform called VENOM has been targeting Microsoft credentials of C-suite executives across multiple industries since at least last November, according to a technical analysis from Abnormal.
KEY FACTS
- Targets: CEOs, CFOs and vice presidents at selected companies.
- Lure: Emails impersonate Microsoft SharePoint document-sharing alerts.
- Delivery: Victims are told to scan a QR code rendered in Unicode.
- Methods: The operation uses adversary-in-the-middle and device-code phishing.
- Defense: The report says MFA alone is not enough.
The campaign uses highly personalized messages with fake email threads, random HTML noise and other padding designed to make the messages look like internal communication. The QR code route is meant to bypass traditional scanning tools and move the attack to mobile devices.
After a victim scans the code, a filtering page checks whether the visitor is a security researcher or a sandboxed environment. Only targets of interest are sent onward, while other users are redirected to legitimate sites to lower suspicion.
Those who pass the checks are sent to a credential-harvesting page that proxies a Microsoft login flow in real time. The system relays credentials and multi-factor authentication codes to Microsoft APIs and captures session tokens.
Abnormal also observed a device-code phishing method in which victims are tricked into approving access for a rogue device. In both cases, the platform can quickly establish persistent access during authentication by registering a new device or obtaining a token.
The report says executives should use FIDO2 authentication, disable device-code flow when it is not needed and tighten conditional access policies to reduce token abuse.
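As an added illustration of the detection side of that advice (not code from Abnormal's report), the sketch below flags the two access paths described above in sign-in telemetry: device-code flow completions, and one session token reused from a second network address shortly after the first sign-in. The field names follow the Microsoft Graph signIn resource and the records are constructed sample data; treat both as assumptions to adapt to your own log schema.

```python
"""Added detection sketch: flag Entra ID sign-in records matching the two
VENOM access paths - device-code sign-ins and replayed session tokens.

Field names are modeled on the Microsoft Graph signIn resource
(createdDateTime, userPrincipalName, ipAddress, authenticationProtocol,
sessionId); the records below are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample sign-ins (assumed schema, not data from the report).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-10T09:00:00Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "sessionId": "s-1"},
    # Same session id, different network, four minutes later: AitM-style token replay.
    {"createdDateTime": "2025-01-10T09:04:00Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2", "sessionId": "s-1"},
    # Device-code flow completed for an executive account that never uses it.
    {"createdDateTime": "2025-01-10T10:30:00Z", "userPrincipalName": "ceo@example.com",
     "ipAddress": "192.0.2.44", "authenticationProtocol": "deviceCode", "sessionId": "s-2"},
    {"createdDateTime": "2025-01-10T11:00:00Z", "userPrincipalName": "vp@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "sessionId": "s-3"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_risky_signins(records, replay_window=timedelta(minutes=30)):
    """Return (reason, userPrincipalName, detail) tuples in time order."""
    alerts = []
    first_seen = {}  # (upn, sessionId) -> (timestamp, ip) of the first sign-in
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        upn, ip, ts = rec["userPrincipalName"], rec["ipAddress"], _ts(rec["createdDateTime"])
        # 1. Device-code flow: the approval path the report says to disable when unused.
        if rec.get("authenticationProtocol") == "deviceCode":
            alerts.append(("device_code_signin", upn, ip))
        # 2. One session token seen from two IPs inside the window: likely stolen token.
        key = (upn, rec["sessionId"])
        if key not in first_seen:
            first_seen[key] = (ts, ip)
            continue
        first_ts, first_ip = first_seen[key]
        if ip != first_ip and ts - first_ts <= replay_window:
            alerts.append(("session_token_replay", upn, f"{first_ip} -> {ip}"))
    return alerts


if __name__ == "__main__":
    for alert in flag_risky_signins(SAMPLE_SIGNINS):
        print(alert)
```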
WHY IT MATTERS
The campaign shows how phishing kits are evolving to defeat common login defenses and focus on high-value targets. For organizations, the findings underscore the limits of MFA alone when attackers can intercept tokens or abuse device-code approvals.