VENOM: Phishing-as-a-Service Targets Executives

A newly uncovered phishing-as-a-service (PhaaS) platform called VENOM is being used to steal Microsoft credentials from C-suite executives across industries. Researchers at Abnormal Security report that the operation has been active since late 2025 and is notable for its closed-access nature, avoiding exposure on public forums.

Attack Chain

  • Email lure: Impersonates a Microsoft SharePoint document-sharing notification, the kind of message an executive's mailbox already receives daily.
  • Personalization: Includes fake CSS classes and HTML comments, and injects fabricated email-thread history tailored to the target so the message reads as an existing conversation.
  • QR code trick: The QR code is rendered from Unicode characters rather than embedded as an image, so image-based QR scanners in mail security tools miss it; scanning it moves the victim onto a personal mobile device, outside corporate browser and proxy controls.
  • Obfuscation: The victim's email address is Base64-encoded twice and carried in the URL fragment (the part after `#`). Browsers never send the fragment to the server, so web-server logs, proxies and URL-reputation feeds record only the bare URL, while the phishing page can still read the address client-side.
  • Filtering: The landing page checks who has arrived and redirects anyone who is not the intended target to a legitimate site, so sandboxes, crawlers and researchers see nothing malicious.
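
The fragment trick above is easy to check when triaging a reported lure. The following is an added example, not code from the page or from the VENOM platform: it recovers the targeted address from a URL whose fragment is a double-Base64 string, and shows what a server or proxy actually receives (path and query only). The sample URL, hostname and fragment layout are constructed for the example; VENOM's real URL format is not shown on the page.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

# Loose check that a decoded string looks like an email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def double_b64(text: str) -> str:
    """Base64-encode text, then Base64-encode the result again (the layout the page describes)."""
    once = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return base64.b64encode(once.encode("ascii")).decode("ascii")


def _b64_decode(data: str) -> Optional[str]:
    """Decode one Base64 layer; tolerate stripped '=' padding; None if not valid Base64 or not UTF-8."""
    padded = data + "=" * (-len(data) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def recover_target(url: str) -> Optional[str]:
    """Return the email hidden in the URL fragment, or None if the fragment is not a double-Base64 address."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    inner = _b64_decode(fragment)
    if inner is None:
        return None
    email = _b64_decode(inner)
    if email is None or not EMAIL_RE.match(email):
        return None
    return email


def server_request_target(url: str) -> str:
    """The request-target a browser actually sends: path and query only.
    The fragment never leaves the client, which is why server logs, proxies and
    URL-reputation lookups do not record it."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


# Constructed sample lure URL (hostname, path and fragment layout are assumed for this example).
SAMPLE_URL = "https://docs-share.example.net/view?id=9f2c#" + double_b64("cfo@victim.example")

if __name__ == "__main__":
    print("server sees :", server_request_target(SAMPLE_URL))   # /view?id=9f2c
    print("target is   :", recover_target(SAMPLE_URL))          # cfo@victim.example
```

Because the fragment is the only place the address lives, a URL pulled from a proxy log will not contain it; you need the URL as it appeared in the email (or in the browser history of the device that opened it) to learn who was targeted.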

Credential Harvesting

  • AiTM method: The phishing site acts as an adversary-in-the-middle, proxying the real Microsoft login flow in real time. The victim's password and MFA code are relayed to Microsoft, and the session cookie and tokens Microsoft issues are captured, so the attacker ends up with an authenticated session without ever needing to defeat MFA.
  • Device code phishing: The victim is led to enter an attacker-generated code at Microsoft's device-login page and to complete sign-in there; Microsoft then issues tokens to the attacker's waiting client rather than to the victim. The resulting access is described as persistent and resistant to password resets.
  • Persistence: During the captured authentication VENOM registers a new device in the tenant or obtains long-lived tokens, so access outlives the initial session.
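
Both techniques leave traces in the Entra ID sign-in log. The block below is an added example, not from the page or from Abnormal Security: it runs two simple checks over sign-in records shaped like Microsoft Graph `signIn` objects. The first flags any successful sign-in whose `authenticationProtocol` is `deviceCode`; the second flags an executive account that is active from a new IP address within a short window of a previous sign-in, a coarse heuristic for a session cookie replayed from attacker infrastructure. The sample records, users, IPs and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample records in the shape of Microsoft Graph `signIn` objects (field names follow the
# Entra sign-in log schema; users, IPs and times are made up for this example).
SAMPLE_SIGN_INS: List[Dict] = [
    {"createdDateTime": "2026-01-12T09:02:11Z", "userPrincipalName": "cfo@victim.example",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    # Same account active from a different network four minutes later: the stolen-session (AiTM) pattern.
    {"createdDateTime": "2026-01-12T09:06:40Z", "userPrincipalName": "cfo@victim.example",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "oAuth2", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    # A device code sign-in: worth an alert on its own in a tenant where the flow should be blocked.
    {"createdDateTime": "2026-01-12T09:15:02Z", "userPrincipalName": "ceo@victim.example",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
    # Failed attempt (50126: bad username or password): ignored by both checks.
    {"createdDateTime": "2026-01-12T09:16:30Z", "userPrincipalName": "ceo@victim.example",
     "ipAddress": "198.51.100.78", "authenticationProtocol": "oAuth2", "clientAppUsed": "Browser",
     "status": {"errorCode": 50126}},
    # Ordinary user, single location: no alert.
    {"createdDateTime": "2026-01-12T09:20:00Z", "userPrincipalName": "dev@victim.example",
     "ipAddress": "203.0.113.44", "authenticationProtocol": "oAuth2", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
]

# Watch list of high-value accounts (assumed for the example).
EXECUTIVES: Set[str] = {"ceo@victim.example", "cfo@victim.example"}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sign_ins(records: List[Dict], executives: Set[str],
                             window_minutes: int = 10) -> List[Tuple[str, str, str]]:
    """Two checks over successful sign-ins:
    1. any sign-in whose authenticationProtocol is deviceCode;
    2. for watch-listed executives, a successful sign-in from a new IP within `window_minutes`
       of an earlier one (coarse heuristic for a replayed session; tune the window for VPN/mobile users).
    Returns (alert_name, userPrincipalName, ipAddress) tuples in time order."""
    window = timedelta(minutes=window_minutes)
    alerts: List[Tuple[str, str, str]] = []
    seen: Dict[str, List[Dict]] = {}
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        if rec["status"]["errorCode"] != 0:
            continue  # failures are noise for both checks
        upn, ip = rec["userPrincipalName"], rec["ipAddress"]
        if rec["authenticationProtocol"] == "deviceCode":
            alerts.append(("device_code_signin", upn, ip))
        if upn in executives:
            for prev in seen.get(upn, []):
                if prev["ipAddress"] != ip and _ts(rec["createdDateTime"]) - _ts(prev["createdDateTime"]) <= window:
                    alerts.append(("session_from_new_ip", upn, ip))
                    break
        seen.setdefault(upn, []).append(rec)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sign_ins(SAMPLE_SIGN_INS, EXECUTIVES):
        print(*alert)
```

The second check is deliberately crude: it will fire on executives who switch between office Wi-Fi and a phone hotspot, so in practice you would enrich with ASN or geolocation and correlate with the interactive sign-in that preceded the suspicious one. A new device registration for the same account in the audit log is the other signal worth joining here.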

Why It Matters

  • Target audience: CEOs, CFOs, VPs — individuals with high-value access.
  • MFA bypass: Shows that phishable MFA (push approvals, SMS and app-generated codes) is insufficient on its own: AiTM relays the code in real time, and device code phishing has the victim complete MFA on the genuine Microsoft page while the tokens go to the attacker.
  • Closed ecosystem: VENOM’s limited distribution makes it harder for researchers to track and disrupt.

Defensive Guidance

  • Adopt FIDO2 authentication: Security keys and passkeys bind the credential to the legitimate origin, so a proxy site cannot complete the sign-in ceremony. Roll phishing-resistant methods (FIDO2, Windows Hello for Business, certificate-based authentication) out to executives and their assistants first.
  • Disable device code flow: In Entra ID, block it with a Conditional Access policy using the authentication flows condition unless a specific application genuinely needs it (typically headless or input-constrained devices), and alert on any device code sign-in that still occurs.
  • Conditional access policies: Require compliant or managed devices and phishing-resistant MFA for executive and privileged accounts, restrict where their sign-ins may originate, and use the session controls available to you (continuous access evaluation, token protection where clients support it) to limit replay of a stolen session.
  • Executive awareness: Brief senior leaders and their assistants on this specific lure (a SharePoint share notification, a QR code to scan on a phone, a request to type a code into a Microsoft login page) and give them a fast, low-friction way to report it.
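
The two Conditional Access policies above, expressed as Microsoft Graph `conditionalAccessPolicy` request bodies, plus a check that distinguishes an enforced device-code block from the report-only version that logs but stops nothing. This is an added example, not configuration from the page or from Microsoft: the property names follow the Graph Conditional Access schema (confirm against the current Graph reference before use), the group IDs are placeholders, and the phishing-resistant authentication strength ID is the built-in one as I know it (verify it in your tenant under Authentication strengths).

```python
import json
from typing import Dict

# Built-in "Phishing-resistant MFA" authentication strength in Entra ID (assumed; verify in your tenant).
PHISHING_RESISTANT_MFA_ID = "00000000-0000-0000-0000-000000000004"

# Placeholders: replace with your tenant's group object IDs.
EXEC_GROUP_ID = "<executives-group-object-id>"
BREAK_GLASS_GROUP_ID = "<break-glass-group-object-id>"


def block_device_code_policy(state: str = "enabled") -> Dict:
    """Policy body that blocks the OAuth device code flow for all users and apps, excluding break-glass accounts.
    `state` is 'enabled' or 'enabledForReportingButNotEnforced' (report-only)."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # transferMethods is a comma-separated flags string in Graph.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def exec_phishing_resistant_policy() -> Dict:
    """Policy body requiring a phishing-resistant method (FIDO2 key, passkey, WHfB, certificate)
    for the executive group on every application."""
    return {
        "displayName": "Executives: phishing-resistant MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [EXEC_GROUP_ID], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_ID}},
    }


def blocks_device_code_flow(policy: Dict) -> bool:
    """True only if the policy would actually stop device code sign-ins tenant-wide:
    enforced (not report-only), all users and apps in scope, keyed on deviceCodeFlow, and a block grant."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    methods = cond.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        return False
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        return False
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


if __name__ == "__main__":
    # Report-only is the common weak setting: it records what would have happened and blocks nothing.
    for pol in (block_device_code_policy("enabledForReportingButNotEnforced"), block_device_code_policy()):
        print(pol["state"], "->", "blocks device code" if blocks_device_code_flow(pol) else "does NOT block")
    print(json.dumps(exec_phishing_resistant_policy(), indent=2))
```

Each body is what you would POST to the Conditional Access policies endpoint (`/identity/conditionalAccess/policies`) with an app that holds `Policy.ReadWrite.ConditionalAccess`; create the device-code policy in report-only mode first, review the sign-in log for legitimate device-code clients, then flip `state` to `enabled`.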

Final Thought

VENOM illustrates the professionalization of phishing: closed-access platforms, advanced obfuscation, and MFA bypass techniques aimed squarely at executives. For organizations, this is a reminder that identity protection must evolve beyond passwords and MFA, embracing stronger authentication and continuous monitoring.
