New Phishing-as-a-Service Platform "VENOM" Targets C-Suite Executives
A previously undocumented phishing-as-a-service (PhaaS) platform, dubbed VENOM, has been actively targeting high-level executives including CEOs, CFOs, and VPs across multiple industries since at least November 2023. The operation, uncovered by researchers at Abnormal, remains closed-access: it is not promoted publicly on underground forums, which limits security teams' visibility into it.
VENOM’s attack chain begins with highly personalized phishing emails impersonating Microsoft SharePoint document-sharing notifications. These messages include fabricated email threads, HTML noise, and QR codes rendered from Unicode block characters rather than embedded as images, all intended to evade detection. The QR codes, designed to move the attack onto the victim's mobile device, carry the target's email address double Base64-encoded in the URL fragment; because browsers never transmit the fragment to the server, the address does not appear in server-side logs and is not available to reputation-based blocking that inspects what is sent on the wire.
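The fragment trick is easy to reason about once it is written down. The following Python is an added illustration, not VENOM's code and not Abnormal's tooling: it reproduces the encoding described above on a constructed address, shows the request target a phishing host (or any proxy or scanner in between) would actually receive, shows what client-side script on the landing page can recover from the fragment, and ends with a small detector that flags URLs whose fragment double-decodes to an email address. The hostnames and addresses are made up for the example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def encode_target(email: str) -> str:
    """Attacker side, as described in the article: Base64 applied twice to the target address."""
    once = base64.b64encode(email.encode("utf-8")).decode("ascii")
    return base64.b64encode(once.encode("ascii")).decode("ascii")


def server_visible_request(url: str) -> str:
    """The request-target a server (or proxy/log in between) sees for this URL.

    The part after '#' is a client-side fragment (RFC 3986 section 3.5) and is
    never sent on the wire, so it is absent from server logs by construction.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def _b64_decode_lenient(s: str) -> bytes:
    # Accept URL-safe alphabet and missing padding, reject anything else.
    s = s.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def recover_target_from_fragment(url: str) -> Optional[str]:
    """What JavaScript on the landing page can recover from location.hash.

    Returns the decoded address only if the fragment double-decodes cleanly to
    something that looks like an email; any other fragment yields None.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    try:
        inner = _b64_decode_lenient(fragment).decode("ascii")
        email = _b64_decode_lenient(inner).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return email if EMAIL_RE.match(email) else None


def flag_suspicious_urls(urls: List[str]) -> List[Tuple[str, str]]:
    """Detection pass: (url, recovered_email) for each URL hiding a double-encoded address."""
    hits = []
    for url in urls:
        email = recover_target_from_fragment(url)
        if email:
            hits.append((url, email))
    return hits


if __name__ == "__main__":
    # Constructed sample, not a real VENOM URL.
    lure = "https://share.example.test/s/doc?id=42#" + encode_target("cfo@example.com")
    print("on the wire:", server_visible_request(lure))
    print("in the browser:", recover_target_from_fragment(lure))
    print("flagged:", flag_suspicious_urls([lure, "https://share.example.test/s/doc#section-2"]))
```

The detector is only useful where the full URL is available client-side (a browser extension, a mobile MDM URL handler, or a QR-decoding step in the mail pipeline); a gateway that logs request lines will never see the fragment, which is the point of the technique.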
When scanned, the QR code directs victims to a filtering landing page that screens out security researchers and sandboxed environments. Legitimate targets are then redirected to a credential-harvesting page that proxies Microsoft’s login flow in real time, capturing credentials, multi-factor authentication (MFA) codes, and the resulting session tokens via an adversary-in-the-middle (AiTM) technique, so the attacker ends up with an authenticated session rather than just a password.
VENOM also employs device-code phishing, tricking victims into approving access for an attacker-controlled device: the victim enters a short code on Microsoft's genuine device-login page, and the approval lands on the attacker's pending session. The method is gaining popularity because the access it grants resists password resets. At least 11 phishing kits now offer this option. In both attack flows, VENOM establishes persistent access by registering a new device or holding onto the issued tokens, sidestepping traditional MFA protections.
Researchers emphasize that while MFA remains critical, it is not sufficient on its own: phishing-resistant FIDO2 authentication, disabling the device-code flow wherever it is not needed, and stricter conditional access policies are necessary to mitigate such threats.
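To show why the device-code flow in the two preceding paragraphs is phishable and why simply disabling it is an effective control, here is an added Python example. It is not Microsoft's implementation and not VENOM's kit: it is a toy RFC 8628 device-authorization server with the three messages of the flow, a walk-through from the attacker's side, and a tenant-level switch (`allow_device_code`) standing in for a policy that blocks the flow. The verification URI, client ID, scope and victim address are all constructed for the example.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Stand-in for the vendor's real device-login page; chosen for the example.
VERIFICATION_URI = "https://login.example.test/devicelogin"


@dataclass
class PendingAuth:
    client_id: str
    scope: str
    user_code: str
    approved_by: Optional[str] = None  # set once a user types the code and passes sign-in + MFA


class MockAuthServer:
    """Toy RFC 8628 device-authorization server (constructed for this example).

    `allow_device_code` plays the role of a tenant policy (for instance a
    conditional access rule) that refuses to start the flow at all.
    """

    def __init__(self, allow_device_code: bool = True):
        self.allow_device_code = allow_device_code
        self.pending = {}       # device_code -> PendingAuth
        self.by_user_code = {}  # user_code -> device_code
        self.issued = []        # (subject, client_id, scope, refresh_token)

    def device_authorization(self, client_id: str, scope: str) -> dict:
        # Step 1: any public client can start the flow. No user, no secret, no consent yet.
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingAuth(client_id, scope, user_code)
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def user_login(self, user_code: str, subject: str, mfa_passed: bool) -> bool:
        # Step 2: the user types the short code on the genuine login page and completes sign-in
        # and MFA there. Nothing in this step reveals which client will receive the tokens.
        device_code = self.by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        self.pending[device_code].approved_by = subject
        return True

    def token(self, device_code: str) -> dict:
        # Step 3: whoever holds device_code polls the token endpoint. After approval the tokens
        # are minted for that holder, which in the phishing case is the attacker.
        req = self.pending.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req.approved_by is None:
            return {"error": "authorization_pending"}
        refresh_token = secrets.token_urlsafe(32)
        self.issued.append((req.approved_by, req.client_id, req.scope, refresh_token))
        del self.pending[device_code]
        del self.by_user_code[req.user_code]
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(32),
                "refresh_token": refresh_token, "scope": req.scope, "sub": req.approved_by}


def device_code_phish(server: MockAuthServer, victim: str) -> dict:
    """Run the three steps from the attacker's side; returns the final token response or error."""
    start = server.device_authorization(client_id="attacker-chosen-public-client",
                                        scope="openid offline_access Mail.Read")
    if "error" in start:
        return start  # flow disabled by policy: there is nothing to build a lure from
    # The lure carries only the vendor's real URL plus a short code: no attacker domain for a URL filter.
    lure = f"Your document is ready. Open {start['verification_uri']} and enter code {start['user_code']}."
    assert server.token(start["device_code"]) == {"error": "authorization_pending"}  # before the victim acts
    server.user_login(start["user_code"], subject=victim, mfa_passed=True)          # victim follows the lure
    result = server.token(start["device_code"])  # the attacker's next poll returns the victim's tokens
    result["lure"] = lure
    return result


if __name__ == "__main__":
    print(device_code_phish(MockAuthServer(), "cfo@example.com"))
    print(device_code_phish(MockAuthServer(allow_device_code=False), "cfo@example.com"))
```

Two things to read off the run: the victim passed MFA at the real login page, and the refresh token still ends up in the attacker's hands, which is why the article says MFA alone is insufficient; and the only place the attack can be cut off before the victim is involved is step 1, which is what disabling the flow for clients that do not need it (in Entra ID, a conditional access policy on the device code authentication flow) achieves.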
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
"id": "MIC1775773455",
"linkid": "microsoft-security-response-center",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Multiple industries'],
'type': 'C-Suite Executives (CEOs, CFOs, VPs)'}],
'attack_vector': ['Phishing emails',
'QR codes',
'Adversary-in-the-Middle (AiTM)',
'Device-code phishing'],
'data_breach': {'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'MFA codes',
'Session tokens']},
'date_detected': '2023-11-01',
'description': 'A previously undocumented phishing-as-a-service (PhaaS) '
'platform, dubbed VENOM, has been actively targeting '
'high-level executives including CEOs, CFOs, and VPs across '
'multiple industries since at least November 2023. The '
'operation employs highly personalized phishing emails '
'impersonating Microsoft SharePoint document-sharing '
'notifications, using fake email threads, HTML noise, and '
'Unicode-rendered QR codes to evade detection. The QR codes '
'direct victims to a credential-harvesting page that proxies '
'Microsoft’s login flow in real time, capturing credentials, '
'MFA codes, and session tokens via an adversary-in-the-middle '
'(AiTM) technique. VENOM also uses device-code phishing to '
'establish persistent access.',
'impact': {'data_compromised': ['Credentials', 'MFA codes', 'Session tokens'],
'identity_theft_risk': 'High',
'operational_impact': 'Persistent unauthorized access to corporate '
'systems',
'systems_affected': ['Microsoft SharePoint',
'Microsoft login flows']},
'initial_access_broker': {'backdoors_established': ['Persistent access via '
'device registration or '
'tokens'],
'entry_point': ['Phishing emails', 'QR codes'],
'high_value_targets': ['C-Suite Executives (CEOs, '
'CFOs, VPs)']},
'investigation_status': 'Ongoing',
'lessons_learned': 'MFA alone is insufficient; FIDO2 authentication, '
'disabling unused device-code flows, and stricter '
'conditional access policies are necessary to mitigate '
'such threats.',
'motivation': 'Financial gain, credential theft, persistent access',
'post_incident_analysis': {'corrective_actions': ['Implement FIDO2 '
'authentication',
'Disable unused device-code '
'flows',
'Enforce stricter '
'conditional access '
'policies'],
'root_causes': ['Lack of FIDO2 authentication',
'Enabled device-code flows',
'Insufficient phishing detection '
'for QR codes and AiTM attacks']},
'recommendations': ['Implement FIDO2 authentication',
'Disable unused device-code flows',
'Enforce stricter conditional access policies',
'Enhance phishing detection for QR codes and AiTM '
'attacks'],
'references': [{'source': 'Abnormal'}],
'response': {'third_party_assistance': 'Abnormal (security researchers)'},
'threat_actor': 'VENOM (Phishing-as-a-Service platform)',
'title': "New Phishing-as-a-Service Platform 'VENOM' Targets C-Suite "
'Executives',
'type': 'Phishing-as-a-Service (PhaaS)',
'vulnerability_exploited': ['MFA bypass',
'Session token hijacking',
'Credential harvesting']}