New VENOM phishing attacks steal senior executives' Microsoft logins

Summary

Threat actors operating a previously undocumented phishing-as-a-service platform called VENOM have been targeting senior executives (CEOs, CFOs, VPs) across multiple industries since November 2025. The campaign uses highly personalized phishing emails impersonating Microsoft SharePoint, Unicode-rendered QR codes to bypass scanning tools, and employs adversary-in-the-middle (AiTM) and device-code phishing tactics to bypass MFA and establish persistent account access. Researchers at Abnormal Security note that the closed-access platform avoids public exposure and uses sophisticated techniques like Base64-encoded email addresses in URL fragments to evade server-side logging and reputation feeds.

Full text

New VENOM phishing attacks steal senior executives' Microsoft logins By Bill Toulas April 9, 2026 05:37 PM 0 Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called “VENOM” are targeting credentials of C-suite executives across multiple industries. The operation has been active since at least last November and appears to target specific individuals who serve as CEOs, CFOs, or VPs at their companies. VENOM also seems to be closed access, as it has not been promoted on public channels and underground forums, thus reducing its exposure to researchers. The VENOM attack chain The phishing emails, observed by researchers at cybersecurity company Abnormal, impersonated Microsoft SharePoint document-sharing notifications as part of internal communication. The messages are highly personalized and include random HTML noise such as fake CSS classes and comments. The attacker also injects fake email threads tailored to the target, increasing credibility. A QR code rendered in Unicode is provided for the victim to scan for access. The trick is designed to bypass scanning tools and shift the attack to mobile devices. Sample of a phishing emailSource: Abnormal “The target's email address is double Base64-encoded in the URL fragment—the portion after the # character,” Abnormal researchers explain. “Fragments are never transmitted in HTTP requests, making the target's email invisible to server-side logs and URL reputation feeds.” When the victim scans the QR code, they are taken to a landing page that serves as a filter for security researchers and sandboxed environments, ensuring that only real targets are redirected to the phishing platform. Users outside the threat actor's interest are redirected to legitimate websites to reduce suspicion. Those who pass the tests are taken to a credential-harvesting page that proxies a Microsoft login flow in real time, relaying credentials and multi-factor authentication (MFA) codes to Microsoft APIs and capturing the session token. VENOM's AiTM methodSource: Abnormal Apart from the adversary-in-the-middle (AiTM) method, Abnormal has also observed a device-code phishing tactic in which the victim is tricked into approving access to their Microsoft account for a rogue device. The device code attack methodSource: Abnormal This method has become very popular over the past year due to its effectiveness and resistance to password resets, with at least 11 phishing kits currently offering it as an option. In both methods, VENOM quickly establishes persistent access during the authentication process. In the AiTM flow, it registers a new device on the victim’s account. In the device code flow, it obtains a token that also provides access to the account. The researchers note that MFA is no longer sufficient as a defense. C-suite executives should use FIDO2 authentication, disable the device code flow when not needed, and block token abuse by implementing stricter conditional access policies. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Device code phishing attacks surge 37x as new kits spread onlineNew EvilTokens service fuels Microsoft device code phishing attacksTycoon2FA phishing platform returns after recent police disruptionEuropol-coordinated action disrupts Tycoon2FA phishing platformPhishing campaign targets freight and logistics orgs in the US, Europe

Indicators of Compromise

• malware — VENOM
• malware — device-code phishing

Entities