Full Report
Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]
Analysis Summary
# Incident Report: VENOM Phishing Campaign Targeting C-Suite Executives
## Executive Summary
A sophisticated Phishing-as-a-Service (PhaaS) platform identified as "VENOM" has been targeting high-level executives (CEOs, CFOs, VPs) to steal Microsoft credentials and session tokens. By proxying the genuine Microsoft login flow (Adversary-in-the-Middle, AiTM) and by abusing the OAuth device-code flow, the attackers obtain authenticated sessions after the victim has already completed multi-factor authentication (MFA), so conventional MFA does not prevent the takeover, and they then establish persistent access. The campaign is highly targeted, steers victims onto their mobile devices via QR codes (where corporate mail and web filtering is typically weaker), and uses evasion techniques designed to keep the lures out of view of traditional security scanners.
## Incident Details
- **Discovery Date:** April 9, 2026 (Public Reporting)
- **Incident Date:** Active since at least November 2025
- **Affected Organization:** Multiple undisclosed organizations
- **Sector:** Multi-industry (Cross-sector)
- **Geography:** Global / Targeted Individual focus
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since Nov 2025
- **Vector:** Phishing via impersonated Microsoft SharePoint notifications.
- **Details:** Attackers send personalized emails whose QR codes are rendered with Unicode characters rather than embedded as images, so image-based QR detection misses them. The recipient's email address is double Base64-encoded into the URL fragment (the part after `#`); browsers never send the fragment in the HTTP request, so it appears in neither server-side logs nor URL reputation feeds, and the landing page reads it client-side.
### Lateral Movement
- **Details:** Once the session token or device code is acquired, attackers register their own "rogue" devices or use the captured tokens to access corporate resources, acting as the authenticated executive.
### Data Exfiltration/Impact
- **Details:** Theft of Microsoft account credentials and session tokens. Real-time interception of multi-factor authentication (MFA) codes allows for account takeover and persistence within the Microsoft 365 environment.
### Detection & Response
- **How it was discovered:** Identified by researchers at Abnormal Security through behavioral analysis of PhaaS infrastructure.
- **Response actions taken:** Analysis of the VENOM attack chain; notification of the security community regarding AiTM and device-code phishing trends.
## Attack Methodology
- **Initial Access:** Spear-phishing via SharePoint lures and Unicode QR codes.
- **Persistence:** Registration of rogue devices on the victim’s account or acquisition of long-lived tokens via device-code flow.
- **Privilege Escalation:** None required; the targeted C-suite accounts already carry broad access to executive mail and SharePoint content.
- **Defense Evasion:** Encoded target identity carried in the URL fragment (`#`), which the browser never transmits to servers or proxies; HTML noise and fake CSS to confuse scanners; and "filter" landing pages that redirect security researchers and sandboxes to legitimate sites.
- **Credential Access:** AiTM (Adversary-in-the-Middle) proxying of Microsoft login flows and device-code phishing.
- **Discovery:** Selection of high-value targets (CEOs, CFOs) through reconnaissance.
- **Lateral Movement:** Utilizing authenticated sessions to access internal SharePoint/Email data.
- **Collection:** Interception of MFA codes and session tokens in real time.
- **Exfiltration:** Transfer of harvested credentials to the private VENOM PhaaS backend.
- **Impact:** Complete account takeover and unauthorized access to sensitive executive communications.
## Impact Assessment
- **Financial:** High potential loss due to Executive Business Email Compromise (BEC) and wire fraud.
- **Data Breach:** Compromise of sensitive executive-level emails and corporate SharePoint documents.
- **Operational:** High; unauthorized device registration permits persistent backdoors.
- **Reputational:** High; compromise of organizational leadership.
## Indicators of Compromise
- **Network Indicators:** Email links whose URL fragment carries double Base64-encoded data (e.g., `hxxps[:]//example[.]com/page#<encoded_data>`). The fragment is visible in the message body and at the mail gateway, but not in web-proxy or destination-server logs, so hunt for it in mail telemetry rather than in proxy telemetry.
- **Behavioral Indicators:**
- Unexpected Microsoft device registrations from unfamiliar locations.
- Phishing links whose decoded fragment contains the recipient's own address or other identifying information.
- Sign-ins using the device code flow (recorded as such in the Entra ID sign-in logs) by users who do not normally use that flow, especially from mobile devices.
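The fragment-encoding trick described under Initial Access and Defense Evasion, and the network indicator listed above, can be hunted for where the fragment is still visible: in the message body. The following is an added example, not code from the report or from the VENOM kit, that extracts links from a message body, peels the Base64 layers off each fragment, checks whether the result is the recipient's address, and shows what a proxy or the destination server would actually have seen. The sample email, hostnames and addresses are constructed, and the function names are this example's own.

```python
"""Detect phishing links that smuggle the recipient's identity in the URL fragment.

Added example, not code from the original report or from the VENOM kit. The
email body, hostnames and addresses below are constructed; the encoding scheme
(target address double Base64-encoded into the fragment) follows the report.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def double_b64_encode(text: str) -> str:
    """Apply Base64 twice, as the report describes the kit doing to the target address."""
    once = base64.b64encode(text.encode()).decode()
    return base64.b64encode(once.encode()).decode()


def try_b64_decode(data: str) -> Optional[bytes]:
    """Strictly decode standard or URL-safe Base64, tolerating stripped padding."""
    padded = data + "=" * (-len(data) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def peel_fragment(fragment: str, max_layers: int = 3) -> Optional[str]:
    """Decode the fragment layer by layer; return the first layer that is an email address."""
    current = fragment
    for _ in range(max_layers):
        raw = try_b64_decode(current)
        if raw is None:
            return None
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
        if EMAIL_RE.match(current):
            return current
    return None


def scan_links(body: str, recipient: str) -> list:
    """Flag every link whose fragment decodes to an email address.

    `server_visible` is the URL as a proxy or the destination server actually sees it:
    the browser drops everything from `#` onward before sending the request.
    """
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        if not parts.fragment:
            continue
        identity = peel_fragment(parts.fragment)
        if identity is None:
            continue
        findings.append({
            "url": url,
            "host": parts.hostname,
            "decoded_identity": identity,
            "matches_recipient": identity.lower() == recipient.lower(),
            "server_visible": parts._replace(fragment="").geturl(),
        })
    return findings


# Constructed sample: one SharePoint-style lure carrying the recipient, one benign link.
TARGET = "cfo@example.com"
SAMPLE_EMAIL = f"""
<p>A document was shared with you on SharePoint.</p>
<a href="https://docs.example-share.test/review#{double_b64_encode(TARGET)}">Open document</a>
<a href="https://www.microsoft.com/en-us/microsoft-365#features">Learn more</a>
"""

if __name__ == "__main__":
    for f in scan_links(SAMPLE_EMAIL, TARGET):
        print(f"{f['host']}: fragment decodes to {f['decoded_identity']} "
              f"(recipient match: {f['matches_recipient']}); "
              f"proxy/server see only {f['server_visible']}")
```

Run against the constructed message, only the lure is flagged: its fragment decodes, after two layers, to the recipient's address, while `server_visible` is the bare `/review` URL that is all a proxy log would ever record. Strict decoding (`validate=True`) keeps ordinary fragments such as `#features` from producing false positives.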
## Response Actions
- **Containment:** Reset the password of each identified compromised executive account, then revoke all active sessions and refresh tokens; revoking sessions alone lets the attacker sign back in with the stolen password.
- **Eradication:** Remove the "rogue" devices registered during the incident from the Microsoft Entra ID (Azure AD) portal, and review the account's registered authentication methods for any added during the same period.
- **Recovery:** Mandate re-enrollment of MFA using phishing-resistant hardware security keys (FIDO2) and confirm that no unexpected sign-ins follow.
## Lessons Learned
- **Key Takeaways:** Standard MFA (SMS, TOTP, push) is no longer a "silver bullet" against AiTM kits like VENOM: the proxy relays the entire login, MFA step included, and captures the resulting session cookie, while device-code phishing has the victim approve the attacker's sign-in at a genuine Microsoft page.
- **Visibility Gaps:** URL reputation feeds and server logs never receive the URL fragment (`#`), which the browser strips before sending the request; only the email body and the client-side page contain it, creating a blind spot for security teams that rely on proxy or server telemetry.
## Recommendations
- **Authentication:** Implement FIDO2-compliant hardware security keys (e.g., YubiKeys) for all C-suite executives. A FIDO2 credential is bound to the legitimate origin, so an AiTM proxy on a lookalike domain cannot complete the authentication. Note that FIDO2 alone does not stop device-code phishing, because the victim authenticates at a genuine Microsoft page; pair it with blocking the device code flow.
- **Policy:** Implement "Conditional Access" policies that require "Compliant" or "Company-managed" devices for sensitive logins; a token replayed from attacker infrastructure carries no compliant-device claim and is refused.
- **Configuration:** Block the Microsoft device code flow for users who do not require it for specific administrative or input-constrained-device tasks (Conditional Access provides an authentication-flows condition for this), and monitor the remaining exceptions.
- **Education:** Specifically train high-value targets on the dangers of scanning QR codes in emails (Quishing) and of typing a device code that arrived by email or message into a Microsoft sign-in page.
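The two behavioral indicators listed earlier (device-code sign-ins by users who have no need for that flow, and device registrations from unfamiliar locations) and the recommendation to block the device code flow for everyone but a small exception list come together in a hunting query. The following is an added example, not code from the report or from Microsoft: all records are constructed, the field names approximate the Entra ID sign-in and audit log schema and are an assumption of this example, and the allowlist, IP addresses and function names are placeholders chosen here.

```python
"""Hunt Entra ID sign-in and audit records for two behavioural indicators from the report:
device-code sign-ins by users with no business need for that flow, and device registrations
from a country absent from the user's recent sign-in history.

Added example, not from the original report. All records are constructed; the field names
approximate the Entra ID sign-in and audit log schema (an assumption of this example), and
the allowlist and IP addresses are placeholders.
"""
from datetime import datetime, timedelta

# Assumed: the only identities with a legitimate need for the device code flow.
DEVICE_CODE_ALLOWLIST = {"svc-kiosk@example.com"}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signin(upn, ts, ip, country, protocol="authorizationCodeFlow", error_code=0):
    """Constructed sign-in record shaped like an Entra ID sign-in log entry."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "authenticationProtocol": protocol, "status": {"errorCode": error_code}}


def register_device(upn, ts, ip):
    """Constructed audit record for the 'Register device' activity."""
    return {"activityDateTime": ts, "activityDisplayName": "Register device",
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}}}


def flag_device_code_signins(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Device-code sign-ins by anyone outside the allowlist of approved exceptions."""
    allowed = {u.lower() for u in allowlist}
    return [s for s in signins
            if s.get("authenticationProtocol") == "deviceCode"
            and s["userPrincipalName"].lower() not in allowed]


def baseline_countries(signins, upn, before, days=30):
    """Countries the user signed in from successfully during the `days` before `before`."""
    start = before - timedelta(days=days)
    return {s["location"]["countryOrRegion"] for s in signins
            if s["userPrincipalName"].lower() == upn.lower()
            and s["status"]["errorCode"] == 0
            and start <= parse_ts(s["createdDateTime"]) < before}


def flag_device_registrations(audits, signins, days=30, window=timedelta(hours=1)):
    """Device registrations whose country is missing from the user's sign-in baseline.

    The audit record carries only an IP, so the registration's country is taken from the
    user's own sign-ins at that IP within `window`; with none, it is flagged as
    unattributable. The baseline ends one window before the registration so the
    attacker's own sign-in cannot whitelist itself.
    """
    findings = []
    for a in audits:
        if a.get("activityDisplayName") != "Register device":
            continue
        actor = a["initiatedBy"]["user"]
        upn, ip = actor["userPrincipalName"], actor.get("ipAddress")
        when = parse_ts(a["activityDateTime"])
        nearby = {s["location"]["countryOrRegion"] for s in signins
                  if s["userPrincipalName"].lower() == upn.lower() and s["ipAddress"] == ip
                  and abs(parse_ts(s["createdDateTime"]) - when) <= window}
        baseline = baseline_countries(signins, upn, before=when - window, days=days)
        if not nearby or nearby - baseline:
            findings.append({"user": upn, "ip": ip, "registered_at": a["activityDateTime"],
                             "registration_countries": sorted(nearby),
                             "baseline_countries": sorted(baseline)})
    return findings


# Constructed telemetry: a CFO's routine US sign-ins, then a device-code sign-in and a device
# registration from an unfamiliar IP/country; a kiosk account that legitimately uses device
# code; a CEO whose registration comes from the usual location.
SIGNINS = [
    signin("cfo@example.com", "2026-03-02T09:00:00Z", "203.0.113.10", "US"),
    signin("cfo@example.com", "2026-03-10T09:05:00Z", "203.0.113.10", "US"),
    signin("cfo@example.com", "2026-03-18T08:55:00Z", "203.0.113.10", "US"),
    signin("cfo@example.com", "2026-03-21T08:15:00Z", "198.51.100.77", "NL", protocol="deviceCode"),
    signin("svc-kiosk@example.com", "2026-03-21T07:00:00Z", "203.0.113.22", "US", protocol="deviceCode"),
    signin("ceo@example.com", "2026-03-01T10:00:00Z", "203.0.113.10", "US"),
    signin("ceo@example.com", "2026-03-15T09:55:00Z", "203.0.113.10", "US"),
]
AUDITS = [
    register_device("cfo@example.com", "2026-03-21T08:20:00Z", "198.51.100.77"),
    register_device("ceo@example.com", "2026-03-15T10:00:00Z", "203.0.113.10"),
]

if __name__ == "__main__":
    for s in flag_device_code_signins(SIGNINS):
        print("device-code sign-in outside allowlist:", s["userPrincipalName"], s["ipAddress"])
    for f in flag_device_registrations(AUDITS, SIGNINS):
        print("device registered from unfamiliar location:", f)
```

On the constructed data only the CFO is flagged, twice: once for the device-code sign-in (the kiosk account is on the allowlist) and once for the registration from the Netherlands against a 30-day baseline of United States sign-ins. The CEO's registration is not flagged because the same IP already appears in that account's baseline. In production the same logic maps onto a sign-in log query by authentication protocol joined to the audit log's device registration events.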