
VENOM PhaaS Platform Targets C-Suite Executives' Microsoft Credentials

April 10, 2026 18:25 · 4 min read

A Closed-Access Phishing Platform Emerges

Security researchers at Abnormal have identified a previously undocumented phishing-as-a-service (PhaaS) platform, dubbed VENOM, that has been actively targeting the Microsoft account credentials of senior corporate executives. The operation has been running since at least November 2025 and focuses specifically on individuals holding C-suite roles — including CEOs, CFOs, and Vice Presidents — across a range of industries.

What makes VENOM particularly notable is its apparent closed-access model. Unlike many PhaaS offerings that are openly advertised on underground forums and dark web marketplaces, VENOM has not been promoted on any public channels. This deliberate low profile limits exposure to security researchers while still allowing threat actors using the platform to conduct highly targeted campaigns.

How the VENOM Attack Chain Works

The campaign begins with phishing emails carefully crafted to impersonate Microsoft SharePoint document-sharing notifications, mimicking the kind of internal communications that executives routinely receive. These messages are highly personalized to each target and contain random HTML noise — including fake CSS classes and comment strings — designed to confuse automated email analysis tools.

The attacker also injects fabricated email thread histories that appear tailored to the specific target, lending the messages an air of authenticity. Rather than embedding a traditional hyperlink, the emails present a QR code rendered in Unicode characters. This technique is intended to bypass link-scanning security solutions while simultaneously shifting the attack surface from the desktop environment to the victim's mobile device, where protections may be less robust.

Evasion Through URL Fragment Encoding

Once a victim scans the QR code, they arrive at a landing page that acts as a filtering mechanism. Abnormal's researchers noted a particularly clever evasion tactic built into the URL structure:

"The target's email address is double Base64-encoded in the URL fragment — the portion after the # character. Fragments are never transmitted in HTTP requests, making the target's email invisible to server-side logs and URL reputation feeds."

This means that threat intelligence feeds and server-side logging systems cannot easily detect or flag the encoded target identifier. Security sandboxes and researchers probing the link are redirected to legitimate websites to reduce suspicion, while genuine targets are forwarded to a credential-harvesting page.

Adversary-in-the-Middle and Device Code Phishing

For victims who pass the platform's filtering checks, VENOM serves a credential-harvesting page that operates as an adversary-in-the-middle (AiTM) proxy. This page relays login credentials and multi-factor authentication (MFA) codes to Microsoft's own APIs in real time, capturing the resulting session token for the attacker's use. Because the proxy sits between the victim and a live Microsoft authentication flow, valid MFA codes are intercepted before they expire.

In addition to the AiTM method, Abnormal has also observed VENOM deploying a device code phishing tactic. In this variant, victims are tricked into approving access to their Microsoft account on behalf of a rogue device by entering a legitimate-looking device code. This technique has seen a dramatic surge in popularity over the past year, with at least 11 phishing kits currently offering it as a feature, due largely to its effectiveness and its resistance to simple password resets.

Persistent Access After Authentication

Regardless of which method is used, VENOM moves quickly to establish persistent access during the authentication window. In the AiTM flow, the platform registers a new device on the victim's Microsoft account. In the device code flow, it obtains an access token that grants ongoing account access. Both approaches mean that simply changing a password after the fact may not be sufficient to fully evict the attacker.

Why MFA Is No Longer Enough

The techniques employed by VENOM highlight a critical weakness in conventional MFA defenses. Because the platform intercepts live authentication sessions, standard time-based one-time passwords and push notification approvals offer little meaningful protection against this class of attack.

Abnormal's researchers recommend that C-suite executives and their organizations take the following steps to reduce exposure:

Targeting Strategy and Industry Impact

The deliberate focus on high-value executives sets VENOM apart from broad credential-harvesting campaigns that target employees at all levels. By concentrating on CEOs, CFOs, and VPs, the threat actors behind this platform are seeking accounts with elevated access to sensitive financial data, strategic communications, and internal systems — maximizing the potential value of each compromised credential.

The closed-access nature of the platform suggests it may be operated by a skilled group with a selective client base, rather than a mass-market PhaaS operation. This approach also complicates detection and attribution efforts, since researchers cannot easily acquire samples by monitoring public cybercrime forums.

Organizations in sectors where executive compromise carries the highest risk — including finance, legal, healthcare, and technology — should treat VENOM as an active and credible threat, and audit their current authentication configurations accordingly.


Source: BleepingComputer
