A new threat intelligence report from Abnormal AI has revealed details of an ongoing, highly sophisticated phishing campaign that has systematically targeted C-suite executives and senior officers across 21 industry sectors over the past five months. Investigations into the campaign's backend infrastructure led to the discovery of a previously undocumented Phishing-as-a-Service (PhaaS) platform named VENOM. From November 2025 and through March 2026, this operation demonstrated a marked increase in tactical sophistication, particularly in its evasion techniques and methods for maintaining persistent access to compromised accounts.[1]
The campaign specifically targets C-suite executives and senior personnel, rather than relying on random broad-spectrum attacks. The report indicates that 60% of titled recipients held a C-level, President, or Chairman title. Phishing emails impersonate SharePoint document-sharing notifications, often using financial report themes to compel targets to engage.
Crucially, these emails employ QR codes constructed entirely from Unicode characters, removing scannable image files that traditional security solutions might detect and bypassing corporate email security gateways by shifting the interaction to personal mobile devices.
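Because a text-rendered QR code is a grid of glyphs rather than an image, a mail filter can look for the grid itself. The heuristic below is an added example and not code from the Abnormal AI report or Red Sky Alliance: it treats a run of consecutive lines made almost entirely of Unicode Block Elements (U+2580..U+259F) and spaces, at least 21 glyphs wide (a version-1 QR symbol is 21 x 21 modules) and at least 11 lines tall (half-block glyphs pack two module rows per line), as a probable text QR. The thresholds, the sample messages and the `_constructed_grid` stand-in are all constructed for this example.

```python
"""Heuristic detector for QR codes rendered as Unicode block characters.

Added example, not from the Abnormal AI report or Red Sky Alliance.
Assumption: a text-rendered QR code appears as a run of consecutive lines
made almost entirely of Unicode Block Elements (U+2580..U+259F) and spaces,
at least 21 glyphs wide (a version-1 QR symbol is 21 x 21 modules) and at
least 11 lines tall (half-block glyphs pack two module rows per line).
The thresholds are illustrative choices for this example, not the vendor's.
"""

BLOCK_CHARS = frozenset(chr(cp) for cp in range(0x2580, 0x25A0))
MIN_COLS = 21                    # modules per side of the smallest QR symbol
MIN_ROWS = (MIN_COLS + 1) // 2   # 11 text lines when each glyph holds 2 module rows
MIN_DENSITY = 0.9                # share of block/space glyphs needed per line


def is_grid_line(line: str) -> bool:
    """True if a line looks like one row of a text-rendered QR grid."""
    s = line.strip()
    if len(s) < MIN_COLS:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in s)
    if blocks == 0:
        return False
    return (blocks + s.count(" ")) / len(s) >= MIN_DENSITY


def find_text_qr(body: str) -> dict:
    """Scan a message body for the longest run of grid lines.

    Returns a dict with `found` plus the run's size and position, so an
    alert can quote where in the body the grid sits."""
    best = {"found": False, "rows": 0, "cols": 0, "first_line": None}
    run_start, widths = None, []
    for i, line in enumerate(body.splitlines() + [""]):   # sentinel flushes the last run
        if is_grid_line(line):
            if run_start is None:
                run_start = i
            widths.append(len(line.strip()))
            continue
        if run_start is not None and len(widths) > best["rows"]:
            best.update(rows=len(widths), cols=min(widths), first_line=run_start)
        run_start, widths = None, []
    best["found"] = best["rows"] >= MIN_ROWS and best["cols"] >= MIN_COLS
    return best


def _constructed_grid(size: int = MIN_COLS) -> str:
    """Deterministic stand-in for a half-block QR rendering (not a real code).

    The first and last columns are forced dark so every row keeps its full
    width after stripping, as a real symbol's finder patterns would."""
    glyphs = "█▀▄ "
    return "\n".join(
        "".join("█" if c in (0, size - 1) else glyphs[(r * 7 + c * 3) % 4]
                for c in range(size))
        for r in range((size + 1) // 2)
    )


# Constructed sample messages, mirroring the SharePoint/financial-report lure theme.
SUSPICIOUS_EMAIL = (
    "Subject: Q1 Financial Report shared with you via SharePoint\n\n"
    "Scan with your phone to open the document:\n"
    + _constructed_grid() + "\n\nRegards,\nFinance Team\n"
)
BENIGN_EMAIL = (
    "Subject: Build status\n\n"
    "Progress: ████████░░ 80%\n"
    "──────────────────────────\n"
    "See the dashboard for details.\n"
)

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, find_text_qr(body))
```

The density check is what keeps a single progress bar or a box-drawing rule from firing: both fall short of a near-square grid of block glyphs. A production filter would also render HTML to text first and normalise full-width and shade glyphs before applying the same run-length logic.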
VENOM Phishing Platform - This platform does not appear in any public threat intelligence databases or open marketplaces, suggesting it operates a closed-access distribution model through vetted channels. VENOM is equipped with licensing and activation features, structured token storage, and a comprehensive campaign management interface, indicating its commercial nature and the likelihood that it is distributed to multiple threat actors.
Advanced Credential Capture & Persistence - The campaign employs two distinct and highly effective methods for credential capture and maintaining long-term access:
- Adversary-in-the-Middle (AiTM) Relay: This method intercepts credentials and Multi-Factor Authentication (MFA) in real-time. The attacker-controlled relay acts as a proxy between the target and Microsoft's live authentication flow.
In a significant operational capability, an attacker-controlled authenticator is silently registered on the target's Microsoft 365 account before the browser redirects, establishing persistent access even if the target changes their password.
- Device Code Flow: This particularly insidious technique leverages Microsoft's own OAuth protocol. Targets authenticate directly with microsoft.com, and Microsoft then delivers access and refresh tokens straight to the attacker's backend.
This means no credential form is ever presented to the target, bypassing traditional detection methods entirely. Captured OAuth refresh tokens provide ongoing access, effectively neutralizing MFA by operating within its framework rather than attempting to bypass it.
Both methods are designed to convert a single authentication event into long-term account access, rendering standard MFA solutions largely ineffective against these specific attack vectors.
Impact & Visibility - The deliberate focus on C-suite executives, who possess the broadest access to sensitive data and authority, amplifies the potential impact of each successful compromise. Such compromised accounts can serve as trusted launchpads for Business Email Compromise (BEC), fraudulent wire transfers, and lateral phishing attacks targeting other high-value individuals within an organization.
The campaign is engineered for invisibility at multiple stages. Unicode QR codes leave no image for scanners, and URL fragments used to convey target identifiers are invisible to server logs and proxy infrastructure. The harvesting domains present benign, AI-generated business websites to anyone without the correct activation fragment, further hindering forensic analysis.
Recommendations for Defense - Organizations are urged to reassess their security postures in light of these findings. Abnormal AI recommends the following strategic actions for Chief Information Security Officers (CISOs):
- Revoke Sessions, Tokens, and Enrolled Devices: Incident response plans should include the revocation of all active sessions, token grants, and unauthorized MFA registrations in Entra ID following a compromise.
- Audit and Monitor MFA Device Registrations: Regularly monitor Entra ID audit logs for unexpected `SoftwareTokenActivated` events, particularly those with the display name `NO_DEVICE`, and alert on MFA device additions outside IT-managed workflows.
- Restrict Device Code Authentication Flows: Evaluate the operational necessity of Microsoft’s Device Code flow and disable it via Conditional Access where it is not required, closing a significant token-capture pathway.
- Harden QR Code and Mobile-Redirect Defenses: Deploy email security solutions capable of detecting text-based QR code rendering techniques and review policies governing corporate resource access from unmanaged devices.
- Deploy Behavioral Email and Account Protection: Implement AI-driven security to detect highly personalized phishing content and behavior-based account monitoring to identify anomalous sign-ins, token usage, and unexpected MFA changes.
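The audit-log and device-code recommendations above can be turned into detection logic and correlated, since the report describes the two as a sequence: a device-code sign-in yields tokens, and a new authenticator is then registered for persistence. The script below is an added example, not code from the Abnormal AI report or Red Sky Alliance. Its records are constructed, in a simplified shape loosely modelled on Entra ID audit-log and sign-in-log exports: the `SoftwareTokenActivated` activity name and `NO_DEVICE` display name come from the report, while `authenticationProtocol`, `userPrincipalName`, `ipAddress`, `initiatedBy` and the allowlists are assumptions to check against the export you actually ingest.

```python
"""Detection over Entra ID-style audit and sign-in records for the two
persistence signals the report calls out: unexpected software-token (MFA)
registrations and device-code sign-ins, with correlation between them.

Added example, not code from the Abnormal AI report or Red Sky Alliance.
Record shape is constructed and simplified; map field names to your export.
"""
from datetime import datetime, timedelta

# Constructed sample audit records (not real telemetry).
AUDIT_EVENTS = [
    {"activityDateTime": "2026-02-10T09:14:00Z", "activityDisplayName": "SoftwareTokenActivated",
     "userPrincipalName": "cfo@example.com", "deviceDisplayName": "NO_DEVICE",
     "initiatedBy": "cfo@example.com", "ipAddress": "203.0.113.45"},
    {"activityDateTime": "2026-02-10T13:02:00Z", "activityDisplayName": "SoftwareTokenActivated",
     "userPrincipalName": "newhire@example.com", "deviceDisplayName": "iPhone 15",
     "initiatedBy": "helpdesk@example.com", "ipAddress": "198.51.100.8"},
    {"activityDateTime": "2026-02-11T08:00:00Z", "activityDisplayName": "Update user",
     "userPrincipalName": "ceo@example.com", "deviceDisplayName": None,
     "initiatedBy": "helpdesk@example.com", "ipAddress": "198.51.100.8"},
]

# Constructed sample sign-in records (not real telemetry).
SIGNIN_EVENTS = [
    {"createdDateTime": "2026-02-10T09:05:00Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.45"},
    {"createdDateTime": "2026-02-10T11:30:00Z", "userPrincipalName": "ops@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
     "ipAddress": "198.51.100.20"},
    {"createdDateTime": "2026-02-10T12:00:00Z", "userPrincipalName": "ceo@example.com",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
     "ipAddress": "198.51.100.21"},
    {"createdDateTime": "2026-02-10T15:40:00Z", "userPrincipalName": "contractor@example.com",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "ipAddress": "203.0.113.77"},
]

# Tenant-specific allowlists (assumed policy, constructed for the example).
IT_INITIATORS = {"helpdesk@example.com"}   # accounts allowed to enrol MFA for others
DEVICE_CODE_APPS = {"Azure CLI"}            # apps with a documented need for device code


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_mfa_registrations(events, it_initiators=IT_INITIATORS):
    """Alert on SoftwareTokenActivated events with the NO_DEVICE display name
    or initiated outside the IT-managed enrolment workflow."""
    alerts = []
    for e in events:
        if e["activityDisplayName"] != "SoftwareTokenActivated":
            continue
        reasons = []
        if e.get("deviceDisplayName") == "NO_DEVICE":
            reasons.append("display name NO_DEVICE")
        if e["initiatedBy"] not in it_initiators:
            reasons.append("registration outside IT-managed workflow")
        if reasons:
            alerts.append({"user": e["userPrincipalName"], "time": _ts(e["activityDateTime"]),
                           "ip": e["ipAddress"], "reasons": reasons})
    return alerts


def flag_device_code_signins(events, allowed_apps=DEVICE_CODE_APPS):
    """Return device-code sign-ins for apps with no documented need for the flow."""
    return [{"user": e["userPrincipalName"], "time": _ts(e["createdDateTime"]),
             "ip": e["ipAddress"], "app": e["appDisplayName"]}
            for e in events
            if e.get("authenticationProtocol") == "deviceCode"
            and e["appDisplayName"] not in allowed_apps]


def correlate(audit_events, signin_events, window=timedelta(hours=2)):
    """Raise severity when a flagged MFA registration follows a device-code
    sign-in by the same user within `window`; lone device-code sign-ins to
    unapproved apps are reported at low severity."""
    mfa = flag_mfa_registrations(audit_events)
    dc = flag_device_code_signins(signin_events)
    findings = []
    for m in mfa:
        prior = [d for d in dc if d["user"] == m["user"]
                 and timedelta(0) <= m["time"] - d["time"] <= window]
        findings.append({"user": m["user"], "severity": "high" if prior else "medium",
                         "reasons": m["reasons"], "preceded_by_device_code": bool(prior)})
    for d in dc:
        if not any(f["user"] == d["user"] for f in findings):
            findings.append({"user": d["user"], "severity": "low",
                             "reasons": [f"device code sign-in to {d['app']}"],
                             "preceded_by_device_code": True})
    return findings


if __name__ == "__main__":
    for finding in correlate(AUDIT_EVENTS, SIGNIN_EVENTS):
        print(finding)
```

On the constructed data the CFO account produces a high-severity finding (device-code sign-in nine minutes before a `NO_DEVICE` token activation from the same IP), the contractor a low-severity one, and the helpdesk-initiated enrolment nothing. When a high-severity finding fires, the response step from the first recommendation applies: revoke sessions and token grants and remove the unexpected authenticator, since a password reset alone does not invalidate it.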
The campaign highlights a significant evolution in phishing tactics, where technical sophistication and the commercialization of advanced tools like VENOM pose a substantial challenge to traditional security measures.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/new-phishing-campaign-targets-c-suite-executives--9253.html