👤 CRYSTALPROXY
🗓️ 09 Apr 2026  

Phishing at the Pinnacle: VENOM Hackers Target Top Executives with Stealthy Microsoft Credential Heists

A shadowy new phishing platform, VENOM, is quietly siphoning Microsoft logins from C-suite leaders using cunning tactics that sidestep traditional defenses.

It was an ordinary Monday when the CEO of a global finance firm received what looked like a routine Microsoft SharePoint notification. The message was professional, the sender seemed legit, and a QR code promised secure document access. Within minutes, the executive had unwittingly handed over their corporate credentials - not to a trusted colleague, but to a clandestine criminal operation known only as VENOM.

Researchers at cybersecurity firm Abnormal have uncovered a sophisticated phishing campaign that’s been quietly active since at least November. Unlike typical mass phishing blasts, VENOM’s operators focus on high-value targets - CEOs, CFOs, and VPs - crafting emails that not only spoof internal communications but also weave in fake email threads and random HTML noise to evade automated scanners. The attackers’ pièce de résistance? A Unicode-rendered QR code, designed to lure victims into scanning it with their mobile devices, thus sidestepping desktop security tools.

The technical finesse doesn’t stop there. The victim’s email address is double Base64-encoded and embedded in a URL fragment - after the “#” character, the part of a URL that browsers never send to the server - so it never appears in server logs and is invisible to reputation services. Once the QR code is scanned, the victim is funneled through a series of filters that weed out researchers and sandboxed environments, ensuring only genuine targets reach the credential-harvesting page. Here, VENOM’s adversary-in-the-middle (AiTM) technique comes into play, intercepting both credentials and multi-factor authentication codes in real time, and even capturing session tokens for ongoing access.
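The fragment trick above is invisible server-side, but a mail gateway sees the full link before the victim ever scans it. The following added example (not from the article or from Abnormal) shows a defender-side check that peels Base64 layers off the "#" fragment of each link in a message and flags any link that hides a mailbox address, especially the recipient's own. The sample links and the address ceo@example.com are constructed for illustration.

```python
from __future__ import annotations
import base64
import binascii
import re
from urllib.parse import urlsplit

# Loose mailbox pattern used to recognise a decoded fragment as an e-mail address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def _b64_decode(text: str) -> str | None:
    """Decode standard or URL-safe Base64, tolerating stripped padding; None if not Base64/UTF-8."""
    cleaned = text.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def hidden_address_in_fragment(url: str, max_layers: int = 3) -> tuple[str, int] | None:
    """Peel Base64 layers off the '#' fragment; return (address, layers) once a layer is an e-mail."""
    current = urlsplit(url).fragment
    if not current:
        return None
    for layer in range(1, max_layers + 1):
        current = _b64_decode(current)
        if current is None:
            return None
        if EMAIL_RE.match(current):
            return current, layer
    return None

def flag_suspicious_links(urls: list[str], recipient: str) -> list[dict]:
    """Gateway-side check: report links whose fragment hides an address, and whether it is the recipient's."""
    findings = []
    for url in urls:
        hit = hidden_address_in_fragment(url)
        if hit:
            address, layers = hit
            findings.append({"url": url, "address": address, "layers": layers,
                             "matches_recipient": address.lower() == recipient.lower()})
    return findings

# Constructed sample: the second link carries base64(base64("ceo@example.com")) after '#',
# with the trailing '=' padding stripped as it often is in URLs.
SAMPLE_LINKS = [
    "https://docs.example.invalid/share/view",
    "https://docs.example.invalid/share/view#WTJWdlFHVjRZVzF3YkdVdVkyOXQ",
]
```

Run `flag_suspicious_links(SAMPLE_LINKS, "ceo@example.com")` to see the second link reported with `layers == 2` and `matches_recipient == True`; a link whose fragment resolves to the recipient's own address is a strong signal that the message was built for that person.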

In a further twist, VENOM also leverages a device-code phishing method. Victims are duped into authorizing a rogue device to access their Microsoft account - a technique now favored by at least 11 other phishing kits due to its resilience against password resets and its ability to maintain persistent access.

What makes VENOM particularly insidious is its closed-access nature. Unlike many PhaaS offerings that advertise on underground forums, VENOM keeps a low profile, limiting its exposure to both law enforcement and security researchers. This secrecy, combined with its technical sophistication, makes it a formidable threat - one that’s outpacing many organizations’ current defenses.

As VENOM’s campaign continues to evolve, experts warn that traditional defenses like code-based MFA are no longer enough. For executives at the top of the corporate hierarchy, only advanced measures - such as FIDO2 authentication and strict conditional access policies - may stand between them and the next big breach. The lesson is clear: in the age of targeted phishing, no one at the top is untouchable.

WIKICROOK

  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • QR Code Phishing: QR code phishing uses malicious QR codes to direct users to fake websites that steal credentials or install malware on their devices.
  • Adversary: An adversary is any person or group attempting to breach computer systems or data, often for malicious purposes like theft or disruption.
  • Device: A device is any hardware, such as a phone or computer, that connects to a network and may store credentials or other sensitive data.
  • FIDO2 Authentication: FIDO2 authentication enables secure, passwordless logins using hardware security keys or biometrics, protecting users from phishing and credential theft.