VENOM Phishing Attacks Steal Microsoft Logins of Executives, Bypass MFA
Apr 10, 2026
A newly discovered phishing-as-a-service (PhaaS) platform named VENOM is being used in highly targeted attacks against senior executives, enabling attackers to steal Microsoft credentials, bypass MFA protections, and gain persistent access to corporate accounts.
Key Details at a Glance
| Category | Details |
|---|---|
| Threat Name | VENOM Phishing Campaign |
| Attack Type | Phishing-as-a-Service (PhaaS), AiTM, Device Code Phishing |
| Primary Targets | C-suite executives (CEO, CFO, VP) |
| Impersonation Theme | Microsoft SharePoint notifications |
| Key Techniques | QR phishing, AiTM proxying, device code abuse |
| Impact | Credential theft, MFA bypass, persistent account access |
What is the VENOM Phishing Campaign?
Security researchers have uncovered VENOM, a previously undocumented phishing platform designed to target high-value individuals within organizations. Unlike mass phishing campaigns, VENOM focuses on precision targeting, going after executives such as CEOs, CFOs, and VPs across industries.
The campaign has reportedly been active since at least late 2025 and operates as a closed-access toolkit, meaning it is not openly sold on underground forums—making it harder for defenders to track.
How the Attack Works
1. Highly Personalized Phishing Emails
Attackers impersonate Microsoft SharePoint document-sharing notifications, making emails appear like legitimate internal communications.
- Includes fake email threads tailored to the target
- Injects random HTML noise to evade detection
- Crafted specifically for individual executives
This level of personalization significantly increases the likelihood of success.
2. QR Code-Based Delivery (Quishing Evolution)
Instead of traditional phishing links, VENOM uses QR codes rendered in Unicode characters:
- Bypasses email security scanners
- Forces victims to switch to mobile devices
- Evades URL-based detection systems
Once scanned, the victim is redirected to the next stage of the attack.
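
A defender-side check for the delivery technique above, added here as an example and not part of the original article or any ClearPhish tooling: it scans an email body for a run of rows built from Unicode block glyphs (the way a QR matrix is drawn in plain text) and reports the dimensions of the run. The sample lure and the glyph-density thresholds are constructed assumptions.

```python
import re
from typing import Optional

# Block-element glyphs (U+2580..U+259F) are what text-rendered QR matrices are drawn with.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}

def _is_qr_row(line: str, min_len: int = 15, min_ratio: float = 0.9) -> bool:
    """True if the line is (almost) nothing but block glyphs and spaces, i.e. one QR row."""
    s = line.strip()
    if len(s) < min_len or not any(ch in BLOCK_CHARS for ch in s):
        return False
    module_chars = sum(1 for ch in s if ch in BLOCK_CHARS or ch == " ")
    return module_chars / len(s) >= min_ratio

def find_unicode_qr(body: str, min_rows: int = 10) -> Optional[dict]:
    """Return the first run of >= min_rows consecutive QR-like rows, or None."""
    lines = body.splitlines()
    start = None
    for i, line in enumerate(lines + [""]):          # sentinel closes a trailing run
        if _is_qr_row(line):
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_rows:
            widths = {len(l.strip()) for l in lines[start:i]}
            return {"start_line": start, "rows": i - start,
                    "width": max(widths), "uniform_width": len(widths) == 1}
        start = None
    return None

# Constructed sample: a SharePoint-themed lure with a 21x21 block-glyph "QR" in the body
# (assumed layout; first and last column are always dark so strip() keeps the width).
_QR = "\n".join("".join("\u2588" if c in (0, 20) or (r * 7 + c * 3) % 5 < 3 else " "
                        for c in range(21)) for r in range(21))
SAMPLE_LURE = ("Hi,\n\nA document was shared with you on SharePoint.\n"
               "Scan to open:\n\n" + _QR + "\n\nRegards")
SAMPLE_BENIGN = "Hi,\n\nPlease see the attached agenda.\n\nRegards"

if __name__ == "__main__":
    print(find_unicode_qr(SAMPLE_LURE))    # QR-like block starting at line 5
    print(find_unicode_qr(SAMPLE_BENIGN))  # None
```

A mail gateway rule that flags messages with such a run (and, per the article, a SharePoint theme) catches the lure regardless of where the encoded URL points.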
3. Anti-Detection Filtering Layer
Before showing the phishing page, victims pass through a verification checkpoint:
- Filters out bots, sandboxes, and researchers
- Redirects non-targets to legitimate sites
- Ensures only intended victims proceed
This significantly reduces exposure and takedown risk.
4. Credential Harvesting via AiTM
VENOM uses an Adversary-in-the-Middle (AiTM) technique:
- Proxies a real Microsoft login session
- Captures credentials and MFA codes in real time
- Sends authentication data to Microsoft APIs
This allows attackers to hijack sessions instantly.
5. Device Code Phishing (Advanced Technique)
In parallel, VENOM leverages Microsoft device code authentication flows:
- Tricks users into approving login for a rogue device
- Grants attackers access tokens instead of passwords
- Remains effective even after password resets
This method has gained popularity due to its resilience against traditional defenses.
Why This Attack is Dangerous
VENOM demonstrates a shift from generic phishing to targeted, stealthy, and MFA-resistant attacks:
- Executive targeting increases business impact
- MFA bypass techniques render traditional protections insufficient
- Social engineering + technical evasion improves success rates
- Persistent access via tokens/device registration
In both attack paths, attackers can quickly establish long-term access to compromised accounts.
Indicators of Compromise (IOCs)
| Indicator Type | Description |
|---|---|
| Email Content | SharePoint-themed messages with unusual formatting |
| QR Codes | Unicode-based QR codes in emails |
| URLs | Encoded email addresses in URL fragments (#) |
| Login Behavior | Unexpected device registrations |
| Authentication Logs | Suspicious device code approvals |
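
An added example, not from the article, for the URL indicator in the table: it pulls the fragment off a link and reports when it carries an e-mail address, either plain or base64-encoded, since the fragment never reaches the server and is easy to miss in proxy logs. The URLs are constructed samples.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _decode_b64(s: str) -> Optional[str]:
    """Decode standard or URL-safe base64, tolerating stripped padding; None if not text."""
    if not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", s) or len(s.rstrip("=")) % 4 == 1:
        return None
    s = s.rstrip("=")
    s += "=" * (-len(s) % 4)
    decoder = base64.urlsafe_b64decode if ("-" in s or "_" in s) else base64.b64decode
    try:
        return decoder(s).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def email_in_fragment(url: str) -> Optional[str]:
    """Return the e-mail address carried in the URL fragment (plain or base64), else None."""
    frag = unquote(urlsplit(url).fragment).strip()
    if not frag:
        return None
    for candidate in (frag, _decode_b64(frag)):
        if candidate and EMAIL_RE.fullmatch(candidate.strip()):
            return candidate.strip()
    return None

def flag_urls(urls):
    """Map each URL that smuggles an address in its fragment to that address."""
    return {u: email_in_fragment(u) for u in urls if email_in_fragment(u)}

# Constructed sample links; the base64 fragments decode to cfo@corp.example.
SAMPLE_URLS = [
    "https://docs-share.example/view#Y2ZvQGNvcnAuZXhhbXBsZQ==",  # padded base64
    "https://docs-share.example/view#Y2ZvQGNvcnAuZXhhbXBsZQ",    # padding stripped
    "https://docs-share.example/view#cfo@corp.example",          # plain
    "https://docs-share.example/help#section-2",                 # ordinary anchor
]

if __name__ == "__main__":
    for url, addr in flag_urls(SAMPLE_URLS).items():
        print(addr, "<-", url)
```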
How to Defend Against VENOM
Organizations—especially leadership teams—should implement the following defenses:
Strengthen Authentication
- Enforce FIDO2/passkey-based authentication
- Disable device code flow where unnecessary
Improve Detection
- Monitor anomalous login patterns
- Track new device registrations
- Analyze OAuth/token usage anomalies
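
An added example, not part of the article, of the first two detection items run over sign-in records: it flags device code sign-ins and the first appearance of a device ID for a user once a baseline window has passed. The field names are modelled on Entra sign-in log exports, but the records and the schema as used here are assumptions.

```python
from collections import defaultdict
from datetime import datetime

def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage_signins(signins, baseline_until: str):
    """Flag device code sign-ins and first-seen devices after the baseline window.

    Devices a user signed in from before `baseline_until` are treated as known;
    a user with no baseline at all has every device flagged once.
    """
    cutoff = _ts(baseline_until)
    known = defaultdict(set)          # user -> device IDs seen during the baseline
    alerts = []
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user, when = rec["userPrincipalName"], _ts(rec["createdDateTime"])
        device = rec.get("deviceId") or ""
        if when < cutoff:
            if device:
                known[user].add(device)
            continue
        base = {"user": user, "time": rec["createdDateTime"], "ip": rec.get("ipAddress")}
        if rec.get("authenticationProtocol") == "deviceCode":
            alerts.append({**base, "reason": "device_code_signin", "device": device})
        if device and device not in known[user]:
            alerts.append({**base, "reason": "new_device", "device": device})
            known[user].add(device)   # report each new device only once

    return alerts

# Constructed records (IPs from documentation ranges); not real log data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-30T08:10:00Z", "userPrincipalName": "ceo@corp.example",
     "authenticationProtocol": "none", "deviceId": "dev-laptop-02", "ipAddress": "203.0.113.20"},
    {"createdDateTime": "2026-04-01T09:00:00Z", "userPrincipalName": "cfo@corp.example",
     "authenticationProtocol": "none", "deviceId": "dev-laptop-01", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-04-09T10:00:00Z", "userPrincipalName": "cfo@corp.example",
     "authenticationProtocol": "deviceCode", "deviceId": "", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-04-09T10:05:00Z", "userPrincipalName": "cfo@corp.example",
     "authenticationProtocol": "none", "deviceId": "dev-unknown-77", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2026-04-09T11:00:00Z", "userPrincipalName": "ceo@corp.example",
     "authenticationProtocol": "none", "deviceId": "dev-laptop-02", "ipAddress": "203.0.113.20"},
]

if __name__ == "__main__":
    for a in triage_signins(SAMPLE_SIGNINS, "2026-04-08T00:00:00Z"):
        print(a["time"], a["user"], a["reason"], a["device"] or "-", a["ip"])
```

On the sample data the CFO's device code sign-in followed minutes later by an unknown device from the same IP is the pattern the article describes; the CEO's sign-in from a baseline device produces nothing.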
Email Security Awareness
Train executives to identify:
- QR-based phishing attempts
- Unusual SharePoint notifications
- Requests involving urgent document access
Conditional Access Controls
Restrict access based on:
- Device trust
- Location anomalies
- Risk-based authentication signals
ClearPhish Insight
VENOM is a clear example of how phishing is evolving beyond simple credential theft into session hijacking and identity takeover.
Traditional awareness training is no longer enough. Organizations must simulate real-world attack paths, including:
- QR phishing scenarios
- MFA fatigue and bypass attempts
- Device code abuse simulations
This is exactly where platforms like ClearPhish help—by exposing employees (and executives) to hyper-realistic phishing simulations that mirror campaigns like VENOM.
Final Thoughts
The VENOM phishing campaign underscores a critical reality:
MFA alone is no longer a silver bullet.
As attackers combine social engineering, advanced phishing kits, and authentication abuse, defenders must adopt a layered approach—blending user awareness, strong authentication, and behavioral detection.
For organizations, the question is no longer if executives will be targeted—but how prepared they are when it happens.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.