A previously undocumented phishing-as-a-service (PhaaS) platform called VENOM is targeting C-suite executives (CEOs, CFOs, VPs) to steal Microsoft credentials. Active since at least November, the platform uses highly personalized emails impersonating Microsoft SharePoint notifications, QR codes rendered from Unicode block characters rather than images to evade scanning tools, and target email addresses double-Base64-encoded in the URL fragment, which browsers never transmit to the server and which therefore never appears in server-side logs. Victims who pass the bot and researcher filters are forwarded to a real-time adversary-in-the-middle (AiTM) proxy that captures credentials, MFA codes, and session tokens. VENOM also uses device-code phishing to obtain persistent tokens that survive a password reset. Researchers recommend phishing-resistant FIDO2 authentication, disabling the device code flow where it is not needed, and stricter Conditional Access policies, noting that push- or code-based MFA is no longer a sufficient defense.
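The fragment trick deserves a concrete look: the part of a URL after `#` is consumed by the browser and never included in the HTTP request, so a lure can carry the victim's address client-side while the phishing server's access logs (and a defender's proxy logs) show only the path and query. The following Python is an added example written for this page, not code from the VENOM kit or the researchers; it reproduces the double-Base64 fragment encoding as described, shows what the server actually receives, and gives an analyst-side decoder that peels up to two Base64 layers off a fragment and reports the e-mail address if one emerges. The address and the lure domain are constructed for illustration.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def encode_target(email: str) -> str:
    """Double Base64 as described on the page: base64(base64(email))."""
    once = base64.b64encode(email.encode("utf-8")).decode("ascii")
    return base64.b64encode(once.encode("ascii")).decode("ascii")


def _b64decode_lenient(s: str) -> Optional[bytes]:
    """Decode one Base64 layer, tolerating url-safe alphabet and stripped padding.
    Returns None when the text is not Base64 at all."""
    s = s.strip().replace("-", "+").replace("_", "/")
    if len(s) % 4 == 1:          # no valid Base64 string has this length
        return None
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_target(fragment: str) -> Optional[str]:
    """Peel up to two Base64 layers off a URL fragment; return the e-mail if one appears."""
    data = unquote(fragment).encode("utf-8")
    for _ in range(2):
        raw = _b64decode_lenient(data.decode("ascii", "ignore"))
        if raw is None:
            return None
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
        if EMAIL_RE.match(text):
            return text
        data = raw                # not an address yet: try the next layer
    return None


def server_side_request_target(url: str) -> str:
    """What the browser puts in the HTTP request line: path and query only.
    The fragment is stripped before the request leaves the client."""
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")


def extract_phish_target(url: str) -> Optional[str]:
    """Analyst helper: recover the hidden target from a captured lure URL."""
    return decode_target(urlsplit(url).fragment)


if __name__ == "__main__":
    # Constructed sample: hypothetical lure domain and victim address.
    victim = "cfo@example.com"
    lure = f"https://sharepoint-notice.example/view?id=42#{encode_target(victim)}"
    print("lure URL          :", lure)
    print("server sees       :", server_side_request_target(lure))
    print("analyst recovers  :", extract_phish_target(lure))
```

Run against a captured lure, the decoder also handles a single Base64 layer and url-safe variants, so it is usable as a quick triage step for QR or link payloads before pivoting to the AiTM proxy itself; note that it can only be applied to URLs obtained from the e-mail or the endpoint, never from server logs, which is precisely the attacker's point.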