VENOM PhaaS Targets C-Suite Execs with Sophisticated Credential Theft
A new phishing-as-a-service (PhaaS) platform dubbed **VENOM** is actively targeting C-suite executives across various industries. The platform employs advanced techniques, including adversary-in-the-middle (AiTM) attacks and device code phishing, to steal credentials and bypass multi-factor authentication (MFA).
Threat actors are leveraging a previously undocumented phishing-as-a-service (PhaaS) platform called **VENOM** to target the credentials of C-suite executives in multiple sectors.
This operation, active since at least last November, specifically targets individuals holding positions such as CEOs, CFOs, and VPs.
**VENOM** appears to be a closed-access platform, lacking promotion on public channels or underground forums, thereby limiting its exposure to security researchers.
### The VENOM Attack Chain
The phishing emails, observed by researchers at **Abnormal**, impersonate **Microsoft SharePoint** document-sharing notifications, mimicking internal communications.
The messages are highly personalized, incorporating random HTML noise like fake CSS classes and comments. Attackers also inject fake email threads tailored to the target, enhancing credibility.
A QR code rendered in Unicode is provided for the victim to scan. This tactic is designed to bypass scanning tools and shift the attack to mobile devices.

"The target's email address is double Base64-encoded in the URL fragment (the portion after the # character)," **Abnormal** researchers explain.
"Fragments are never transmitted in HTTP requests, making the target's email invisible to server-side logs and URL reputation feeds."
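As an added illustration (not code from Abnormal's report or the VENOM kit), the following Python shows what a web server actually logs for such a URL versus what an analyst can recover client-side by peeling the Base64 layers off the fragment; the host, path and address are constructed.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample lure URL (hypothetical host and path): the target's
# address rides in the fragment, Base64-encoded twice, as the article describes.
TARGET_EMAIL = "cfo@example.com"
SAMPLE_URL = (
    "https://sharepoint-docs.example.invalid/view/doc?id=42#"
    + base64.b64encode(base64.b64encode(TARGET_EMAIL.encode())).decode()
)

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def server_visible_url(url: str) -> str:
    """What the server (and its access log) receives: the URL without the
    fragment, because browsers never send the '#...' part on the wire."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def _b64_decode_lenient(data: str) -> Optional[bytes]:
    """Base64-decode, tolerating URL-safe alphabet and stripped padding."""
    data = data.strip().replace("-", "+").replace("_", "/")
    data += "=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_target_from_fragment(url: str, max_layers: int = 3) -> Optional[str]:
    """Strip up to max_layers Base64 layers from the fragment until an email
    address appears. Returns the address, or None if no layer yields one."""
    current = urlsplit(url).fragment
    for _ in range(max_layers + 1):
        if EMAIL_RE.match(current):
            return current
        decoded = _b64_decode_lenient(current)
        if decoded is None:
            return None
        try:
            current = decoded.decode("ascii")
        except UnicodeDecodeError:
            return None  # binary payload, not a text layer
    return None


if __name__ == "__main__":
    print("server sees :", server_visible_url(SAMPLE_URL))
    print("target email:", recover_target_from_fragment(SAMPLE_URL))
```

Run this over URLs extracted from a reported lure (or decoded from its QR code) to pin down who was targeted, since the proxy and web logs will never show it.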
Upon scanning the QR code, victims are directed to a landing page that filters out security researchers and sandboxed environments, ensuring only genuine targets are redirected to the phishing platform. Users deemed outside the attacker's interest are redirected to legitimate websites to avoid raising suspicion.
Those who pass the tests are taken to a credential-harvesting page that proxies a **Microsoft** login flow in real time, relaying credentials and multi-factor authentication (MFA) codes to **Microsoft** APIs and capturing the session token.

Besides the adversary-in-the-middle (AiTM) technique, **Abnormal** has also observed a device-code phishing tactic where victims are tricked into approving access to their **Microsoft** account for a rogue device.

This method has gained popularity due to its effectiveness and resistance to password resets, with at least 11 phishing kits offering it.
In both methods, **VENOM** quickly establishes persistent access during the authentication process. In the AiTM flow, it registers a new device on the victim's account. In the device code flow, it obtains a token that also provides access to the account.
Researchers emphasize that MFA alone is no longer a sufficient defense. C-suite executives should adopt FIDO2 authentication, disable the device code flow when not necessary, and implement stricter conditional access policies to block token abuse.