VENOM targets executives

A new phishing-as-a-service platform called VENOM is being used to steal Microsoft logins from C-suite executives. That raises the stakes: one stolen executive account has a large blast radius and generates very little alert volume. Security reporting notes the campaign spans industries and focuses on high-value Microsoft accounts. (bleepingcomputer.com)

A fake SharePoint notification lands in an executive's inbox, says a financial document is waiting, and asks them to scan a QR code with their phone. The recipients are not random employees but chief executive officers, chief financial officers, presidents, chairmen, and vice presidents picked by name. (bleepingcomputer.com)

The engine behind it is a new phishing-as-a-service platform called VENOM: one group built the attack system and other criminals run campaigns on top of it. Researchers at Abnormal say the campaign ran from November 2025 through March 2026 and hit targets across more than 20 industry verticals. (abnormal.ai)

The email is built to look internal, not external. Abnormal says the sender address is generated from the victim's own company domain, with examples like a fake SharePoint administrator address, and the footer is customized to mention the target company's Microsoft 365 environment. (abnormal.ai)

The HTML of the email is also booby-trapped for mail scanners. Abnormal found exactly 13 fake style-sheet classes and exactly 13 fake element IDs stuffed into each message, plus random comments and attributes, so no two emails look identical to signature-based detection. (abnormal.ai)

The QR code is there for a reason. BleepingComputer says it is rendered as Unicode characters rather than as an image, so security products that look for embedded QR images have a harder time reading it automatically, and the scan pushes the victim off the desktop mail client and onto a phone, where URL warning signs are easier to miss. (bleepingcomputer.com)

After the scan, the victim does not go straight to the credential theft page. The first stop is a filter page that checks whether the visitor looks like a real human executive or a security sandbox; anyone who fails is sent to a harmless legitimate site instead of the malicious one. (infosecurity-magazine.com) The theft itself happens in one of two ways.
In the first, the attacker runs an adversary-in-the-middle (AiTM) page that sits between the victim and the real Microsoft login, relaying the username, password, and multifactor authentication code to Microsoft in real time while capturing the resulting session for the attacker. (bleepingcomputer.com) The MFA challenge is satisfied once, by the victim, and the attacker simply reuses the session that came out of it.

In the second, the victim is tricked into approving Microsoft's device code flow, a legitimate sign-in method meant for devices that cannot easily take a password. Abnormal says that path hands the attacker access tokens directly, so a password reset alone may not kick them out; the issued tokens have to be revoked as well. (infosecurity-magazine.com)

That is why this campaign is aimed at the top floor. Abnormal says 60% of titled recipients held a C-level, president, or chairman title, and one stolen executive Microsoft account can expose board mail, finance documents, approvals, and internal conversations without the noisy login patterns that usually accompany mass employee compromise. (abnormal.ai)

The ugly part is that multifactor authentication is no longer enough on its own here. BleepingComputer reports that researchers recommend phishing-resistant FIDO2 security keys, disabling device code sign-in where it is not needed, and tightening conditional access rules so a single approved login cannot quietly turn into long-term access. (bleepingcomputer.com)
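The two mail-body tricks described above (a QR code drawn in Unicode characters instead of shipped as an image, and the fake CSS classes and element IDs that make every message unique) are both things a mail filter can look for without decoding the QR at all. The following is an added example by the editor, not VENOM's code or anything from the cited reporting: it scans a constructed sample message for a run of lines made of Unicode block characters the size of a QR symbol, and counts style-sheet classes and element IDs that nothing in the message actually uses. The sample email, the class and ID names, and the grid (which is QR-shaped but not a real QR code) are all constructed here; the thresholds are the editor's heuristics.

```python
"""Heuristics for a text-rendered QR code and CSS/ID noise in HTML mail.
Added example with a constructed sample message; not VENOM's code."""
import html
import re

# Unicode "Block Elements" (U+2580..U+259F): the full, half and shade blocks
# that a QR code rendered as text is usually built from.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}


def visible_text(html_doc: str) -> str:
    """Crude HTML-to-text: drop style/script, turn <br> and block ends into newlines, strip tags."""
    doc = re.sub(r"<(style|script)[^>]*>.*?</\1>", "", html_doc, flags=re.S | re.I)
    doc = re.sub(r"<br\s*/?>|</p>|</div>|</tr>", "\n", doc, flags=re.I)
    doc = re.sub(r"<[^>]+>", "", doc)
    return html.unescape(doc)


def is_block_line(line: str, min_ratio: float = 0.8) -> bool:
    """True when nearly every non-space character is a block element.
    Light modules are usually spaces or &nbsp;, so whitespace is not counted either way."""
    nonspace = [c for c in line if not c.isspace()]
    if not nonspace:
        return False
    return sum(c in BLOCK_CHARS for c in nonspace) / len(nonspace) >= min_ratio


def find_text_qr_grids(text: str, min_lines: int = 11, min_width: int = 21):
    """Return (first_line, line_count, width) for each run of consecutive block-character
    lines large enough to be a QR symbol. The smallest QR is 21x21 modules; rendered with
    half-block characters that is 11 lines, so anything shorter is ignored."""
    lines = text.splitlines()
    grids, i = [], 0
    while i < len(lines):
        if not is_block_line(lines[i]):
            i += 1
            continue
        j = i
        while j < len(lines) and is_block_line(lines[j]):
            j += 1
        width = max(len(line) for line in lines[i:j])
        if j - i >= min_lines and width >= min_width:
            grids.append((i, j - i, width))
        i = j
    return grids


def css_noise(html_doc: str) -> dict:
    """Count style-sheet classes and element IDs that nothing in the message uses."""
    styles = " ".join(re.findall(r"<style[^>]*>(.*?)</style>", html_doc, flags=re.S | re.I))
    defined_classes = set(re.findall(r"\.([A-Za-z_][\w-]*)\s*[{,]", styles))
    used_classes = set()
    for attr in re.findall(r"""class\s*=\s*["']([^"']*)["']""", html_doc, flags=re.I):
        used_classes.update(attr.split())
    declared_ids = set(re.findall(r"""\sid\s*=\s*["']([^"']+)["']""", html_doc, flags=re.I))
    referenced_ids = set(re.findall(r"#([A-Za-z_][\w-]*)", html_doc))  # CSS #id and href="#id"
    return {
        "defined_classes": len(defined_classes),
        "unused_classes": len(defined_classes - used_classes),
        "declared_ids": len(declared_ids),
        "unreferenced_ids": len(declared_ids - referenced_ids),
        "html_comments": len(re.findall(r"<!--.*?-->", html_doc, flags=re.S)),
    }


def analyze_email(html_doc: str) -> dict:
    return {"qr_grids": find_text_qr_grids(visible_text(html_doc)), "noise": css_noise(html_doc)}


# ---- constructed sample: a QR-shaped grid (not a real QR code) plus 13 junk classes/IDs ----
def _finder(r: int, c: int) -> bool:
    return r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4)


def constructed_qr_like_grid(n: int = 21) -> list:
    """21x21 grid with the three finder patterns of a real QR and a checkerboard elsewhere,
    drawn with U+2588 for dark modules and a space for light ones."""
    rows = []
    for r in range(n):
        row = []
        for c in range(n):
            for fr, fc in ((0, 0), (0, n - 7), (n - 7, 0)):
                if fr <= r < fr + 7 and fc <= c < fc + 7:
                    dark = _finder(r - fr, c - fc)
                    break
            else:
                dark = (r + c) % 2 == 0
            row.append("\u2588" if dark else " ")
        rows.append("".join(row))
    return rows


NOISE_CLASSES = ["k%x" % (0xA1F3 + 97 * i) for i in range(13)]  # constructed junk class names
NOISE_IDS = ["z%x" % (0x3B9 * (i + 1)) for i in range(13)]       # constructed junk element IDs


def build_sample_email() -> str:
    style = "\n".join(f".{c} {{ display:none }}" for c in NOISE_CLASSES)
    style += "\n.body { font-family: Segoe UI } .btn { color: #0078d4 }"
    ids = "\n".join(f'<span id="{i}"></span>' for i in NOISE_IDS)
    grid = "<br>".join(r.replace(" ", "&nbsp;") for r in constructed_qr_like_grid())
    return (f"<html><head><style>{style}</style></head>\n"
            f"<body class=\"body\"><!-- 8f2c1 -->\n"
            f"<p>A financial document has been shared with you.</p>\n"
            f"<p class=\"btn\">Scan the code below with your phone to review it.</p>\n"
            f"{ids}\n<p>{grid}</p>\n<p>SharePoint Admin, Microsoft 365</p></body></html>")


if __name__ == "__main__":
    print(analyze_email(build_sample_email()))
```

On the sample, `analyze_email` reports one 21-line, 21-wide block-character grid, 13 unused classes and 13 unreferenced IDs. Neither signal proves phishing on its own (a plain-text art signature or a sloppy marketing template can trip them), but a block-character grid in a message that also mentions a shared document, combined with the noise counts, is a reasonable score to feed into a mail gateway rule.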
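The device code path and the recommended response (disable the flow where it is not needed, tighten conditional access, and remember that a password reset alone does not evict a token holder) can be turned into a concrete triage routine. The following is an added example by the editor, not code from Abnormal, BleepingComputer or Microsoft: it walks constructed Entra ID sign-in records, flags successful device-code sign-ins that are watchlisted, use an unexpected client, or come from an IP the user has never signed in from, lists the accounts whose sessions should be revoked, and builds the Conditional Access policy body that blocks the flow. The log field names follow the Microsoft Graph `signIn` resource and the policy shape follows the Graph `conditionalAccessPolicy` resource as the editor understands them; the sample events, the executive watchlist and the allow-list of expected device-code clients are assumptions for the example.

```python
"""Triage of Entra ID sign-in records for device-code-flow abuse, plus the
Conditional Access body that blocks the flow. Added example with constructed data."""
import json
from collections import defaultdict

# Constructed sample: sign-in events in the shape of the Graph /auditLogs/signIns
# resource, trimmed to the fields used here. Not real tenant data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "dev@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Visual Studio Code", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-02-03T07:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "cfo@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-02-03T08:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "createdDateTime": "2026-02-03T09:40:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dev@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Azure CLI", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-02-03T10:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "ceo@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "createdDateTime": "2026-02-03T11:00:00Z", "status": {"errorCode": 50126}},
]

# Assumed: accounts that should never complete a device-code sign-in unnoticed,
# and the CLI tools for which the flow is a legitimate daily occurrence.
EXEC_WATCHLIST = {"ceo@example.com", "cfo@example.com"}
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI", "Microsoft Azure PowerShell"}


def triage_device_code(signins, watchlist=EXEC_WATCHLIST):
    """Return one finding per device-code sign-in, scored by how many red flags it carries.
    Non-device-code sign-ins only contribute to the per-user baseline of known source IPs."""
    events = sorted(signins, key=lambda e: e["createdDateTime"])
    seen_ips = defaultdict(set)
    findings = []
    for e in events:
        upn = e["userPrincipalName"]
        if e.get("authenticationProtocol") != "deviceCode":
            seen_ips[upn].add(e["ipAddress"])
            continue
        code = e["status"]["errorCode"]
        if code != 0:
            # No token was issued, but a failed device-code attempt against an executive
            # is still worth a ticket: it shows the lure reached them.
            findings.append({"upn": upn, "time": e["createdDateTime"], "severity": "info",
                             "reasons": [f"failed device-code sign-in (error {code})"]})
            continue
        reasons = []
        if upn in watchlist:
            reasons.append("watchlisted user")
        if e["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"unexpected client {e['appDisplayName']!r}")
        if e["ipAddress"] not in seen_ips[upn]:
            reasons.append(f"source IP {e['ipAddress']} never seen for this user")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        findings.append({"upn": upn, "time": e["createdDateTime"],
                         "severity": severity, "reasons": reasons})
    return findings


def users_to_revoke(findings):
    """Accounts whose tokens must be revoked, not just their passwords reset.
    In Graph that is POST /users/{id}/revokeSignInSessions, which invalidates the
    refresh tokens the device-code flow handed out."""
    return sorted({f["upn"] for f in findings if f["severity"] == "high"})


def block_device_code_policy(state="enabledForReportingButNotEnforced", exclude_groups=()):
    """Body for POST /identity/conditionalAccess/policies that blocks the device code flow
    for everyone except an exclusion group holding the few users who need it.
    Start in report-only mode and review the resulting sign-in log entries before enforcing."""
    return {
        "displayName": "Block device code flow",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    found = triage_device_code(SAMPLE_SIGNINS)
    print(json.dumps(found, indent=2))
    print("revoke sessions for:", users_to_revoke(found))
    print(json.dumps(block_device_code_policy(), indent=2))
```

On the sample, the CFO's device-code sign-in scores high (watchlisted, Microsoft Office rather than a CLI tool, and a new IP), the developer's Azure CLI sign-in from a known IP scores low, and the CEO's failed attempt is recorded as informational. The policy body deliberately defaults to report-only: blocking the device code flow tenant-wide also breaks legitimate headless tools, so the exclusion group should be populated from real sign-in data first.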

Shared from Scout - Be the smartest in the room.