
Apr 10, 2026 · 5 min read

A New Phishing Service Is Hunting CEOs—It Steals Microsoft 365 Logins and Bypasses MFA

VENOM is a closed-access phishing platform that exclusively targets C-suite executives with fake SharePoint emails. It captures credentials and MFA codes in real time, then registers new devices for persistent access.


What Is VENOM

Security researchers at Abnormal discovered a previously undocumented phishing-as-a-service platform called VENOM that has been operating since at least November 2025. Unlike most phishing kits, which cast a wide net, VENOM exclusively targets C-suite executives: CEOs, CFOs, and VPs across multiple industries.

The platform is closed-access with no public advertising, suggesting it operates through invitation or referral among criminal networks. That exclusivity makes it harder for security researchers to analyze and for defenders to anticipate.

How the Attack Works

VENOM uses an adversary-in-the-middle (AiTM) approach that intercepts the authentication exchange between the victim and Microsoft's servers in real time. The attack chain has several layers designed to avoid detection:

  • Personalized lures. Phishing emails impersonate Microsoft SharePoint notifications and include fake email threads with personalized details that make them look like genuine internal communications.
  • QR code evasion. Instead of traditional links, some campaigns use Unicode-rendered QR codes that bypass email scanning tools and shift the attack to mobile devices, where security protections are typically weaker.
  • Target filtering. Landing pages check whether the visitor is a legitimate target or a security researcher. Non-targets are redirected to benign pages; real executives reach the credential harvesting page.
  • Real-time credential capture. The phishing page proxies the actual Microsoft login flow. When the victim enters their password and MFA code, VENOM captures both simultaneously and uses them to authenticate before the code expires.
  • Persistent access. Attackers immediately register a new device on the compromised account, ensuring continued access even after the victim changes their password.

The platform also employs double Base64 encoding to hide target email addresses in URL fragments. Because the browser never sends the fragment to the server, it does not appear in server-side logs, which makes the attack harder to trace forensically.
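Because the fragment never reaches any server, the only place a defender can recover the targeted address is the lure URL itself, as it appears in the message body. The following triage helper is an added example (not code from the article or from Abnormal's research) that peels one or more Base64 layers off a URL fragment until an email address appears; the lure URL and the target address are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample lure: the fragment carries the target address
# double-Base64-encoded, as the article describes. Host and address are placeholders.
SAMPLE_LURE = "https://phish.example.invalid/share/doc?id=123#" + base64.b64encode(
    base64.b64encode(b"ceo@example.com")).decode()

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _b64decode_lenient(data: str) -> bytes:
    """Decode standard or URL-safe Base64, tolerating stripped '=' padding."""
    data = data.strip().replace("-", "+").replace("_", "/")
    data += "=" * (-len(data) % 4)
    return base64.b64decode(data, validate=True)


def recover_target_from_fragment(url: str, max_layers: int = 3):
    """Return (email, layers_removed) if the fragment is an email address after
    0..max_layers Base64 layers, else None. Generalises the article's double
    encoding to any small number of layers, so a kit variant that encodes once
    or three times is still handled."""
    current = urlsplit(url).fragment
    if not current:
        return None
    for layer in range(max_layers + 1):
        if EMAIL_RE.match(current):
            return current, layer
        try:
            current = _b64decode_lenient(current).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # not Base64 text; give up rather than guess
    return None
```

Run it over the URLs extracted from the reported message, not over web server or proxy logs, which will never contain the fragment.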

Why MFA Is Not Enough

Multi-factor authentication was supposed to stop credential theft. For years, security teams have told executives that enabling MFA makes their accounts safe. VENOM demonstrates why that advice is now dangerously outdated.

Because the phishing page sits between the victim and Microsoft's actual servers, it captures the MFA code at the exact moment it is entered and replays it instantly. The code is valid, the session is created, and the attacker is in. A password reset does nothing because the attacker has already registered their own device. A separate campaign tracked as Storm-2755 uses the same AiTM technique to hijack corporate email accounts and redirect employee salary payments.

VENOM also uses device code phishing, a technique where victims are tricked into approving rogue device access through Microsoft's legitimate device code flow. At least 11 phishing kits now offer this capability. Microsoft itself reported observing 10 to 15 device code phishing campaigns launching every 24 hours since March 2026, with hundreds of compromises occurring daily.

Why Executives Are the Target

Compromising a CEO or CFO's Microsoft 365 account is far more valuable than breaching a regular employee's account. Executive accounts typically have access to sensitive financial data, board communications, merger and acquisition details, and the authority to approve wire transfers.

A single compromised executive account can enable business email compromise fraud, where attackers impersonate the executive to instruct finance teams to wire money to attacker-controlled accounts. The FBI's latest Internet Crime Report found that business email compromise was the second largest driver of the $17.6 billion Americans lost to cyber fraud last year.

How to Protect Your Organization

Traditional MFA cannot stop adversary-in-the-middle attacks. Organizations need to adopt phishing-resistant authentication:

  • Deploy FIDO2 security keys. Hardware keys like YubiKeys are immune to real-time phishing because the authentication is bound to the legitimate domain. A fake Microsoft page cannot complete the FIDO2 handshake.
  • Disable device code flow. Unless your organization specifically needs device code authentication for headless devices, disable it in Azure AD conditional access policies.
  • Enforce conditional access. Require compliant, managed devices for authentication. Block sign-ins from unrecognized devices and locations, especially for privileged accounts.
  • Monitor for suspicious device registrations. Alert on new devices being registered to executive accounts, particularly outside business hours or from unfamiliar locations.
  • Train executives specifically. Generic phishing awareness training is not sufficient. Executives need targeted simulations that replicate the SharePoint lures and QR code tactics VENOM uses.
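The device-registration monitoring item above can be turned into a concrete rule. The following is an added example (not code from the article), run over constructed sample records modelled on Entra ID directory audit entries (the field names activityDisplayName, activityDateTime and initiatedBy.user follow the Microsoft Graph directoryAudits shape, but the values, the executive list, the corporate network range and the business-hours window are all assumptions for illustration).

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample audit records (assumed shape; not a capture from a real tenant).
SAMPLE_AUDIT_LOG = [
    {"activityDisplayName": "Register device", "activityDateTime": "2026-04-09T14:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com", "ipAddress": "203.0.113.10"}}},
    {"activityDisplayName": "Register device", "activityDateTime": "2026-04-09T02:17:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ceo@example.com", "ipAddress": "198.51.100.7"}}},
    {"activityDisplayName": "Update user", "activityDateTime": "2026-04-09T03:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ceo@example.com", "ipAddress": "198.51.100.7"}}},
    {"activityDisplayName": "Register device", "activityDateTime": "2026-04-09T10:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@example.com", "ipAddress": "198.51.100.7"}}},
]

EXECUTIVES = {"ceo@example.com", "cfo@example.com"}          # assumed watchlist
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # assumed office egress range
BUSINESS_HOURS = range(8, 18)                                 # 08:00-17:59 UTC, assumed


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def flag_executive_device_registrations(records):
    """Return one alert per 'Register device' event on a watchlisted executive
    account that happened outside business hours or from outside corporate
    address space. Events for other users or other activities are ignored."""
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") != "Register device":
            continue
        user = rec["initiatedBy"]["user"]
        upn = user.get("userPrincipalName", "").lower()
        if upn not in EXECUTIVES:
            continue
        ts = _parse_ts(rec["activityDateTime"])
        ip = ipaddress.ip_address(user["ipAddress"])
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not any(ip in net for net in CORPORATE_NETS):
            reasons.append("unfamiliar source network")
        if reasons:
            alerts.append({"user": upn, "time": ts.isoformat(), "ip": str(ip), "reasons": reasons})
    return alerts
```

Since a password reset alone does not evict an attacker who has already registered a device, an alert from this rule should drive removal of the unknown device and revocation of the account's sessions, not just a reset.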

The Bigger Picture

VENOM is part of a broader shift in the phishing ecosystem. Phishing-as-a-service platforms have lowered the barrier to entry so far that sophisticated attacks once reserved for nation-state groups are now available to any criminal willing to pay for access. The Tycoon 2FA platform that Europol seized in March was behind 62% of phishing attacks before its takedown. VENOM appears to be one of the platforms filling that gap.

The message for every organization is the same: if your MFA strategy relies on codes or push notifications, you are not protected against modern phishing. The only authentication methods that resist real-time interception are hardware security keys and passkeys. Everything else is a speed bump, not a wall.