Abnormal Intelligence has documented VENOM, a previously unknown phishing-as-a-service (PhaaS) platform linked to a five-month campaign aimed at C-suite executives across more than 20 industries. Its operators systematically bypass MFA in order to maintain persistent access to Microsoft 365.
Attack Timeline
STEP 1
Spear-phishing email delivery
The target receives a SharePoint document-sharing notification that is dynamically personalized using the target’s own email domain. The sender address, company name, and footer branding are automatically generated to make the message appear internal. The QR code in the email is built entirely from Unicode characters. There is no image file, which leaves scanners with nothing to analyze.
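As an added illustration (not part of the original write-up or of any Arsen tooling), the following Python heuristic flags a QR code that has been drawn as a grid of Unicode block characters in a message body, which is the lure construction described above. It assumes the HTML has already been reduced to plain text and that the code is rendered with glyphs from the Unicode Block Elements range; the thresholds and the sample messages are constructed for the example.

```python
# Block Elements (U+2580..U+259F) are the glyphs usually used to draw a QR code
# as text; the two geometric squares are included as an extra assumption.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)} | {"\u25a0", "\u25a1"}
BLANK_CHARS = {" ", "\u00a0", "\u2800"}  # space, no-break space, blank braille


def is_grid_row(line, min_len=10, min_fill=0.9, min_blocks=3):
    """True if a line of text looks like one row of a text-rendered QR code:
    long enough, almost entirely block/blank glyphs, and not just whitespace."""
    s = line.strip()
    if len(s) < min_len:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in s)
    blanks = sum(ch in BLANK_CHARS for ch in s)
    return blocks >= min_blocks and (blocks + blanks) / len(s) >= min_fill


def find_text_qr(body, min_rows=8):
    """Return (first_line_index, row_count) for the longest run of consecutive
    grid-like rows, or None when no run reaches min_rows."""
    best, start, run = None, 0, 0
    for i, line in enumerate(body.splitlines() + [""]):  # sentinel ends last run
        if is_grid_row(line):
            if run == 0:
                start = i
            run += 1
            continue
        if run >= min_rows and (best is None or run > best[1]):
            best = (start, run)
        run = 0
    return best


# Constructed samples: a plain notification, and one carrying a 21x21 grid of
# full blocks and spaces in place of a QR image (the pattern is arbitrary).
BENIGN_BODY = "Hi,\n\nThe Q3 report is in the shared folder.\n\nRegards,\nFinance"
_GRID = "\n".join(
    "".join("\u2588" if (i * 2 + j * 3) % 5 < 3 else " " for j in range(21))
    for i in range(21)
)
LURE_BODY = "Document shared with you\n\nScan the code below to view the file.\n\n" + _GRID + "\n\nRegards"

if __name__ == "__main__":
    print(find_text_qr(BENIGN_BODY))  # None
    print(find_text_qr(LURE_BODY))    # (4, 21)
```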
STEP 2
QR code scan on a personal device
Once scanned, the QR code moves the session away from a managed corporate endpoint and onto the target’s personal mobile device. This bypasses corporate proxies and endpoint protection. The target’s email address is double-Base64-encoded inside the URL fragment, which is never transmitted to a server. As a result, it remains invisible to proxy logs and URL reputation feeds.
STEP 3
Verification gate filtering
The URL leads to a fake bot-challenge page that impersonates Cloudflare or Microsoft Defender. Before any content loads, the gate quietly evaluates visitors using User-Agent inspection, live IP reputation checks, hidden honeypot elements, and proof-of-work challenges. Security tools, sandboxes, and researchers are silently redirected to harmless websites. Only genuine human targets are allowed through.
STEP 4
Credential harvesting
Visitors who pass the gate are taken to a Microsoft sign-in page generated in real time from their actual identity provider. It includes the organization’s logo, the target’s pre-filled email address, and the real federated IdP page. In AiTM mode, every credential and MFA code is relayed live to Microsoft’s API as the target enters it. In Device Code mode, the target authenticates directly on microsoft.com, and Microsoft sends the resulting tokens to the attacker’s backend.
STEP 5
Persistence established
Before the browser finishes redirecting, the platform enrolls an attacker-controlled MFA device on the target’s Microsoft 365 account. In Entra ID logs, this appears as a SoftwareTokenActivated event with the display name NO_DEVICE. The target lands on a legitimate Microsoft error page and assumes the issue was just a login glitch. By that point, the attacker’s session is already active.
Social Engineering at Every Stage
What sets VENOM apart is not a single technical feature. The defining factor is how consistently every stage is designed around human psychology.
- The initial lure draws credibility from two sources: trusted internal infrastructure and familiar business workflows. The use of SharePoint, Dropbox, Docusign, DHL, and UPS is deliberate. C-suite executives interact with these platforms every day, in situations where reviewing a document or confirming a delivery feels routine rather than suspicious. The financial report theme adds urgency. Executives expect financial documents to arrive quickly and often act on them without closely reviewing sender details during a busy day.
- Personalization makes the message even more convincing. The sender address is generated from the target’s own domain. The company name appears in the footer. The email reads as though it came from inside the organization. This is not generic phishing. It is a message carefully built to look exactly like something the target’s own company would send.
- The social engineering continues at the verification gate. The fake Cloudflare or Microsoft Defender challenge resembles a routine web safety check the target has likely seen before. Completing it feels like ordinary browsing behavior, not a warning sign. The action being requested is familiar, not unusual.
The credential harvester takes that logic to its conclusion.
The login page shown to the target is not a static imitation. It is a live reflection of the real identity provider, complete with the organization’s logo, the genuine federated sign-in flow, and the email address already filled in. Nothing looks inconsistent with a legitimate sign-in experience. It is indistinguishable from the real page because, in every visible sense, it is the real page, simply relayed through an attacker-controlled intermediary.
In Device Code mode, the social engineering is subtler still. No credential form is shown at all. The lure presents the interaction as Docusign document verification: familiar, simple, and backed by a trusted service. The “verification code” copied and pasted into microsoft.com is framed as part of document access, not account authorization. The target performs a fully legitimate action on Microsoft’s own infrastructure. The compromise occurs entirely in where the resulting tokens are delivered.

Taken together, these techniques exploit two of the most dependable levers in social engineering: authority (Microsoft, SharePoint, Docusign, internal branding) and familiarity (routine workflows carried out every day without much thought). The attack does not require unusual behavior. It relies on actions the target already performs in a context engineered to remove the need for suspicion.
Prevention and Remediation
VENOM is a technical operation whose success depends entirely on the human factor. That is why the most durable defenses are also human-centered.
Train executives specifically, not generically.
Standard phishing awareness is not enough in this case. C-suite personnel face a distinct threat profile: targeted spear-phishing, QR code attacks, and social engineering delivered through voice and SMS. Training needs to reflect that reality. Arsen’s Executive Protection program is built to address this exact gap, using tailored simulations and workshops focused on leadership exposure, including vishing with voice cloning, two-stage attacks, and multi-vector scenarios. Executives who have already experienced these attacks in simulation are far less likely to fall for one unintentionally.
Simulate QR code attacks before attackers do.
QR code phishing is becoming a stronger attack vector because it moves the interaction to unmanaged mobile devices outside corporate security controls. Arsen provides both a QR Code Phishing Test and a QR Code Phishing Simulation to measure exposure and improve recognition before a real incident takes place.
Monitor for the threat signals VENOM leaves behind.
Arsen’s Threat Monitoring capability tracks typosquatted and look-alike domains, as well as data leaks associated with an organization. These are two of the signals attackers use to create personalized lures. Detecting exposed executive data early reduces the attacker’s ability to craft convincing impersonation attempts.
Harden Microsoft 365 configuration.
On the technical side, organizations should restrict Microsoft’s Device Code authentication flow through Conditional Access wherever it is not operationally necessary. Entra ID audit logs should be monitored for SoftwareTokenActivated events with the display name NO_DEVICE, which is the forensic marker VENOM leaves after registering a persistent authenticator. Incident response runbooks need to include explicit revocation of all active sessions, token grants, and unauthorized MFA enrollments in Entra ID. A password reset by itself does not revoke a stolen refresh token.
Layer simulations across all social engineering vectors.
VENOM combines phishing, QR code lures, and impersonation of trusted brands into a single sequence. Effective preparation needs the same range. Arsen’s phishing simulation platform and security awareness training are designed to cover the full spectrum, including spear-phishing, business email compromise, and QR code attacks, so that no single technique remains untested.
Summary
Does MFA protect against the VENOM campaign?
Not reliably. VENOM uses two harvesting modes, and each defeats MFA in a different way. In AiTM mode, credentials and MFA codes are relayed in real time to Microsoft’s live API, allowing the attacker to capture the authenticated session as it is created. In Device Code mode, the target authenticates directly on Microsoft’s infrastructure, and Microsoft delivers the resulting tokens to the attacker. In both scenarios, MFA triggers and completes normally. It does not stop the compromise.
Why are executives specifically targeted rather than all employees?
Executives have the broadest access to sensitive financial information, strategic communications, and organizational authority. A compromised C-suite account is more than a stolen credential. It becomes a trusted launch point. From a CEO’s mailbox, an attacker can initiate business email compromise, approve fraudulent wire transfers, and send lateral phishing messages that carry built-in authority and are difficult to distinguish from legitimate communication.
What makes the VENOM phishing emails so hard to detect?
Each message is generated programmatically and personalized individually from a single input: the target’s email address. The sender domain is derived from the target’s own organization. The company name is inserted into the footer. The QR code is rendered entirely from Unicode characters, with no image file involved. Every message also includes randomized HTML elements so that no two emails produce the same hash or exact string match, which defeats signature-based detection.
What should an organization do if it suspects it was targeted?
The first priority is not a password reset. VENOM can capture OAuth refresh tokens that remain valid even after credentials are changed. Affected organizations need to explicitly revoke all active sessions, token grants, and MFA device registrations in Entra ID. Audit logs should be checked for SoftwareTokenActivated events with the display name NO_DEVICE. Standard incident response runbooks may not currently include these steps, so they should be added in advance.
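As an added example that is not part of the original article or of Arsen's platform, this Python snippet correlates the forensic marker named in the hardening section and in this answer (a SoftwareTokenActivated event with display name NO_DEVICE) with the successful sign-in that immediately precedes it, since VENOM enrolls its authenticator before the login redirect completes. The record field names and the sample events are constructed assumptions; map them to the fields of your own Entra ID export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events. Field names are an assumption for this example,
# not the Entra ID / Microsoft Graph schema; adapt them to your own export.
SIGNINS = [
    {"time": "2024-01-10T09:00:05Z", "user": "cfo@example.com", "ip": "203.0.113.7", "status": "success"},
    {"time": "2024-01-10T09:02:40Z", "user": "ceo@example.com", "ip": "198.51.100.23", "status": "success"},
    {"time": "2024-01-10T09:02:55Z", "user": "ceo@example.com", "ip": "198.51.100.23", "status": "failure"},
    {"time": "2024-01-10T13:15:00Z", "user": "cfo@example.com", "ip": "203.0.113.7", "status": "success"},
]
AUDITS = [
    # The marker the article describes: SoftwareTokenActivated, display name NO_DEVICE
    {"time": "2024-01-10T09:03:12Z", "user": "ceo@example.com",
     "activity": "SoftwareTokenActivated", "displayName": "NO_DEVICE"},
    # A legitimate enrollment: named device, hours after the last sign-in
    {"time": "2024-01-10T16:40:00Z", "user": "cfo@example.com",
     "activity": "SoftwareTokenActivated", "displayName": "Authenticator on iPhone"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_venom_enrollments(signins, audits, window_minutes=10):
    """Return one finding per NO_DEVICE SoftwareTokenActivated event.

    A finding is rated high when a successful sign-in by the same user lands
    within window_minutes before the enrollment (the relayed login registers
    the authenticator straight after authentication), otherwise medium.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    for ev in audits:
        if ev["activity"] != "SoftwareTokenActivated" or ev["displayName"] != "NO_DEVICE":
            continue
        enrolled = _ts(ev["time"])
        prior = sorted(
            (s for s in signins
             if s["user"] == ev["user"] and s["status"] == "success"
             and timedelta(0) <= enrolled - _ts(s["time"]) <= window),
            key=lambda s: s["time"],
        )
        findings.append({
            "user": ev["user"],
            "enrolled_at": ev["time"],
            "signin_ip": prior[-1]["ip"] if prior else None,
            "severity": "high" if prior else "medium",
        })
    return findings
```

Each finding names the account whose sessions, token grants, and MFA registrations need explicit revocation, and the sign-in IP gives the pivot for checking the rest of the session history.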
How can organizations prepare before an attack occurs?
The most effective preparation combines targeted simulations with deliberate training. Executives in particular need exposure to the attack patterns most likely to be used against them: spear-phishing with internal branding, QR code lures, and credential harvesting flows that are indistinguishable from legitimate sign-ins. Arsen’s Executive Protection program is designed for exactly that purpose, alongside OSINT-based exposure monitoring that helps detect threats before they escalate.