New VENOM phishing attacks steal senior executives' Microsoft logins

VENOM: Phishing Attacks Targeting Senior Executives’ Microsoft Logins

Introduction

• A newly documented phishing-as-a-service operation, named VENOM, is targeting credentials held by top executives across diverse industries.
• The campaign has been active since at least last November and appears to focus on individuals serving as CEOs, CFOs, or vice presidents.
• VENOM operates with restricted access, avoiding public channels and underground forums, which lowers its visibility to researchers.

1) The VENOM Attack Chain

• Initial lure: Phishing emails imitate Microsoft SharePoint document-sharing notifications as part of routine internal communication.
• Personalization: Messages are highly tailored and include random HTML noise (fake CSS classes, comments) to increase credibility.
• Contextual threading: Attackers inject plausible email threads to further convince the recipient.
• QR code step: A Unicode-rendered QR code is provided for quick access, designed to work around traditional scanning tools and push the user toward mobile devices.
• Target filtering: A landing page acts as a filter to separate real targets from researchers or sandboxes; non-targets are redirected to legitimate sites to avoid raising suspicion.
• Credential harvesting: Verified targets proceed to a page that proxies a Microsoft login flow in real time, transmitting credentials and MFA codes to Microsoft APIs and capturing the session token.

2) Technical Nuances of the AiTM and Device Code Methods

• Adversary-in-the-middle (AiTM) technique:
• The attacker registers a new device within the victim’s account during the authentication process.
• Real-time credential and MFA data are relayed to the attack infrastructure, enabling persistent access.
• Device code phishing tactic:
• Victims are duped into approving access for a rogue device via device code prompts.
• This method has surged in popularity over the past year and is offered by multiple phishing kits.
• Persistence mechanisms:
• In AiTM, persistence is established by documenting a new device on the victim’s account.
• In device-code scenarios, a token is obtained that also grants access to the account.
• Observed impact:
• The combination of these techniques allows attackers to maintain session access and bypass some normal user verifications.

3) Target Profile and Operational Context

• Target audience: Senior executives in various sectors, including CEOs, CFOs, and VPs, suggesting a strategic focus on high-value accounts.
• Access goals: Credential theft paired with MFA bypass aims to allow ongoing access to corporate environments and sensitive data.
• Platform characteristics:
• VENOM is described as a closed-access platform, implying limited distribution and a controlled user base.
• The operation emphasizes stealth through layered redirection and targeted testing to avoid broad exposure.

4) Defensive Observations and Trends

• MFA limitations:
• Researchers note that MFA alone may no longer be a reliable defense against these flows.
• The sophistication of the AiTM and device code techniques underscores the need for multi-layered controls beyond standard MFA.
• Additional observations:
• The phishing content emphasizes internal communications to improve credibility and likelihood of engagement.
• The use of non-HTTP fragments and encoded elements helps conceal the attack from server-side monitoring tools.
• Platform awareness:
• The VENOM campaign demonstrates how attackers segment and test targets to maximize success while minimizing detection risk.

5) Contextual Visual and Material Evidence

• Visual representations:
• Descriptions and sample images illustrate the malicious email style, the QR code integration, and the landing-to-credential flow.
• Documentation sources:
• Researchers from security firms have analyzed the payload chain, highlighting the real-time credential harvesting and token capture mechanisms.
• Related visual aids:
• Imagery shows the phishing email anatomy and the AiTM-proxy workflow, reinforcing how the attack unfolds in practice.

6) Whitepapers and Diagnostic Frameworks

• Six-surface validation model:
• A whitepaper discusses six validation surfaces for security testing, contrasting automated pentesting with defensive assessment (BAS) to determine where coverage ends.
• The document provides diagnostic questions intended for evaluating tools and controls in real-world scenarios.
• Practical takeaway:
• The framework helps practitioners understand gaps in testing and where to focus defensive investments, without prescribing specific mitigations.

7) Related Topics and Articles

• Device code phishing attacks surge, with new kits spreading online.
• EvilTokens service fuels Microsoft device code phishing attacks.
• Tycoon2FA phishing platform’s resurgence and subsequent disruption.
• Europol-coordinated actions impacting Tycoon2FA.
• Phishing campaigns targeting freight and logistics organizations in the US and Europe.

8) Visual and Platform References

• Platform identity:
• VENOM phishes via a specialized, somewhat opaque platform designed for targeted credential theft.
• Attack components:
• Phishing emails with embedded real-time login flow proxies.
• QR code deployment and Unicode rendering to improve mobile onboarding.
• Research voices:
• Observations and findings attributed to cybersecurity teams tracking spearphishing campaigns and credential theft ecosystems.

Conclusion: Implications for High-Value Accounts

• The VENOM operation demonstrates that credential theft for senior executives can leverage highly personalized social engineering, covert device authorization methods, and credential hijacking through real-time login proxies.
• The combination of AiTM and device code techniques highlights evolving attack surfaces and the diminishing standalone effectiveness of MFA in isolation.
• A nuanced understanding of target-specific phishing flows, stealth redirection, and encoded URL fragments is essential for recognizing and contextualizing these threats within enterprise security discussions.