Threat actors are using a previously undocumented phishing-as-a-service platform called VENOM to harvest the credentials of C-suite executives across multiple industries by impersonating Microsoft SharePoint notifications. The operation employs personalized emails, Unicode-rendered QR codes, double Base64-encoded URL fragments, and AiTM/device-code phishing flows to proxy Microsoft logins and capture MFA codes and session tokens. #VENOM #Microsoft
Key points
- VENOM is a closed-access phishing-as-a-service platform targeting CEOs, CFOs, and VPs to harvest credentials.
- Phishing emails impersonate Microsoft SharePoint and use personalized fake HTML and injected threads to boost credibility.
- A Unicode-rendered QR code and double Base64-encoded URL fragments hide the target and shift attacks to mobile to evade scanners.
- Landing pages filter out researchers and proxy Microsoft login flows using AiTM and device-code methods to capture MFA codes and session tokens.
- Recommended defenses include adopting FIDO2, disabling device code flows when not needed, and enforcing stricter conditional access policies.
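The double Base64-encoded URL fragment mentioned in the key points above can be checked mechanically at a mail or proxy gateway. This is an added example, not code from the report or from the VENOM kit itself; it assumes the layout the summary describes (Base64 applied twice to the target URL, carried after the `#` in an otherwise benign-looking link), and every URL in it is constructed test data, not a real indicator. It also peels more than two layers, in case the encoding depth changes.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

# Constructed sample target and carrier; neither is a real indicator.
HIDDEN_TARGET = "https://phish.example.test/aitm/login"


def _b64_decode(data: str) -> Optional[bytes]:
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    data = data.strip()
    if not data or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", data):
        return None
    data = data.replace("-", "+").replace("_", "/")
    data += "=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_layered_fragment(url: str, max_layers: int = 3) -> Optional[str]:
    """Peel up to max_layers of Base64 off the URL fragment.

    Returns the hidden http(s) URL if one appears, otherwise None
    (a plain anchor such as '#section-2' is left alone)."""
    current = unquote(urlsplit(url).fragment)
    for _ in range(max_layers):
        raw = _b64_decode(current)
        if raw is None:
            return None
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
        if URL_RE.match(current):
            return current
    return None


def build_sample_url(hidden: str, layers: int = 2,
                     carrier: str = "https://notice.example.test/view") -> str:
    """Construct a carrier URL whose fragment hides `hidden` under
    `layers` rounds of Base64 (test data only)."""
    payload = hidden.encode()
    for _ in range(layers):
        payload = base64.b64encode(payload)
    return f"{carrier}#{payload.decode()}"


SAMPLE_URL = build_sample_url(HIDDEN_TARGET)
```

A gateway rule can flag any message link for which `decode_layered_fragment` returns a URL whose host differs from the visible carrier host.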