
Hidden in Plain Sight, VENOM Phishing Attacks Are Breaching Multiple Executives

Featured image: Impreza's character, Jake, on a fishhook (phishing), made by the Impreza Team for Impreza News, 2026

Threat actors actively use a previously undocumented phishing-as-a-service (PhaaS) platform called “VENOM” to target credentials of C-suite executives across multiple industries.

Moreover, the operation has remained active since at least last November and specifically targets individuals who serve as CEOs, CFOs, or VPs at their companies.

In addition, VENOM operates as a closed-access platform, as its operators have not promoted it on public channels or underground forums, thereby reducing its exposure to researchers.

Meanwhile, researchers at cybersecurity company Abnormal Security observed phishing emails that impersonate Microsoft SharePoint document-sharing notifications as part of internal communication.

Furthermore, these messages remain highly personalized and include random HTML noise, such as fake CSS classes and comments. At the same time, the attacker injects fake email threads tailored to the target, which increases overall credibility.

QR Code Evasion and Encoding Tactics

Next, the attacker provides a QR code rendered in Unicode for the victim to scan and gain access. Consequently, this technique bypasses traditional scanning tools and shifts the attack vector to mobile devices.

Sample of a phishing email sent from VENOM. Source: Abnormal

“The target’s email address is double Base64-encoded in the URL fragment—the portion after the # character,” Abnormal Security researchers explain.

“Fragments are never transmitted in HTTP requests, making the target’s email invisible to server-side logs and URL reputation feeds.”

Then, when the victim scans the QR code, the attacker directs them to a landing page that acts as a filter for security researchers and sandboxed environments. As a result, only real targets proceed to the phishing platform.

Conversely, the system redirects users outside the threat actor’s interest to legitimate websites, which helps reduce suspicion.
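As an added illustration, not code from the original article or from Abnormal Security: a Python triage helper that recovers the targeted address from a double-Base64-encoded URL fragment of the kind quoted above, and a heuristic that flags a QR code rendered as Unicode block characters in an email body. The domain, URL and address are constructed samples, not indicators from the report.

```python
import base64, binascii, re
from typing import Optional
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
BLOCK_CHARS = set("\u2580\u2584\u2588\u258c\u2590\u2591\u2592\u2593 ")  # text-drawn QR cells


def _b64(data: bytes) -> Optional[bytes]:
    """Strict Base64 decode; None if the input is not valid Base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_target_email(url: str) -> Optional[str]:
    """Recover the targeted address from a double-Base64-encoded URL fragment.
    The fragment (after '#') never leaves the client, so this works only on the
    URL captured from the email body or QR code, never on web-server logs."""
    fragment = unquote(urlsplit(url).fragment)
    inner = _b64(fragment.encode("ascii", "ignore")) if fragment else None
    plain = _b64(inner) if inner else None
    try:
        candidate = plain.decode("utf-8") if plain else ""
    except UnicodeDecodeError:
        return None
    return candidate if EMAIL_RE.match(candidate) else None


def looks_like_unicode_qr(text: str, min_rows: int = 10, min_width: int = 21) -> bool:
    """Heuristic: a run of similar-width lines made only of block characters,
    the shape a Unicode-rendered QR code has once the HTML noise is stripped."""
    run, widths = 0, []
    for line in text.splitlines():
        row = line.strip()
        if row and len(row) >= min_width and all(c in BLOCK_CHARS for c in row):
            run, widths = run + 1, widths + [len(row)]
            if run >= min_rows and max(widths) - min(widths) <= 2:
                return True
        else:
            run, widths = 0, []
    return False


# Constructed sample data for the demo (not indicators from the report).
SAMPLE_URL = ("https://sharepoint-notice.invalid/view?doc=42#"
              + base64.b64encode(base64.b64encode(b"cfo@example.com")).decode())
SAMPLE_QR_TEXT = "\n".join(("\u2588\u2580\u2584" * 9)[:25] for _ in range(12))
```

Running both helpers over a mail body at ingest time gives a detection signal that does not depend on the phishing server ever seeing the fragment.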

Credential Harvesting and Session Hijacking

After that, targets who pass the filtering stage reach a credential-harvesting page that proxies a Microsoft login flow in real time. During this process, the attacker relays credentials and multi-factor authentication (MFA) codes to Microsoft APIs and captures the session token.

VENOM's AiTM attack chain. Source: Abnormal

Additionally, apart from the adversary-in-the-middle (AiTM) method, Abnormal Security researchers have also observed a device-code phishing tactic, where the attacker tricks the victim into approving access to their Microsoft account for a rogue device.

The device code attack method. Source: Abnormal

Notably, this method has gained significant popularity over the past year due to its effectiveness and its resistance to password resets, with at least 11 phishing kits currently offering it as an option.

Persistent Access and Security Implications

Finally, in both methods, VENOM quickly establishes persistent access during the authentication process. Specifically, in the AiTM flow, the attacker registers a new device on the victim's account. Similarly, in the device code flow, the attacker obtains a token that also grants account access.

Therefore, researchers emphasize that MFA alone no longer provides sufficient defense. Instead, C-suite executives should adopt FIDO2 authentication, disable the device code flow when it is unnecessary, and block token abuse by implementing stricter Conditional Access policies.

Source: BleepingComputer
