New 'Venom' Phishing Platform Targets C-Suite Executives with Advanced MFA Bypass Techniques
Researchers at Abnormal Security have uncovered a credential theft campaign from November 2025 to March 2026 targeting C-suite executives via a previously undocumented phishing-as-a-service platform named Venom, which uses AiTM and device code flow to bypass MFA.

A sophisticated credential theft campaign targeting C-suite executives and senior personnel at major global organizations has been uncovered by researchers at Abnormal Security. The campaign, which ran from November 2025 to March 2026, leveraged a previously undocumented phishing-as-a-service (PhaaS) platform called Venom as its engine. The attackers targeted CEOs, CFOs, chairmen, and VP-level executives across over 20 industry verticals, using SharePoint-themed lures with QR codes to initiate the attack.
The lures were crafted as SharePoint document-sharing notifications, often themed around financial reports, and included a QR code embedded directly in the email body. To evade detection, each email featured randomized HTML elements that altered the structure with every send, making signature-based scanning ineffective. Additionally, a fabricated five-message email thread tailored to the target was automatically inserted, using the victim's email prefix as a display name and generating a fake signature with real details. A second, randomly generated persona acted as the correspondent, with message bodies pulling from fixed templates such as meeting requests or financial tables, often with multilingual text to mimic legitimate corporate communication.
Once the victim scanned the QR code, they were directed to a landing page that acted as a fake verification checkpoint. This page filtered out non-human traffic, such as security scanners or sandboxes, ensuring only real human targets proceeded to the credential harvester. Visitors who passed all checks were routed to the harvester, while others hit a dead end with no indication of suspicious activity.
Victims then faced one of two credential-harvesting methods. The first was an adversary-in-the-middle (AiTM) setup that perfectly mimicked the victim's real login portal, complete with company branding, pre-filled email, and the organization's actual identity provider. This setup silently relayed credentials and MFA codes to Microsoft's live systems. The second method avoided login forms entirely by tricking the victim into approving a device sign-in through Microsoft's legitimate device code flow, which handed over access tokens directly to the attacker.
To ensure persistence, the attack employed additional techniques. In AiTM mode, the attacker quietly registered a secondary MFA device on the victim's account, leaving the original authenticator intact and avoiding any visible changes. In device code mode, the stolen refresh token remained valid even after password resets, unless an administrator manually revoked all active sessions—a step most organizations do not take by default. This allowed the attackers to maintain access long after the initial compromise.
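The two persistence behaviours described above leave traces in identity logs: a device code flow sign-in, and a new authentication method registered shortly after a sign-in from a source address the user has never used. The following hunting routine is an added example, not code from Abnormal or the article; its records are constructed and shaped after Microsoft Graph's signIn and directoryAudit fields (`authenticationProtocol`, `activityDisplayName`), and the 30-minute correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), modelled on Entra ID
# sign-in and audit log fields.
SIGNINS = [
    {"user": "cfo@example.com", "time": "2026-01-10T08:00:00",
     "ip": "203.0.113.10", "authenticationProtocol": "none"},     # normal sign-in
    {"user": "cfo@example.com", "time": "2026-01-10T09:15:00",
     "ip": "198.51.100.7", "authenticationProtocol": "none"},     # relayed creds, new IP
    {"user": "ceo@example.com", "time": "2026-01-10T09:20:00",
     "ip": "198.51.100.8", "authenticationProtocol": "deviceCode"},  # device code approval
]
AUDITS = [
    {"user": "cfo@example.com", "time": "2026-01-10T09:18:00",
     "activityDisplayName": "User registered security info"},   # secondary MFA device
    {"user": "cfo@example.com", "time": "2026-01-05T12:00:00",
     "activityDisplayName": "User registered security info"},   # old, unrelated
]


def _ts(value):
    return datetime.fromisoformat(value)


def known_ips(signins, before):
    """Per-user set of source IPs seen in sign-ins strictly before `before`."""
    seen = {}
    for s in signins:
        if _ts(s["time"]) < before:
            seen.setdefault(s["user"], set()).add(s["ip"])
    return seen


def hunt(signins, audits, window_min=30):
    """Flag device code sign-ins and MFA registrations that follow a new-IP sign-in."""
    alerts = []
    for s in signins:
        t = _ts(s["time"])
        if s["authenticationProtocol"] == "deviceCode":
            # Device code flow yields a refresh token that survives password resets.
            alerts.append(("device_code_signin", s["user"], s["time"]))
        if s["ip"] not in known_ips(signins, t).get(s["user"], set()):
            # New source IP followed by a security-info registration within the
            # window matches the quiet secondary-authenticator enrolment.
            for a in audits:
                if (a["user"] == s["user"]
                        and a["activityDisplayName"] == "User registered security info"
                        and t <= _ts(a["time"]) <= t + timedelta(minutes=window_min)):
                    alerts.append(("mfa_registered_after_new_ip", s["user"], a["time"]))
    return alerts
```

Any hit should be followed by revoking the user's sessions, since a password reset alone leaves the stolen refresh token usable.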
The Venom PhaaS platform itself features a licensing and activation model, structured token storage, and a full campaign management interface. At the time of analysis, Venom had not appeared in any public threat intelligence database or been identified in open seller marketplaces or underground forums. According to Abnormal researchers, this campaign is "one of the more technically complete phishing operations we've documented," not for any single novel technique but for how deliberately each component has been engineered to work together.
The discovery of Venom adds a force-multiplier dimension to the threat landscape. As a closed-access PhaaS platform with licensing, campaign management, and structured token storage, it suggests that this capability is not limited to a single operator. Organizations should assume that the techniques documented here will proliferate and that defensive strategies relying on MFA as a final barrier require immediate reassessment.