
Senior Executives Targeted by VENOM Phishing for Microsoft Logins

Summary

– A previously undocumented phishing-as-a-service platform called VENOM is targeting the Microsoft login credentials of high-level executives such as CEOs and CFOs.
– The attacks use highly personalized emails that impersonate SharePoint notifications and deliver the link as a QR code so that email scanners see no clickable URL.
– The phishing links carry the target’s email address in the URL fragment, which the browser never sends to the server, so it does not appear in server logs or URL feeds.
– The platform runs real-time adversary-in-the-middle proxying and device-code phishing to steal credentials and session tokens, bypassing multi-factor authentication based on codes or push prompts.
– Researchers recommend moving executives from phishable MFA to FIDO2 security keys and disabling authentication methods and flows that are not needed.

A sophisticated and previously unseen phishing-as-a-service platform, dubbed VENOM, is actively targeting the login credentials of high-level corporate leaders. Since at least November of last year, this operation has focused on executives holding titles like CEO, CFO, and Vice President across various sectors. The platform’s closed-access nature, avoiding promotion on public forums, has helped it fly under the radar of security researchers until now.

Cybersecurity analysts at Abnormal Security have detailed the attack chain. The campaign begins with highly convincing emails that mimic internal Microsoft SharePoint notifications. These messages are not generic blasts: each is personalized with a tailored fake email thread and padded with randomized HTML to defeat signature matching. A key component is a QR code rendered in Unicode block characters rather than as an image, a tactic designed to evade email security scanners and to shift the interaction to a personal mobile device that sits outside corporate email and web controls.

When scanned, the QR code leads to a filtering page. This page checks for signs of automated analysis, such as sandboxed environments, so that only genuine human targets proceed; anything that fails the check is redirected to a legitimate website to avoid raising alarms. For those who pass, the next step is a credential-harvesting page that acts as a real-time proxy for the Microsoft login process.
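The summary notes that VENOM's links put the target's email address in the URL fragment. The following added example (written for this page, not code from Abnormal or from the kit) shows why that hides the personalization from server-side logging: a browser sends only the path and query in the request line, and a script on the landing page reads the identity back from the fragment. The phishing URL, the hostname and the base64 encoding of the fragment are assumptions for illustration; the page does not say which encoding VENOM uses, so the recovery helper tries a plain address first and base64 second.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed phishing-style URL (hostname and path are made up); the
# target's address rides in the fragment, here URL-safe base64 encoded.
PHISH_URL = (
    "https://sharepoint-notice.example.invalid/login?ref=doc#"
    + base64.urlsafe_b64encode(b"cfo@corp.example").decode().rstrip("=")
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def server_log_line(url, method="GET"):
    """Reconstruct the HTTP request line the phishing server (or a proxy in
    front of it) records: path plus query, never the fragment."""
    p = urlsplit(url)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return f"{method} {target} HTTP/1.1"


def fragment_identity(url):
    """What a page-side script reading location.hash can recover.
    Tries the raw fragment, then base64 (assumption: encoding not given on
    the page). Returns the email address or None."""
    frag = urlsplit(url).fragment
    if not frag:
        return None
    candidates = [frag]
    try:
        padded = frag + "=" * (-len(frag) % 4)
        candidates.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except Exception:  # not base64, or not text: fall through to raw check
        pass
    for candidate in candidates:
        if EMAIL_RE.match(candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("server sees :", server_log_line(PHISH_URL))
    print("page sees   :", fragment_identity(PHISH_URL))
```

The practical consequence for defenders: URL feeds, proxy logs and the phishing host's own access logs all show a single generic path for every victim, so the full link has to be taken from the email body or QR payload itself to see who was targeted.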

This adversary-in-the-middle (AiTM) attack captures the username, the password and, crucially, any multi-factor authentication code the victim enters. The platform relays each of these to Microsoft’s own login servers in real time and captures the resulting session token, which gives the attacker an authenticated session without ever needing to repeat MFA. Abnormal also observed VENOM employing device-code phishing. Here, the victim is tricked into approving a device-code sign-in that the attacker initiated, which issues the attacker a token that remains valid even after the victim’s password is changed. This method has surged in popularity over the last year because of its effectiveness, and numerous phishing kits now offer it.

In both scenarios, VENOM establishes persistent access almost instantly. The AiTM path registers a new device on the compromised account, while the device-code path secures a durable access token. Either technique defeats MFA that relies on codes or push approvals, so MFA of that kind is no longer sufficient as a standalone defense. Security experts now urge organizations to adopt stronger measures for executive accounts: phishing-resistant FIDO2 authentication, disabling the device code flow where it is not needed, and stricter conditional access policies that block token abuse.
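Both persistence paths leave traces in sign-in telemetry that a detection team can hunt for. The block below is an added example written for this page, not tooling from Abnormal or from the report; it runs two simple rules over constructed sign-in records whose field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `authenticationDetails`, and so on) but whose values, users and addresses are made up. Rule one flags any sign-in completed through the device code flow. Rule two flags a sign-in where the MFA requirement was satisfied by a claim already present in the token, coming from an IP address at which that user has never actually completed MFA, which is the shape a replayed AiTM session token takes. The exact result-detail strings are assumptions modelled on what the logs show and should be checked against a tenant's own data.

```python
import json
from collections import defaultdict

# Constructed sign-in records in JSON-lines form. Field names follow the
# Graph signIn schema; the users, addresses, timestamps and detail strings
# are invented for this example.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-01-10T08:01:00Z","userPrincipalName":"ceo@corp.example","ipAddress":"203.0.113.10","appDisplayName":"Office 365 SharePoint Online","authenticationProtocol":"oAuth2","authenticationDetails":[{"authenticationStepResultDetail":"MFA completed in Azure AD"}]}
{"createdDateTime":"2025-01-10T08:04:30Z","userPrincipalName":"ceo@corp.example","ipAddress":"198.51.100.77","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","authenticationDetails":[{"authenticationStepResultDetail":"MFA requirement satisfied by claim in the token"}]}
{"createdDateTime":"2025-01-10T09:15:00Z","userPrincipalName":"cfo@corp.example","ipAddress":"198.51.100.78","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","authenticationDetails":[{"authenticationStepResultDetail":"MFA completed in Azure AD"}]}
{"createdDateTime":"2025-01-10T10:00:00Z","userPrincipalName":"vp@corp.example","ipAddress":"203.0.113.20","appDisplayName":"Office 365 SharePoint Online","authenticationProtocol":"oAuth2","authenticationDetails":[{"authenticationStepResultDetail":"MFA completed in Azure AD"}]}
{"createdDateTime":"2025-01-10T11:30:00Z","userPrincipalName":"ceo@corp.example","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","authenticationDetails":[{"authenticationStepResultDetail":"MFA requirement satisfied by claim in the token"}]}
"""

DEVICE_CODE = "device code flow sign-in"
TOKEN_REPLAY = "MFA satisfied by token claim from an IP that never completed MFA"


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mfa_detail(record):
    """Join the step result details into one string for matching."""
    steps = record.get("authenticationDetails", [])
    return " ".join(s.get("authenticationStepResultDetail", "") for s in steps)


def hunt(records):
    """Return (user, ip, reason) findings, processing records in time order
    so the per-user baseline of 'completed MFA here' IPs is built as we go."""
    ordered = sorted(records, key=lambda r: r["createdDateTime"])
    mfa_ips = defaultdict(set)  # user -> IPs where MFA was genuinely completed
    findings = []
    for r in ordered:
        user, ip = r["userPrincipalName"], r["ipAddress"]
        detail = mfa_detail(r)
        # Rule 1: any device code flow sign-in is worth a look for executives.
        if r.get("authenticationProtocol") == "deviceCode":
            findings.append((user, ip, DEVICE_CODE))
            continue
        # Rule 2: MFA carried by the token, from an address with no MFA history.
        if "claim in the token" in detail:
            if ip not in mfa_ips[user]:
                findings.append((user, ip, TOKEN_REPLAY))
        elif "MFA completed" in detail:
            mfa_ips[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_signins(SAMPLE_SIGNINS)):
        print(*finding)
```

Against the sample data the CEO's second sign-in is flagged (token-carried MFA from 198.51.100.77, where MFA was never performed) and the CFO's device code sign-in is flagged, while the CEO's later token-carried sign-in from the office address passes because MFA was completed there earlier. In production the baseline should come from a longer history than the window being hunted, and the device code rule is best paired with the conditional access control the article recommends, so that the flow is blocked rather than merely detected for accounts that never need it.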

(Source: BleepingComputer)
