
VENOM Phishing Campaign Targets Executives, Bypasses MFA


A sophisticated new phishing operation is going after the people at the top. The VENOM phishing campaign, uncovered by researchers at Abnormal AI, has been quietly targeting CEOs, CFOs, and other senior executives since at least November 2025. It uses a purpose-built platform to steal Microsoft 365 credentials and maintain access to corporate accounts — even after victims change their passwords.

The campaign ran through at least March 2026 and hit targets across more than 20 industry sectors. No particular vertical was spared.

What Is the VENOM Phishing Campaign?

VENOM is a phishing-as-a-service (PhaaS) platform — essentially a ready-made toolkit that lets attackers run sophisticated credential theft operations without building the infrastructure themselves. What makes VENOM stand out is its closed-access, invitation-only model. It has never appeared on public forums or dark web marketplaces, so it stayed off researchers’ radar for months.

The platform comes fully loaded: campaign management tools, session token tracking, licensing controls, and storage for the raw responses returned by the authentication server. That last detail matters. A raw token response typically carries a refresh token alongside the short-lived access token, so an operator who keeps it can request fresh access tokens long after the first one has expired, without having to phish the victim a second time.

Sixty percent of the campaign’s targets hold C-level, president, or chairman titles. The attackers are deliberately going after decision-makers — people whose accounts, once compromised, open doors to sensitive communications, financial systems, and internal data.

How the Attack Unfolds

The VENOM phishing campaign begins with an email that looks entirely routine. The attacker spoofs the sender address to mimic an internal SharePoint notification, formatted as sharepointadmin@[target’s own domain]. So to the recipient, the message appears to come from inside their own organization.

Each email is also highly personalized and built to avoid detection. The attacker injects fake email threads to add context and credibility. The HTML is deliberately cluttered with random CSS classes and dummy comments, so no two emails look the same to automated scanning tools.

Embedded in the email body is a QR code, and the URL behind it is not a plain link. The victim's email address is Base64-encoded twice and placed in the URL fragment, the part after the # character. Browsers never send the fragment to the server; only script running in the landing page can read it. The encoded address therefore never appears in proxy or web-server logs or in URL reputation lookups, yet the page can still recover it and prefill the fake login form.

When the target scans the code, they first hit a filtering page. That page checks whether the visitor is a real target or a security researcher. Anyone who fails gets redirected to a harmless site like Google. Anyone who passes moves on to the attack itself.
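The fragment trick above is easy to confirm and to reverse during triage. The following Python is an added example, not code from the kit or from Abnormal AI's report: it builds a lure URL of the shape the text describes (host, path and address are made up), shows that the request line a browser would send carries no fragment, and recovers the double-Base64-encoded address the way the landing page's own script would with location.hash.

```python
import base64
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample: the victim's address Base64-encoded twice and placed
# after '#'. Host, path and address are invented for this illustration.
VICTIM = b"jane.doe@example.com"
SAMPLE_URL = "https://lure.example.invalid/view?doc=7#" + base64.b64encode(
    base64.b64encode(VICTIM)).decode()


def request_target(url: str) -> str:
    """The request line a browser sends for this URL: path and query only.
    The fragment is never transmitted, which is why the kit hides data there."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} HTTP/1.1"


def _b64decode_lenient(data: bytes) -> bytes:
    """Accept standard or URL-safe alphabets and restore stripped '=' padding."""
    data = data.strip()
    data += b"=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def decode_fragment_target(url: str, rounds: int = 2) -> Optional[str]:
    """Recover the double-Base64-encoded address from a lure URL's fragment.
    Returns None if there is no fragment or it does not decode to an address."""
    frag = unquote(urlsplit(url).fragment)
    if not frag:
        return None
    data = frag.encode()
    try:
        for _ in range(rounds):
            data = _b64decode_lenient(data)
        text = data.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if "@" in text and not text.isspace() else None


if __name__ == "__main__":
    print(request_target(SAMPLE_URL))          # no '#...' on the wire
    print(decode_fragment_target(SAMPLE_URL))  # the address the page prefills
```

Feed `decode_fragment_target` the URL extracted from a suspicious QR code to learn who was targeted; because the fragment is client-side only, this is information the web proxy logs cannot give you.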

Two Ways VENOM Steals Your Account

Verified targets then encounter one of two attack methods, both built to capture access and hold it.

Adversary-in-the-Middle (AiTM)

The first method presents a convincing Microsoft login page. It pulls in the target company's logo, prefills the victim's email address, and, for organizations using federated identity, shows the correct identity provider login screen. Whatever the victim enters, the password and the MFA approval alike, is relayed to Microsoft in real time, and the kit keeps the session token Microsoft hands back. The attacker therefore holds a fully authenticated session before the victim notices anything wrong.

To lock in access, VENOM then registers a new MFA device on the victim’s account alongside their existing authenticator. The victim sees no changes. The attacker, however, now has a persistent back door.

Device Code Phishing

The second method skips login forms entirely and abuses Microsoft's own device code authentication flow, the sign-in method intended for devices without a browser. The attacker starts a device code sign-in and passes the resulting short code to the victim, who is tricked into entering it on the genuine Microsoft device login page as if approving a legitimate device. No password is captured: the access token is issued straight to the attacker's client.

This approach is especially dangerous because the token stays valid even after a password reset. To cut off access, an administrator must explicitly revoke all active sessions in Entra ID, and even then an access token already issued remains usable until it expires. Most organizations do not take the revocation step as part of standard incident response. At least 11 separate phishing kits now offer this technique.
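To show why the device code path survives a password reset and why session revocation is the step that actually ends it, here is an added Python example: a toy in-memory authorization server implementing the OAuth 2.0 device authorization grant (RFC 8628). It is not Microsoft's code and not the kit's; the endpoint names in the comments mirror Entra ID's public ones only for readability, and the user, password, client id and scope are invented. The scenario function walks the grant end to end: the client asks for a code, the victim approves it on the real verification page with password and MFA, the client collects tokens, a password reset changes nothing, and revoking sign-in sessions finally kills the refresh token.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Toy authorization server for the OAuth 2.0 device authorization grant (RFC 8628).
# Added illustration only; all names and values below are made up.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
VERIFICATION_URI = "https://microsoft.com/devicelogin"


@dataclass
class DeviceRequest:
    device_code: str          # secret, known only to the client that asked for it
    user_code: str            # short code the user types at the verification page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None   # UPN of whoever entered the user code


@dataclass
class AuthServer:
    passwords: Dict[str, str]                                        # UPN -> password
    pending: Dict[str, DeviceRequest] = field(default_factory=dict)  # by device_code
    refresh_tokens: Dict[str, str] = field(default_factory=dict)     # refresh token -> UPN

    # POST /oauth2/v2.0/devicecode: the CLIENT (here, the phishing kit) starts a sign-in.
    def devicecode(self, client_id: str, scope: str) -> dict:
        req = DeviceRequest(secrets.token_urlsafe(32), f"{secrets.randbelow(10**9):09d}",
                            client_id, scope, time.time() + 900)
        self.pending[req.device_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5,
                "message": f"Open {VERIFICATION_URI} and enter the code {req.user_code}"}

    # The VICTIM at the genuine verification page. Password and MFA go to the real
    # server, so nothing looks wrong; only the user code came from the attacker.
    def devicelogin(self, user_code: str, upn: str, password: str, mfa_ok: bool) -> bool:
        req = next((r for r in self.pending.values() if r.user_code == user_code), None)
        if req is None or time.time() > req.expires_at:
            return False
        if self.passwords.get(upn) != password or not mfa_ok:
            return False
        req.approved_by = upn
        return True

    # POST /oauth2/v2.0/token: the CLIENT polls until approval and later refreshes.
    def token(self, grant_type: str, client_id: str, **p) -> dict:
        if grant_type == DEVICE_GRANT:
            req = self.pending.get(p.get("device_code", ""))
            if req is None or req.client_id != client_id or time.time() > req.expires_at:
                return {"error": "expired_token"}
            if req.approved_by is None:
                return {"error": "authorization_pending"}
            del self.pending[req.device_code]
            return self._issue(req.approved_by, req.scope)
        if grant_type == "refresh_token":
            upn = self.refresh_tokens.pop(p.get("refresh_token", ""), None)  # rotate on use
            return self._issue(upn, p.get("scope", "")) if upn else {"error": "invalid_grant"}
        return {"error": "unsupported_grant_type"}

    def _issue(self, upn: str, scope: str) -> dict:
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = upn
        return {"token_type": "Bearer", "scope": scope, "expires_in": 3600,
                "access_token": f"at.{secrets.token_hex(12)}", "refresh_token": rt}

    # Password reset alone: models the behaviour the text describes (tokens survive).
    def reset_password(self, upn: str, new_password: str) -> None:
        self.passwords[upn] = new_password

    # "Revoke all sign-in sessions": every refresh token held for the user is dropped.
    def revoke_sign_in_sessions(self, upn: str) -> int:
        dead = [rt for rt, owner in self.refresh_tokens.items() if owner == upn]
        for rt in dead:
            del self.refresh_tokens[rt]
        return len(dead)


def run_scenario() -> dict:
    """Walk the grant end to end and record what worked at each step."""
    srv = AuthServer(passwords={"cfo@example.com": "Winter2026!"})
    client = "00000000-0000-0000-0000-000000000000"   # placeholder client id
    start = srv.devicecode(client, "openid offline_access")
    pending = srv.token(DEVICE_GRANT, client, device_code=start["device_code"])
    approved = srv.devicelogin(start["user_code"], "cfo@example.com", "Winter2026!", True)
    tokens = srv.token(DEVICE_GRANT, client, device_code=start["device_code"])
    srv.reset_password("cfo@example.com", "Spring2026!")
    after_reset = srv.token("refresh_token", client, refresh_token=tokens["refresh_token"])
    revoked = srv.revoke_sign_in_sessions("cfo@example.com")
    after_revoke = srv.token("refresh_token", client, refresh_token=after_reset["refresh_token"])
    return {"before_approval": pending.get("error"), "approved": approved,
            "token_issued": "access_token" in tokens,
            "refresh_after_reset": "access_token" in after_reset,
            "sessions_revoked": revoked,
            "refresh_after_revoke": after_revoke.get("error")}


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:22} {result}")
```

Two things the walk-through makes visible: the password never passes through the attacker's hands, so there is nothing for a password-based detection to catch, and the refresh token is tied to the approval, not to the password, so only `revoke_sign_in_sessions` (the real-world equivalent is revoking the user's sign-in sessions in Entra ID) cuts the attacker off.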

Why MFA Is No Longer Enough

Both attack paths in the VENOM phishing campaign are built to defeat standard multi-factor authentication. The AiTM method captures the MFA approval as it happens and rides the session it produces. The device code method never has to intercept the MFA prompt at all: the victim completes it on Microsoft's genuine page, and the resulting token is issued to the attacker's client.

Because of this, researchers recommend that organizations move beyond traditional MFA and adopt FIDO2 authentication. A FIDO2 credential signs a challenge bound to the origin the browser is actually talking to, so an assertion made on an attacker's proxy page cannot be replayed against Microsoft, which defeats AiTM by design. It does not, on its own, stop device code phishing, where the victim authenticates on the genuine Microsoft page; for that, the researchers advise disabling the device code flow for users who do not need it (Entra ID Conditional Access can block it through its authentication flows condition) and tightening conditional access policies generally. After any suspected compromise, administrators should revoke all active sessions rather than relying on a password reset alone.
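Both persistence tricks described above leave traces in Entra ID logs: the device code path shows up as a sign-in whose authentication protocol is the device code, and the AiTM path's back door shows up as a new authentication method registered shortly after a sign-in from an address the account has never used. The following Python is an added example, not from the report or from Microsoft: the records are constructed, with field names following the Microsoft Graph signIn and directoryAudit resources, and the "known addresses" baseline is supplied by hand where a real deployment would derive it from history.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed records shaped like Entra ID sign-in and audit log entries.
# Every value below is made up for the illustration.
SIGN_INS = [
    {"createdDateTime": "2026-03-02T08:01:10Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T09:14:22Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.23", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T10:02:00Z", "userPrincipalName": "cio@example.com",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T11:30:05Z", "userPrincipalName": "ceo@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T11:31:40Z", "userPrincipalName": "ceo@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]
AUDITS = [
    {"activityDateTime": "2026-03-02T09:20:40Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com", "ipAddress": "198.51.100.23"}}},
    {"activityDateTime": "2026-03-02T10:05:12Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "cio@example.com", "ipAddress": "203.0.113.9"}}},
    {"activityDateTime": "2026-03-02T12:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.2"}}},
]
# Addresses each account has used before this day (hand-supplied here; normally from history).
KNOWN_IPS: Dict[str, Set[str]] = {"cfo@example.com": {"203.0.113.7"}, "cio@example.com": {"203.0.113.9"}}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_suspicious(sign_ins, audits, known_ips, window=timedelta(minutes=60)) -> List[dict]:
    """Two checks for the paths the text describes.
    1. Any successful device code sign-in (for executives who never need the flow).
    2. A new authentication method registered within `window` of a successful
       sign-in from an address the account has not used before (AiTM persistence)."""
    alerts = []
    ok = [s for s in sign_ins if s["status"]["errorCode"] == 0]
    for s in ok:
        if s["authenticationProtocol"] == "deviceCode":
            alerts.append({"user": s["userPrincipalName"], "time": s["createdDateTime"],
                           "reason": f"device code sign-in from {s['ipAddress']}"})
    for a in audits:
        if a["activityDisplayName"] != "User registered security info":
            continue
        user = a["initiatedBy"]["user"]["userPrincipalName"]
        when = ts(a["activityDateTime"])
        for s in ok:
            if s["userPrincipalName"] != user:
                continue
            gap = when - ts(s["createdDateTime"])
            if timedelta(0) <= gap <= window and s["ipAddress"] not in known_ips.get(user, set()):
                alerts.append({"user": user, "time": a["activityDateTime"],
                               "reason": f"MFA method registered {int(gap.total_seconds() // 60)} min "
                                         f"after sign-in from unfamiliar IP {s['ipAddress']}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SIGN_INS, AUDITS, KNOWN_IPS):
        print(alert["time"], alert["user"], alert["reason"])
```

The registration check deliberately ignores the CIO, who added a method from a known address: the signal is not "a method was registered" but "a method was registered right after a session began somewhere new", which is exactly the sequence an AiTM kit produces when it locks in its back door.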

Final Thoughts

The VENOM phishing campaign represents a serious escalation in how attackers approach executive targeting. The closed-access model, the layered evasion techniques, the dual attack paths — none of this looks like opportunistic cybercrime. It looks like a disciplined, professional operation built for longevity.

Researchers warn these techniques will not stay contained. As the platform spreads, more operators will gain access to the same capabilities. So organizations that still treat MFA as a final line of defense need to reassess that position now. Phishing has moved well beyond stolen passwords, and VENOM makes that impossible to ignore.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.