VENOM PhaaS targets C-suite Microsoft accounts with QR-based AiTM phishing
Original source: New VENOM phishing attacks steal senior executives' Microsoft logins (BleepingComputer)

A previously undocumented phishing-as-a-service (PhaaS) operation dubbed VENOM has been running since November against CEOs, CFOs, and VPs across industries. Researchers at Abnormal describe the platform as closed-access: it is kept off public forums and criminal markets so that defenders see as few samples as possible. Lures impersonate Microsoft SharePoint sharing notifications and are heavily personalized, padded with junk HTML and forged email threads to defeat content filters and to look plausible to the recipient.
The technical chain is built around evasion. The target's email address is double Base64-encoded and carried in the URL fragment (the part after #), which browsers never send in HTTP requests, so it does not appear in web-server or proxy logs or in URL-reputation feeds. The QR code is rendered with Unicode block characters rather than embedded as an image, so image-based QR scanners miss it, and scanning it with a phone moves the victim onto a mobile device outside the reach of endpoint protection. Landing pages fingerprint visitors and redirect researchers and sandboxes to legitimate sites, while real targets are served a real-time Microsoft login proxy (adversary-in-the-middle, AiTM) that relays the password and MFA code to Microsoft and captures the resulting session tokens. VENOM also runs a parallel device-code flow that tricks users into approving a rogue device, a technique now offered by at least 11 phishing kits.
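The two client-side evasions above are easy to check for once you know where to look. The following is an added triage script, not code from the article or from Abnormal: it shows why a fragment-encoded identifier never reaches a server log, recovers the double-Base64 target from a lure URL, and applies a heuristic for a QR code drawn with Unicode block elements. The lure URL, the `.invalid` hostname, the target address, the message body and the block-character heuristic are all constructed assumptions for the example; VENOM's exact rendering is not described on this page.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed lure for illustration: a reserved .invalid hostname and a
# made-up target address, Base64-encoded twice and placed in the URL fragment.
TARGET = "cfo@example.com"
LURE_URL = "https://sharepoint-notice.invalid/open#" + base64.b64encode(
    base64.b64encode(TARGET.encode())
).decode()

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}  # Unicode block elements


def request_target(url: str) -> str:
    """The path and query a browser actually puts on the wire.

    Everything after '#' stays in the client, which is why a fragment-encoded
    identifier never reaches web-server logs, proxies or reputation feeds.
    """
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def decode_fragment_target(url: str, layers: int = 2):
    """Peel `layers` rounds of Base64 off the fragment; return the email or None."""
    data = urlsplit(url).fragment.encode()
    if not data:
        return None
    for _ in range(layers):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if EMAIL_RE.match(text) else None


def looks_like_text_qr(body: str, min_width: int = 21, min_rows: int = 10) -> bool:
    """Heuristic (an assumption, not VENOM's exact rendering): a run of at least
    `min_rows` consecutive lines, each `min_width`+ characters wide and made at
    least half of block elements, is a QR code drawn as text instead of an image.
    Spaces are kept because they are the white modules of the code."""
    run = 0
    for line in body.splitlines():
        blocks = sum(ch in BLOCK_CHARS for ch in line)
        if len(line) >= min_width and 2 * blocks >= len(line):
            run += 1
            if run >= min_rows:
                return True
        else:
            run = 0
    return False


def fake_qr_rows(rows: int = 11, width: int = 21) -> list:
    """Constructed stand-in for a text-rendered QR (a real one would encode LURE_URL)."""
    pattern = "█▀▄ " * 8
    return [pattern[i % 4:i % 4 + width] for i in range(rows)]


# Constructed message body: junk HTML padding, the text QR, and the lure text.
SAMPLE_BODY = "\n".join(
    ["<div style='display:none'>" + "lorem ipsum " * 5 + "</div>"]
    + fake_qr_rows()
    + ["Scan the code to open the shared document."]
)

if __name__ == "__main__":
    print("on the wire:", request_target(LURE_URL))
    print("encoded target:", decode_fragment_target(LURE_URL))
    print("text QR present:", looks_like_text_qr(SAMPLE_BODY))
```

The fragment decoder is deliberately strict (`validate=True`, then an email-shape check) so that an arbitrary fragment does not produce a false "target" in a report; the block-element heuristic is a first-pass filter and should be followed by rendering the text to an image and running a real QR decoder on it.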
The operational impact is persistence. In the AiTM path the stolen session is used to register a new device on the account; in the device-code path the attacker receives a token that survives password resets. Standard MFA (push, OTP, SMS) is bypassed in both paths, because the victim completes the challenge on the attacker's behalf. Hardening requires phishing-resistant authentication such as FIDO2, disabling device-code flow where it is not needed (in Microsoft Entra ID this is a Conditional Access authentication-flows condition), and Conditional Access policies that constrain token reuse. When a compromise is found, a password reset alone is not enough: revoke the account's sessions and remove any registered device the user does not recognize.
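Both persistence paths leave a footprint in sign-in telemetry: the device-code path shows up as a sign-in with the `deviceCode` authentication protocol, and a replayed AiTM session shows up as a successful sign-in from an address the executive does not normally use. The following is an added detection example, not code from the article or from Abnormal. It runs over constructed sign-in records whose field names follow the Microsoft Graph `signIn` resource; the office address range, the executive watchlist and the device-code allowlist are assumptions for the example tenant.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Constructed sign-in records. Field names follow the Microsoft Graph signIn
# resource (userPrincipalName, authenticationProtocol, appDisplayName,
# ipAddress, createdDateTime, status.errorCode); the values are made up.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-02-03T08:12:04Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    # device-code sign-in for a watch-listed executive from outside the office range
    {"createdDateTime": "2025-02-03T08:40:51Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    # legitimate headless use of device code by a developer
    {"createdDateTime": "2025-02-03T09:02:19Z", "userPrincipalName": "dev@example.com",
     "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "status": {"errorCode": 0}},
    # failed attempt: not a compromise yet, left out of findings
    {"createdDateTime": "2025-02-03T09:30:00Z", "userPrincipalName": "ceo@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.78", "status": {"errorCode": 50126}},
]

# Assumptions for the example tenant.
CORP_NETS = [ip_network("203.0.113.0/24")]          # known office egress
WATCHLIST = {"ceo@example.com", "cfo@example.com"}  # C-suite accounts
DEVICE_CODE_ALLOWED_APPS = {"Microsoft Azure CLI"}  # headless tooling that really needs it


@dataclass
class Finding:
    when: str
    upn: str
    rule: str
    detail: str


def in_corp(ip: str) -> bool:
    """True when the address falls inside a known office egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def triage(records: Iterable[dict]) -> List[Finding]:
    """Flag the two sign-in shapes that matter for VENOM-style persistence:
    device-code sign-ins outside an explicit allowlist (or by any watch-listed
    account), and any successful off-network sign-in by a watch-listed
    account, which is what an AiTM-replayed session looks like."""
    findings: List[Finding] = []
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue  # only successful sign-ins indicate an established session
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        app, proto = r["appDisplayName"], r["authenticationProtocol"]
        if proto == "deviceCode" and (upn in WATCHLIST or app not in DEVICE_CODE_ALLOWED_APPS):
            findings.append(Finding(r["createdDateTime"], upn, "device-code-signin",
                                    f"{app} via device code from {ip}"))
        if upn in WATCHLIST and not in_corp(ip):
            findings.append(Finding(r["createdDateTime"], upn, "watchlist-offnet-signin",
                                    f"{app} ({proto}) from {ip}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"{f.when} {f.upn} {f.rule}: {f.detail}")
```

A hit on either rule should trigger session revocation and a review of the account's registered devices, because the token obtained through device code outlives a password change. The allowlist is the important tuning knob: once device-code flow is blocked by Conditional Access for everyone who does not need it, any `deviceCode` sign-in outside that list is an anomaly rather than noise.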
This is an AI-generated summary; read the original BleepingComputer article for the full story.