New Phishing Platform - Credential Theft Targeting Executives

In short, a new phishing tool is tricking top executives into giving away their passwords.
A new phishing platform named Venom is targeting C-suite executives, leading to widespread credential theft. This sophisticated campaign uses advanced evasion tactics, raising serious security concerns. Organizations must reassess their defenses against such threats.
What Happened
A significant credential theft campaign has been uncovered, targeting C-suite executives and senior personnel at major organizations globally. Researchers at Abnormal identified this operation, which ran from November 2025 to March 2026, as being powered by a previously undocumented phishing-as-a-service (PhaaS) platform named Venom.
How It Works
The campaign utilized SharePoint document-sharing notifications as lures, enticing CEOs, CFOs, and other high-ranking officials from over 20 industries. These notifications were crafted around financial reports, encouraging targets to scan a QR code embedded in the email. To evade detection, the phishing emails employed multiple tactics, including randomized HTML elements and fabricated email threads that mimicked legitimate corporate communication. This personalization made it challenging for spam filters to catch the malicious emails.
Who's Being Targeted
The primary targets of this campaign are senior executives, specifically those in C-suite roles. This demographic is often seen as a lucrative target due to their access to sensitive company information and decision-making power. The attackers aimed to exploit their trust and familiarity with corporate communication, making them more susceptible to the phishing attempts.
Signs of Infection
Victims who scanned the QR code were directed to a fake verification page designed to filter out non-human traffic. If they passed the checks, they were routed to a credential harvester. The campaign utilized two main methods for credential theft: 1) an adversary-in-the-middle (AiTM) setup that mimicked the victim's real login portal, and 2) a method that tricked victims into approving a device sign-in through Microsoft’s legitimate device code flow.
How to Protect Yourself
Organizations should reassess their reliance on multi-factor authentication (MFA) as a final barrier against such sophisticated attacks. The Venom platform demonstrates that MFA can be rendered ineffective if attackers can silently register secondary devices or exploit valid tokens even after password changes. Companies are encouraged to implement stronger security measures, such as continuous monitoring of account activity and immediate revocation of all active sessions after a breach.
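The account-activity monitoring described above can be made concrete with a small triage routine. This is an added example, not code from Abnormal or from the Venom research. It flags device code flow sign-ins by watched executive accounts and escalates when a device registration follows shortly after. The records are constructed, and the field names, the "Register device" activity label, and the watch list are assumptions to map onto your own identity provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are assumptions;
# map them to your identity provider's sign-in and audit log exports.
SIGN_INS = [
    {"user": "cfo@example.com", "time": "2026-02-03T09:14:00", "protocol": "deviceCode", "ip": "203.0.113.7"},
    {"user": "cfo@example.com", "time": "2026-02-03T08:00:00", "protocol": "none", "ip": "198.51.100.4"},
    {"user": "dev@example.com", "time": "2026-02-03T10:00:00", "protocol": "deviceCode", "ip": "198.51.100.9"},
    {"user": "ceo@example.com", "time": "2026-02-04T11:30:00", "protocol": "deviceCode", "ip": "203.0.113.50"},
]
AUDIT = [
    {"user": "cfo@example.com", "time": "2026-02-03T09:20:00", "activity": "Register device"},
    {"user": "ceo@example.com", "time": "2026-02-06T11:30:00", "activity": "Register device"},
]
WATCHED = {"cfo@example.com", "ceo@example.com"}  # hypothetical executive watch list


def _ts(value):
    return datetime.fromisoformat(value)


def triage(sign_ins, audit, watched, window=timedelta(hours=1)):
    """Flag device code sign-ins by watched accounts; severity is 'high' when a
    device registration for the same user follows within `window`."""
    findings = []
    for s in sign_ins:
        user = s["user"].lower()
        if s["protocol"] != "deviceCode" or user not in watched:
            continue  # other protocols and unwatched accounts are out of scope here
        signed_in = _ts(s["time"])
        followed = any(
            a["user"].lower() == user
            and a["activity"] == "Register device"
            and timedelta(0) <= _ts(a["time"]) - signed_in <= window
            for a in audit
        )
        findings.append({
            "user": s["user"], "time": s["time"], "ip": s["ip"],
            "severity": "high" if followed else "medium",
            "action": ("revoke all sessions and review registered devices"
                       if followed else "confirm the sign-in with the user"),
        })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in triage(SIGN_INS, AUDIT, WATCHED):
        print(finding)
```

Scoping to a watch list keeps the alert volume low where device code flow has legitimate uses, such as the developer account in the sample data.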
What You Should Do
Given the advanced nature of the Venom PhaaS, organizations must be proactive in their cybersecurity strategies. This includes training employees to recognize phishing attempts, especially those that appear to come from trusted sources. Additionally, regular updates and patches to security systems can help defend against emerging threats like Venom. The discovery of this platform indicates that such capabilities may proliferate, making it crucial for companies to stay vigilant.