Spear-Phishing Campaign Neutralizes MFA for Executives
Basically, hackers are tricking executives into giving up their passwords and bypassing security measures.
A new spear-phishing campaign is targeting senior executives, neutralizing MFA protections. This poses serious risks to corporate security. Organizations must enhance their defenses against such sophisticated threats.
What Happened
A highly sophisticated spear-phishing campaign has emerged, specifically targeting senior executives across various industries. This campaign, identified by Abnormal AI, utilizes advanced evasion techniques and a new phishing kit named VENOM. Active from November 2025 to March 2026, it primarily aims at corporate Microsoft 365 logins, effectively neutralizing multi-factor authentication (MFA).
Who's Affected
The campaign focuses on high-ranking officials, with 60% of targets holding C-level, president, or chairman titles. Notably, it does not discriminate by industry, impacting organizations across more than 20 sectors. This broad targeting amplifies the potential risks to corporate security.
How It Works
The attack begins with an email that mimics a SharePoint document-sharing notification. The sender's address is cleverly spoofed to resemble an internal email, such as sharepointadmin@[target’s domain]. This email contains a QR code crafted in HTML, avoiding detection by email security systems that scan for malicious images.
Once the victim scans the QR code, they are redirected to a page that verifies their identity through various checks, including user-agent screening and IP reputation checks. If successful, they are led to a fake login page that appears legitimate, complete with the target's organization logo.
Bypassing MFA
The campaign employs two primary methods to circumvent MFA protections:
- Adversary-in-the-Middle (AiTM): This technique intercepts and relays credentials and MFA approvals in real-time. The phishing page presents a realistic Microsoft login interface, capturing sensitive information directly.
- Device Code Abuse: This method exploits Microsoft’s device code authentication flow, tricking victims into submitting a code that grants attackers access to their accounts.
What You Should Do
Organizations can defend against such attacks by:
- Restricting device code authentication flows unless necessary.
- Monitoring MFA device registrations closely.
- Implementing behavior-based email defenses that utilize AI to detect phishing attempts.
In case of an incident, it's crucial to revoke all active sessions and tokens to prevent unauthorized access, especially after password resets. The researchers emphasize the importance of vigilance in monitoring for suspicious activity related to MFA registrations, as these may appear in logs as "SoftwareTokenActivated" events.
Conclusion
As spear-phishing tactics evolve, organizations must enhance their defenses against these sophisticated threats. The emergence of the VENOM phishing kit highlights the need for continuous adaptation in security strategies to protect against high-stakes attacks targeting corporate leadership.