VENOM Phishing Platform Targets C-Suite Microsoft Logins
Threat intelligence reporting describes a new, previously undocumented phishing-as-a-service (PhaaS) platform dubbed “VENOM” that is actively targeting the Microsoft credentials of senior executives. The operation, ongoing since at least November, is highly selective, focusing on C-suite roles such as CEOs, CFOs, and VPs. VENOM is closed-access and is not promoted on public forums, which suggests a deliberate effort to stay out of researchers' view.
The attack chain, as detailed by researchers at Abnormal Security, begins with highly personalized phishing emails impersonating Microsoft SharePoint document-sharing notifications. The messages are padded with obfuscation intended to defeat content filters (random HTML noise, fake CSS classes) and carry fabricated email threads tailored to the recipient to enhance believability. The key element is a QR code rendered as Unicode text characters rather than an image, designed to slip past image-based QR scanners and send the victim to a mobile phishing landing page. Abnormal notes that the target's email address is double Base64-encoded in the URL fragment (the part after “#”). Browsers never send the fragment to the server, so the address does not appear in the phishing host's logs or in reputation feeds built from fetched URLs; it is visible only in the message body, which is where a mail gateway has to look for it.
Scanning the QR code leads to a landing page that acts as a gatekeeper: it fingerprints the visitor to identify security researchers and sandboxed environments, and serves the credential-phishing page only to genuine targets. Visitors outside the threat actor's interest are redirected to legitimate websites, further masking the malicious activity. This multi-layered approach underscores the sophistication and targeted nature of VENOM's operations.
What This Means For You
- Security teams should review their email filtering rules to detect and block the obfuscation techniques described above: QR codes rendered as Unicode text, links whose fragment carries a double Base64-encoded recipient address, and SharePoint-style sharing notifications that do not originate from Microsoft. Because the fragment never reaches the phishing server or a URL reputation crawler, the mail gateway is the only place it can be inspected.
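Detection logic for the two indicators discussed above (the Unicode-rendered QR code and the double Base64-encoded address in the URL fragment), as an added example that is not code from the report or from Abnormal Security. It scans a message body the way a mail gateway would: it looks for a run of lines drawn from Unicode block characters, and it peels Base64 layers off every link fragment to see whether an email address falls out. The sample lure, hostnames and CSS class names are constructed, and the grid-size thresholds are assumptions to tune against real traffic.

```python
import base64
import re
from urllib.parse import urlsplit

# Unicode "Block Elements" (U+2580..U+259F): what a text-rendered QR code is drawn with.
BLOCK_CHARS = frozenset(chr(cp) for cp in range(0x2580, 0x25A0))
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def _is_grid_line(line, min_cols):
    """True if the line is only block characters and spaces, and wide enough to be a QR row."""
    body = line.rstrip()
    return (len(body) >= min_cols
            and any(ch in BLOCK_CHARS for ch in body)
            and all(ch in BLOCK_CHARS or ch == " " for ch in body))


def find_unicode_qr_grids(text, min_rows=7, min_cols=7):
    """Return [{'line', 'rows', 'cols'}] (1-based line) for each run of grid-like lines.

    An image-based QR scanner never sees these, so we match the text shape itself.
    Thresholds are assumed values: a real QR is at least 21 modules on a side.
    """
    lines = text.splitlines()
    grids, start = [], None
    for i, line in enumerate(lines + [""]):          # sentinel flushes a trailing run
        if _is_grid_line(line, min_cols):
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_rows:
            rows = lines[start:i]
            grids.append({"line": start + 1, "rows": len(rows),
                          "cols": max(len(r.rstrip()) for r in rows)})
        start = None
    return grids


def decode_nested_base64(blob, max_depth=4):
    """Peel Base64 layers while the payload keeps decoding to printable ASCII.

    Returns (depth, innermost_text), or None if the first layer is not Base64.
    Accepts standard and URL-safe alphabets and tolerates stripped '=' padding.
    """
    current, depth = blob, 0
    while depth < max_depth:
        candidate = current.replace("-", "+").replace("_", "/")
        candidate += "=" * (-len(candidate) % 4)
        try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
            inner = base64.b64decode(candidate, validate=True).decode("ascii")
        except ValueError:
            break
        if not inner or not inner.isprintable():
            break
        current, depth = inner, depth + 1
    return (depth, current) if depth else None


def find_encoded_emails_in_fragments(text):
    """Find links whose '#fragment' hides a (possibly multi-layer) Base64-encoded address.

    The browser never sends the fragment to the server, so this has to run where the
    message body is visible: at the gateway, before delivery.
    """
    hits = []
    for url in URL_RE.findall(text):
        fragment = urlsplit(url).fragment
        decoded = decode_nested_base64(fragment) if fragment else None
        if decoded and EMAIL_RE.match(decoded[1]):
            hits.append({"url": url, "depth": decoded[0], "email": decoded[1]})
    return hits


def scan_email(text):
    """Combine both indicators into one verdict for the message."""
    grids = find_unicode_qr_grids(text)
    hits = find_encoded_emails_in_fragments(text)
    return {"unicode_qr_grids": grids, "encoded_recipients": hits,
            "suspicious": bool(grids or hits)}


# Constructed sample lure (not a real VENOM message): SharePoint-style wording, HTML
# noise with made-up class names, a QR drawn with U+2588 FULL BLOCK, and a link whose
# fragment is the recipient address Base64-encoded twice. Hostnames are placeholders.
TARGET = "cfo@example.com"
DOUBLE_B64 = base64.b64encode(base64.b64encode(TARGET.encode())).decode()
SAMPLE_EMAIL = (
    "Subject: Q3_Board_Deck.xlsx has been shared with you\n"
    "\n"
    '<div class="ms-SharePoint-banner">Scan to open on your phone:</div>\n'
    '<span class="xk9q2"></span><span class="a71bz"></span>\n'
    "█████████\n"
    "█       █\n"
    "█ ███ █ █\n"
    "█ █ █   █\n"
    "█ ███ ███\n"
    "█   █   █\n"
    "█ █ █ █ █\n"
    "█       █\n"
    "█████████\n"
    "Or open directly: https://docs.example.net/s/open#" + DOUBLE_B64 + "\n"
    "Questions? https://support.example.net/help#faq-section\n"
)

if __name__ == "__main__":
    print(scan_email(SAMPLE_EMAIL))
```

On the sample, `scan_email` reports one 9x9 block-character grid starting at line 5 and one link whose fragment decodes through two Base64 layers to `cfo@example.com`; the `#faq-section` fragment on the support link is left alone because it does not decode to printable ASCII. Two tuning notes for a real deployment: QR codes are often drawn with half-block characters (U+2580, U+2584) to halve the row count, which is why the detector accepts the whole Block Elements range rather than only U+2588, and the legitimate-address check should be tightened to "decodes to one of our own recipients" to avoid flagging unrelated Base64 in fragments.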