Phishing‑as‑a‑Service “VENOM” Harvests Microsoft Logins from C‑Suite Executives
What Happened — Threat actors operating the closed‑access “VENOM” phishing‑as‑a‑service platform have been sending highly personalized SharePoint‑style emails to CEOs, CFOs and VPs. The messages embed a Unicode QR code and a double‑Base64‑encoded target address; when the code is scanned, the victim is redirected to a credential‑harvesting page that proxies the Microsoft login flow and captures MFA tokens and session tokens.
Why It Matters for TPRM —
- Compromise of senior‑level accounts can grant attackers unrestricted access to corporate cloud resources and sensitive data.
- The device‑code and adversary‑in‑the‑middle (AiTM) flows bypass traditional password‑reset and MFA defenses, raising the risk to downstream vendors.
- VENOM’s closed‑access, underground nature makes detection and attribution difficult for third‑party risk teams.
Who Is Affected — Enterprises across finance, technology, healthcare, professional services, and other sectors that rely on Microsoft 365 for executive communications.
Recommended Actions — Review executive account protection, enforce FIDO2‑only MFA, disable the Microsoft device‑code flow where unnecessary, and implement stricter conditional‑access policies. Conduct a vendor‑risk assessment of any third‑party services with delegated access to Microsoft APIs.
Technical Notes — Attack vector: spear‑phishing with QR‑code and URL‑fragment obfuscation; no known CVE. Data exfiltrated: Microsoft credentials, MFA codes, session tokens. Source: BleepingComputer
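As an added illustration, not code from the BleepingComputer report or the VENOM platform, the Python helper below shows how a mail gateway or URL‑analysis pipeline can unwrap the double‑Base64‑encoded destination hidden in a URL fragment (the obfuscation described under What Happened and Technical Notes) and flag the link for review. All hostnames and the sample lure are constructed placeholders.

```python
from __future__ import annotations
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

def _b64decode_lenient(data: str) -> bytes | None:
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    data = data.strip().replace("-", "+").replace("_", "/")
    data += "=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def decode_layered_fragment(url: str, max_layers: int = 3) -> tuple[str | None, int]:
    """Peel Base64 layers off the URL fragment until an http(s) URL appears.
    Returns (decoded_url, layers_peeled) or (None, 0); the lure uses two layers."""
    current = unquote(urlsplit(url).fragment)
    if not current:
        return None, 0
    for layer in range(1, max_layers + 1):
        raw = _b64decode_lenient(current)
        if raw is None:
            return None, 0
        try:
            current = raw.decode("utf-8").strip()
        except UnicodeDecodeError:
            return None, 0
        if URL_RE.match(current):
            return current, layer
    return None, 0

def is_suspicious_redirect(url: str) -> bool:
    """True when the fragment hides a Base64-wrapped http(s) destination."""
    return decode_layered_fragment(url)[0] is not None

def encode_layers(url: str, layers: int = 2) -> str:
    """Wrap a URL in N Base64 layers (used only to build the sample below)."""
    data = url.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()

# Constructed sample data; the hostnames are placeholders, not real indicators.
SAMPLE_TARGET = "https://login.harvester-placeholder.invalid/common/oauth2"
SAMPLE_PHISH_URL = "https://sharepoint-lookalike.invalid/Doc.aspx#" + encode_layers(SAMPLE_TARGET, 2)
SAMPLE_BENIGN_URL = "https://docs.example.invalid/guide#section-2"
```

Running `decode_layered_fragment` over every link extracted from inbound mail or from QR codes decoded at the gateway gives both the hidden destination and the number of layers, which can be logged as a detection signal alongside the visible URL.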