New Phishing Platform Used in Credential Theft Campaigns

By Team-CWD, April 3, 2026

A credential theft campaign that targeted C-suite executives and senior personnel at major global organizations from November 2025 to March 2026 has been uncovered by researchers at Abnormal.

They also detail a previously undocumented phishing-as-a-service (PhaaS) platform, called Venom, that served as the campaign's backend infrastructure.

Credential Harvesting Attack Explained

The Lures: SharePoint Notifications and QR Code

The campaign involved SharePoint document-sharing notifications sent as lures to a selected list of CEOs, CFOs, chairmen and VP-level executives across over 20 industry verticals.

The lures leveraged financial report themes to encourage targets to scan a QR code embedded directly in the email body.

Additionally, the phishing template employs multiple evasion tactics to bypass detection.

To avoid signature-based scans, each email includes randomized, throwaway HTML elements that alter the message structure with every send.

A fabricated five-message email thread tailored to the target is also automatically inserted into the phishing email. The victim's email prefix is converted into a display name used in the "From" fields, alongside a generated signature containing their real details (name, email, company website and a fake phone number).

A second, randomly generated persona acts as the correspondent, while message bodies pull from fixed templates (e.g. meeting requests, financial tables) with multilingual text to mimic legitimate corporate communication.

This combination of noise, personalization, and diversity helps evade spam classifiers.
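The traits just described (a display name built from the recipient's own mailbox prefix on an external sender, a QR image standing in for a link, throwaway or hidden HTML noise, and a padded quoted thread) are each individually checkable on the mail-gateway side. The following added example, which is not code from Abnormal or from this article, scores a message on those four heuristics. The two messages it parses are constructed samples, and the thresholds (two noise elements, four quoted messages) are assumptions to tune against your own mail corpus.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed sample (not from the report) showing the lure traits described
# above: SharePoint-style notice, inline QR image, From display name equal to
# the recipient's mailbox prefix, throwaway hidden/empty elements, and a
# fabricated five-message thread below the fold.
SAMPLE_EMAIL = """From: "jane.doe" <notify@sharepoint-docs.example>
To: jane.doe@victim-corp.example
Subject: FY25 Financial Report shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>A document has been shared with you. Scan the QR code to view it.</p>
<img src="cid:qr-code-image" alt="QR code" width="200" height="200">
<span id="x8f3a2"></span><div class="k91zz" style="display:none">4f1c</div>
<hr>
<div class="quote">From: "Tom Rivera" ... Subject: RE: Q3 figures</div>
<div class="quote">From: "jane.doe" ... Subject: RE: Q3 figures</div>
<div class="quote">From: "Tom Rivera" ... Subject: Q3 figures</div>
<div class="quote">From: "jane.doe" ... Subject: meeting request</div>
<div class="quote">From: "Tom Rivera" ... Subject: meeting request</div>
</body></html>
"""

# Constructed benign message from a colleague for comparison.
BENIGN_EMAIL = """From: "Tom Rivera" <tom.rivera@victim-corp.example>
To: jane.doe@victim-corp.example
Subject: Q3 figures
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Jane, the Q3 figures are attached.</p></body></html>
"""

NOISE_THRESHOLD = 2      # assumed: empty/hidden elements before we flag
THREAD_THRESHOLD = 4     # assumed: quoted messages before we flag


def _html_body(msg: Message) -> str:
    """Return the text/html body of a message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def _normalize(name: str) -> str:
    return re.sub(r"[^a-z0-9]", "", name.lower())


def analyze_email(raw: str) -> dict:
    """Score a raw RFC 822 message on the four lure heuristics."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    html = _html_body(msg)

    # 1. Display name reproduces the recipient's own mailbox prefix while the
    #    sending domain is not the recipient's domain.
    mirrors = False
    for addr in recipients:
        local, _, domain = addr.lower().rpartition("@")
        if _normalize(from_name) and _normalize(from_name) == _normalize(local) \
                and domain != from_domain:
            mirrors = True

    # 2. A QR image is embedded in the body (the lure asks the target to scan).
    qr_image = bool(re.search(r'<img[^>]+(?:alt|src)=["\'][^"\']*qr', html, re.I))

    # 3. Empty or hidden elements that carry no content (structure randomizers).
    empty = len(re.findall(r"<(?:span|div)[^>]*>\s*</(?:span|div)>", html, re.I))
    hidden = len(re.findall(r"<[^>]+display:\s*none[^>]*>", html, re.I))
    noise = empty + hidden

    # 4. Number of quoted earlier messages in the body.
    quoted = len(re.findall(r"(?:^|>)\s*From:", html, re.M))

    flags = [mirrors, qr_image, noise >= NOISE_THRESHOLD, quoted >= THREAD_THRESHOLD]
    return {
        "display_name_mirrors_recipient": mirrors,
        "qr_code_image": qr_image,
        "noise_elements": noise,
        "quoted_messages": quoted,
        "score": sum(flags),
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_email(raw))
```

None of the four signals is conclusive on its own (legitimate notifications embed images and long threads exist), which is why the function reports a count rather than a verdict; a score of three or four on an external sender addressed to an executive mailbox is the kind of combination worth routing to a reviewer.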

Filtering Out Non-Human Traffic to Isolate Targets

Once scanned, the QR code leads to a landing page that acts as a fake verification checkpoint, determining whether the visitor is a real human target or something else, such as a security scanner, a sandbox or an automated tool.

“Visitors who pass all checks are routed to the credential harvester. Everyone else hits a dead end, with no indication that anything suspicious was encountered,” the Abnormal researchers noted in an April 2 report.

Multifactor Authentication Rendered Ineffective

Victims are then faced with one of two credential-harvesting methods.

In the first, an adversary-in-the-middle (AiTM) setup perfectly mimics the victim’s real login portal, complete with their company branding, pre-filled email and even their organization’s actual identity provider, while silently relaying credentials and multifactor authentication (MFA) codes to Microsoft’s live systems.

The second method avoids login forms entirely, instead tricking the victim into approving a device sign-in through Microsoft’s legitimate device code flow, which then hands over access tokens directly to the attacker.

Once authenticated, the attack ensures persistence without raising suspicion.

In the AiTM mode, the attacker quietly registers a secondary MFA device on the victim’s account, leaving their original authenticator intact and avoiding any visible changes.

In the device code mode, the stolen refresh token remains valid even after password resets, unless an administrator manually revokes all active sessions. This is a step most organizations don’t take by default, the Abnormal researchers noted.

The result is an attack that blends into normal authentication flows, evades detection and maintains access long after the initial compromise.
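Both persistence modes leave traces in the identity provider's own telemetry: a device code sign-in arriving from an address the organization does not normally egress from, and, for the AiTM mode, a security-info registration shortly after a sign-in from such an address. The added example below, which is not code from Abnormal or from this article, correlates the two over constructed sample events. The field names follow the Microsoft Graph `signIn` and `directoryAudit` shapes (`authenticationProtocol`, `ipAddress`, `activityDisplayName`) as an assumption about the export format, the known egress range and the 24-hour window are assumptions, and the records themselves are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry). Field names mirror the
# Graph signIn resource as an assumption; adapt to your SIEM's schema.
SIGN_INS = [
    {"createdDateTime": "2026-03-02T08:12:00Z", "userPrincipalName": "cfo@corp.example",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-03-02T09:00:00Z", "userPrincipalName": "ceo@corp.example",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "oAuth2"},
    {"createdDateTime": "2026-03-02T09:30:00Z", "userPrincipalName": "cfo@corp.example",
     "ipAddress": "198.51.100.21", "authenticationProtocol": "deviceCode"},
    {"createdDateTime": "2026-03-02T11:00:00Z", "userPrincipalName": "vp@corp.example",
     "ipAddress": "198.51.100.30", "authenticationProtocol": "oAuth2"},
]

# Constructed audit events; "User registered security info" is the activity
# name assumed for a new MFA method being added to an account.
AUDITS = [
    {"activityDateTime": "2026-03-02T08:40:00Z", "targetUser": "cfo@corp.example",
     "activityDisplayName": "User registered security info"},
    {"activityDateTime": "2026-03-02T10:15:00Z", "targetUser": "ceo@corp.example",
     "activityDisplayName": "User registered security info"},
    {"activityDateTime": "2026-03-02T11:30:00Z", "targetUser": "vp@corp.example",
     "activityDisplayName": "User registered security info"},
]

# Assumed corporate egress range; anything outside it is "unknown".
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
REGISTRATION_WINDOW = timedelta(hours=24)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_known_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def mfa_registrations_after(sign_in: dict, audits: list, window: timedelta) -> list:
    """Security-info registrations for the same user within `window` of the sign-in."""
    start = _ts(sign_in["createdDateTime"])
    return [
        a for a in audits
        if a["activityDisplayName"] == "User registered security info"
        and a["targetUser"] == sign_in["userPrincipalName"]
        and start <= _ts(a["activityDateTime"]) <= start + window
    ]


def correlate(sign_ins: list, audits: list, window: timedelta = REGISTRATION_WINDOW) -> list:
    """Flag sign-ins from unknown addresses that use device code flow and/or are
    followed by a new MFA method registration (the two persistence patterns)."""
    alerts = []
    for s in sign_ins:
        if is_known_ip(s["ipAddress"]):
            continue  # routine office traffic is out of scope for this rule
        reasons = []
        if s["authenticationProtocol"] == "deviceCode":
            reasons.append("device_code_flow")
        if mfa_registrations_after(s, audits, window):
            reasons.append("mfa_method_registered_within_window")
        if reasons:
            alerts.append({
                "user": s["userPrincipalName"],
                "ip": s["ipAddress"],
                "sign_in_time": s["createdDateTime"],
                "reasons": reasons,
                # A new authenticator after an unknown-origin sign-in is the
                # stronger signal; device code alone is worth a look.
                "severity": "high" if "mfa_method_registered_within_window" in reasons else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGN_INS, AUDITS):
        print(alert)
```

When an alert fires, the article's own observation dictates the response: a password reset alone leaves the refresh token valid, so the account's sessions and refresh tokens have to be revoked explicitly, and the registered authentication methods reviewed for the secondary device the AiTM mode adds.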

Venom PhaaS: The Power Engine Behind the Campaign

The Venom PhaaS powering the campaign features a licensing and activation model, structured token storage and a full campaign management interface.

At the time of analysis, Venom had not appeared in any public threat intelligence database and had not been identified in open seller marketplaces or underground forums.

According to the researchers, this campaign is “one of the more technically complete phishing operations we’ve documented, [but] less for any single novel technique than for how deliberately each component has been engineered to work together.”

The operator has built an end-to-end pipeline in which every stage actively protects the next, producing a system that renders MFA ineffective.

“The discovery of Venom adds a force multiplier dimension. A closed-access PhaaS platform with licensing, campaign management and structured token storage suggests this capability is not limited to a single operator,” they warned.

“Organizations should assume that the techniques documented here will proliferate and that defensive strategies relying on MFA as a final barrier require immediate reassessment.”

Read now: Global Takedown Neutralizes Tycoon2FA Phishing Service