
A new report from Abnormal AI uncovers a credential theft campaign that has been systematically targeting C-suite executives and senior officers at major global organizations over a five-month period from November 2025 through March 2026.
Dubbed VENOM, the campaign is engineered for invisibility across its delivery and filtering stages. The attackers use email construction techniques designed to defeat both signature-based detection and automated content analysis, together with a QR code delivery method that avoids embedding any image a scanner could extract and keeps the target's identity out of server logs entirely.
Underlying the attack is a two-mode credential harvesting infrastructure: one mode intercepts a live Microsoft authentication flow in real time, and the other abuses Microsoft's OAuth device code flow to obtain tokens without ever presenting a credential form. Both are designed to convert a single authentication event into persistent account access, though they use different mechanisms and differ in how well they survive remediation.
VENOM is a phishing-as-a-service (PhaaS) platform featuring a licensing and activation model, structured token storage, and a full campaign management interface. At the time of analysis, VENOM doesn't appear in any public threat intelligence database and hasn't been identified in open seller marketplaces or underground forums, suggesting a closed-access platform distributed through vetted channels.
What makes this campaign interesting is that it’s built on an end-to-end pipeline where every stage actively protects the next. The email evades scanners so the QR code reaches the target; the QR code moves the session off-network so the gate goes unmonitored; the gate filters out researchers so the harvester stays unexposed, and the harvester completes its work — including persistence — before the target’s browser has moved on.
The platform offers two modes: an adversary-in-the-middle (AiTM) relay that intercepts credentials and MFA responses in real time, and a Device Code flow in which the target authenticates directly at microsoft.com and Microsoft delivers the resulting tokens straight to the attacker's backend, with no credential form involved at any point.
In AiTM mode, an attacker-controlled authenticator is silently registered as an MFA method on the target's M365 account before the browser redirects, so the attacker can satisfy future MFA prompts without the victim. In Device Code mode, the captured OAuth refresh tokens provide ongoing access for as long as they remain valid. Either path gives the attacker long-term access to the account, which is why resetting the password alone is not sufficient remediation: registered MFA methods must be reviewed and refresh tokens revoked.
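The two persistence mechanisms described above leave different traces in Microsoft 365 telemetry, and a defender would want to hunt for both. The following is an added example written for this article, not code from Abnormal AI's report or from the VENOM platform. It runs simplified detection logic over a handful of constructed Entra ID sign-in and audit records: it flags sign-ins whose `authenticationProtocol` is `deviceCode` (the Device Code mode), and it flags a "User registered security info" audit event that follows a sign-in from an IP address outside the user's known baseline within a short window (the AiTM mode's authenticator registration). The record shapes are flattened and the baseline IP set is assumed for illustration; real Graph API records nest the user under `targetResources`.

```python
"""Hunt for the two VENOM persistence patterns in Entra ID logs.

Added example, not part of the original article. Field names follow the
Microsoft Graph signIn and directoryAudit resources but the records below
are constructed sample data with a simplified, flattened shape.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in records (assumed shape, not real log data).
SIGN_INS = [
    {"id": "s1", "userPrincipalName": "alice@corp.example", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-02-10T09:00:00Z"},
    {"id": "s2", "userPrincipalName": "bob@corp.example", "ipAddress": "198.51.100.77",
     "authenticationProtocol": "deviceCode", "createdDateTime": "2026-02-10T09:05:00Z"},
    {"id": "s3", "userPrincipalName": "carol@corp.example", "ipAddress": "198.51.100.23",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-02-10T09:10:00Z"},
    {"id": "s4", "userPrincipalName": "alice@corp.example", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "createdDateTime": "2026-02-10T13:58:00Z"},
]

# Constructed sample audit records (assumed shape).
AUDIT_EVENTS = [
    {"activityDisplayName": "User registered security info",
     "userPrincipalName": "carol@corp.example", "activityDateTime": "2026-02-10T09:12:30Z"},
    {"activityDisplayName": "User registered security info",
     "userPrincipalName": "alice@corp.example", "activityDateTime": "2026-02-10T14:00:00Z"},
]

# Assumed per-user baseline of IP addresses seen in the prior 30 days.
KNOWN_IPS = {
    "alice@corp.example": {"203.0.113.10"},
    "bob@corp.example": {"203.0.113.10"},
    "carol@corp.example": {"203.0.113.10"},
}

MFA_REGISTRATION_ACTIVITY = "User registered security info"


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins):
    """Device Code mode: every sign-in completed via the OAuth device code flow.

    Most users never use this flow, so each hit deserves a look at which
    client ID and IP obtained the tokens.
    """
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def mfa_registration_after_unfamiliar_signin(signins, audits, baseline,
                                             window=timedelta(minutes=30)):
    """AiTM mode: a new MFA method registered shortly after a sign-in from an
    IP the user has not used before. Returns one hit per matching pair."""
    registrations = [a for a in audits
                     if a.get("activityDisplayName") == MFA_REGISTRATION_ACTIVITY]
    hits = []
    for s in signins:
        user = s["userPrincipalName"]
        if s["ipAddress"] in baseline.get(user, set()):
            continue  # familiar source address; not the pattern we want
        signin_time = parse_ts(s["createdDateTime"])
        for reg in registrations:
            if reg["userPrincipalName"] != user:
                continue
            delta = parse_ts(reg["activityDateTime"]) - signin_time
            if timedelta(0) <= delta <= window:
                hits.append({
                    "user": user,
                    "signin_id": s["id"],
                    "signin_ip": s["ipAddress"],
                    "minutes_to_mfa_registration": delta.total_seconds() / 60,
                })
    return hits


def triage(signins=SIGN_INS, audits=AUDIT_EVENTS, baseline=KNOWN_IPS):
    """Run both hunts and return the accounts needing token revocation and
    an MFA-method review."""
    return {
        "device_code": device_code_signins(signins),
        "mfa_after_unfamiliar_signin":
            mfa_registration_after_unfamiliar_signin(signins, audits, baseline),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name)
        for h in hits:
            print("  ", h)
```

Remediation for a hit in either list is the same sequence the article implies: revoke the user's refresh tokens, remove any authenticator registered in the window, and only then reset the password, since a password reset by itself does not invalidate an attacker-registered MFA method.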
The report’s authors conclude, “The discovery of VENOM adds a force multiplier dimension. A closed-access PhaaS platform with licensing, campaign management, and structured token storage suggests this capability is not limited to a single operator. Organizations should assume that the techniques documented here will proliferate and that defensive strategies relying on MFA as a final barrier require immediate reassessment.”
You can read more on the Abnormal AI blog.
Image credit: Syda_Productions/depositphotos.com
