VENOM phishing campaign targets executives by name with QR codes

By Kavitha Nair, AI-powered tech writer covering the business and industry of technology.

[Illustration: AI-generated]

The VENOM phishing campaign is a credential- and token-theft operation aimed at C-suite executives and directors at major global organizations across more than 20 industry verticals. Documented by researchers at Abnormal Security, this previously unreported phishing-as-a-service (PhaaS) kit has been active since November 2025. It chains a targeted lure, bot filtering, real-time MFA relay and OAuth token theft into a single operation, which is why Abnormal describes it as one of the most technically complete phishing operations it has seen.

Key Takeaways

  • VENOM targets directors and C-suite executives at major global organizations with spear-phishing emails disguised as SharePoint notifications
  • The email carries a QR code instead of a link; the URL exists only as image pixels that URL-scanning filters do not read, and scanning it lands the victim on a fake verification checkpoint that filters out bots, sandboxes and researchers
  • Credentials and one-time MFA codes are captured and relayed in real time, or the victim is walked through Microsoft's device code flow so that the attacker receives access and refresh tokens which, according to Abnormal, keep working after a password change
  • VENOM operates as a closed-access phishing-as-a-service platform with licensing and activation models, not sold on public marketplaces
  • The campaign has been active from November 2025 through March 2026, targeting executives by name with tailored messages

How the VENOM phishing campaign works

The VENOM phishing campaign follows a deliberate, multi-stage flow designed to evade detection at each step. Operators first pick high-value targets, directors and C-suite executives at global organizations, and send them tailored spear-phishing emails that impersonate SharePoint document-sharing notifications, typically themed around financial reports. Instead of a link, the email carries a QR code. Scanning it, typically on a phone, opens a fake verification checkpoint: a CAPTCHA-style gate engineered to filter out bots, automated scanners, sandboxes and security researchers so that only a human on a real device reaches the phishing page.

Once a victim passes the checkpoint, the kit offers two authentication paths, both designed to harvest something reusable. The first is a conventional adversary-in-the-middle page: the victim enters a password and a one-time MFA code, and the kit relays both to the real login service in real time, so a time-based code is consumed before it expires. The second path abuses Microsoft's legitimate OAuth 2.0 device code flow, which exists so that input-constrained devices (printers, smart TVs, command-line tools) can sign a user in through a browser on another machine. Device code phishing works because the attacker, not the victim, starts the flow: the attacker requests a short user code, the victim is induced to enter that code at Microsoft's genuine device-login page and completes a real sign-in, MFA included, but the resulting access and refresh tokens are issued to the party that started the flow. Because refresh tokens are long-lived, Abnormal reports that the attacker keeps access even after the victim changes the password. The researchers note that each component of the VENOM kit has been engineered to work with the others.
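To see why the victim's MFA does not help on the device code path, here is an offline model of the OAuth 2.0 device authorization grant (RFC 8628) written for this article. It is not code from the VENOM kit or from Abnormal Security; the endpoint names, the toy user store and the password-reset behaviour (which follows what Abnormal reports rather than any particular identity provider's revocation policy) are assumptions made for illustration. The point it demonstrates is that the party that called the device authorization endpoint is the party that receives the tokens, and that only explicit session revocation, not a password change, evicts that party in this model.

```python
"""Offline model of the OAuth 2.0 device authorization grant (RFC 8628).

Added illustration, not code from the VENOM kit or from Abnormal Security.
A toy authorization server, a client that starts the flow (in the VENOM
scenario, the attacker) and a user who approves the flow from a separate
browser. Endpoint names mirror Microsoft's public /devicecode, /devicelogin
and /token, but nothing here contacts a real service.
"""
import secrets
import time


class AuthorizationServer:
    def __init__(self, user_passwords, clock=time.time):
        self.users = dict(user_passwords)   # username -> password (toy store)
        self.pending = {}                   # device_code -> grant awaiting approval
        self.refresh_tokens = {}            # refresh_token -> username
        self.clock = clock                  # injectable so expiry can be tested

    def device_authorization(self, client_id, scope, expires_in=900):
        """POST /devicecode: step 1, called by the CLIENT, never by the user."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + expires_in, "user": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin",
                "expires_in": expires_in, "interval": 5}

    def device_login(self, user_code, username, password, mfa_passed):
        """GET /devicelogin: step 2, the user signs in (MFA included) and types user_code."""
        if self.users.get(username) != password or not mfa_passed:
            return "sign-in failed"
        for grant in self.pending.values():
            if (grant["user_code"] == user_code and grant["user"] is None
                    and self.clock() < grant["expires_at"]):
                grant["user"] = username      # binds the grant to the user, not to her browser
                return "approved"
        return "unknown or expired code"

    def token(self, device_code):
        """POST /token grant_type=device_code: step 3, the CLIENT polls until approved."""
        grant = self.pending.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if self.clock() >= grant["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if grant["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return self._issue(grant["user"], grant["scope"])

    def refresh(self, refresh_token):
        """POST /token grant_type=refresh_token, with token rotation."""
        username = self.refresh_tokens.pop(refresh_token, None)
        if username is None:
            return {"error": "invalid_grant"}
        return self._issue(username, "same-as-before")

    def _issue(self, username, scope):
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = username
        return {"access_token": f"at.{username}.{secrets.token_hex(4)}",
                "refresh_token": rt, "scope": scope, "expires_in": 3600}

    def change_password(self, username, new_password):
        """Models the behaviour the article reports: a reset leaves issued refresh tokens alone."""
        self.users[username] = new_password

    def revoke_sign_in_sessions(self, username):
        """Models an explicit revoke-sessions action: every refresh token of the user dies."""
        doomed = [rt for rt, u in self.refresh_tokens.items() if u == username]
        for rt in doomed:
            del self.refresh_tokens[rt]
        return len(doomed)


def run_scenario(server=None):
    """Attacker starts the flow, victim approves it with real MFA, attacker gets the tokens."""
    server = server or AuthorizationServer({"ceo@corp.example": "Winter2025!"})
    attacker = server.device_authorization(client_id="office-desktop-client",
                                           scope="Mail.Read Files.Read")
    result = {"pending_before_approval": server.token(attacker["device_code"])["error"]}
    # The phishing page shows attacker["user_code"]; the victim completes a genuine sign-in.
    result["login"] = server.device_login(attacker["user_code"], "ceo@corp.example",
                                          "Winter2025!", mfa_passed=True)
    result["tokens"] = server.token(attacker["device_code"])          # issued to the attacker's client
    server.change_password("ceo@corp.example", "Spring2026!")         # victim "fixes" the problem
    result["after_reset"] = server.refresh(result["tokens"]["refresh_token"])        # still works
    result["revoked"] = server.revoke_sign_in_sessions("ceo@corp.example")
    result["after_revoke"] = server.refresh(result["after_reset"]["refresh_token"])  # now fails
    return result


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step:24} {value}")
```

Nothing in the user's step authenticates the device that will hold the tokens; the user only proves who she is. That is the property a phishing kit exploits, and it is why the defensive answer is to block or tightly scope the flow rather than to add a stronger second factor.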

What makes VENOM different from other phishing threats

The VENOM phishing campaign distinguishes itself through its sophistication and operational structure. Unlike earlier credential-theft campaigns, VENOM operates as a full phishing-as-a-service platform with licensing, activation models, and a structured campaign management interface. The platform has not been discovered in public threat intelligence databases, dark-web forums, or open seller marketplaces, suggesting it is distributed exclusively through closed, vetted channels to a limited set of operators.

This contrasts sharply with other phishing operations documented in recent years. For example, the Venom Spider group, which has been active since the late 2010s, primarily targets human resources and recruiting teams with fake job resumes designed to drop malware backdoors. Venom Spider’s focus is on e-commerce and payment systems, not on C-suite executives or SharePoint-themed lures. The VENOM phishing campaign’s emphasis on executive targeting, QR code delivery, and token theft represents a distinct approach tailored to breach high-value accounts and maintain persistent access.

Why executives are at risk right now

C-suite executives are at heightened risk from the VENOM phishing campaign because they are targeted individually, by name and role, which makes the emails read as legitimate and urgent. Financial reports and document-sharing notifications are routine in executive workflows, so a SharePoint alert raises little suspicion. The QR code adds a second layer of deception. Scanning feels safer than clicking, but the destination URL exists only as pixels inside an image, so link-rewriting and URL-reputation filters that parse the message text and HTML never see it, and the scan moves the session onto a phone that is often outside the corporate proxy, EDR and browser controls that would protect the laptop.
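The following gate turns those two observations into detection logic. It is added here for illustration and is not taken from the article or from any mail-security product: it looks for a scan prompt paired with an inline image, for a document-share lure with no visible URL anywhere in the text, and, when a QR decoder is plugged in, for decoded URLs pointing outside an allow-list. The two messages and the FAKE_PNG bytes are constructed for the demo; the pyzbar_decoder hook shows how the third-party Pillow and pyzbar libraries would be attached in a real deployment and is not exercised by the demo.

```python
"""Heuristic gate for QR-code lures in inbound mail.

Added illustration, not part of the article or of any vendor product. The
sample messages are constructed; FAKE_PNG is a placeholder blob, not a real
QR image. Real QR decoding is delegated to an optional decode_qr callable;
the text-side heuristics work without it.
"""
import io
import re
from email.message import EmailMessage
from urllib.parse import urlparse

SCAN_PROMPT = re.compile(r"\bscan (the|this) (qr )?code\b|\b(phone|mobile) camera\b", re.I)
LURE_THEME = re.compile(r"\bsharepoint\b|\bshared (a|the) (document|file)\b|\bfinancial report\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed placeholder bytes


def text_parts(msg):
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() in ("text/plain", "text/html")]


def image_parts(msg):
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]


def visible_urls(msg):
    """URLs a link-rewriting or reputation filter would actually see: those in text/HTML."""
    return {u for body in text_parts(msg) for u in URL.findall(body)}


def assess(msg, decode_qr=None, allowed_hosts=()):
    text = " ".join(text_parts(msg))
    images = image_parts(msg)
    findings = []
    if images and SCAN_PROMPT.search(text):
        findings.append("scan prompt with embedded image")
    if LURE_THEME.search(text) and not visible_urls(msg):
        findings.append("document-share lure with no visible link")
    if decode_qr is not None:                      # pixels become URLs only with a decoder
        for part in images:
            for payload in decode_qr(part.get_payload(decode=True)):
                for url in URL.findall(payload):
                    host = urlparse(url).hostname or ""
                    if host not in allowed_hosts:
                        findings.append(f"qr url to untrusted host {host}")
    verdict = "quarantine" if len(findings) >= 2 else "review" if findings else "allow"
    return {"verdict": verdict, "findings": findings}


def pyzbar_decoder(image_bytes):
    """Production hook: needs Pillow and pyzbar (libzbar); not used by the demo."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    return [sym.data.decode("utf-8", "replace")
            for sym in decode(Image.open(io.BytesIO(image_bytes)))]


def _message(subject, plain, html, cid):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "no-reply@notify.example", "ceo@corp.example", subject
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    msg.get_payload()[1].add_related(FAKE_PNG, maintype="image", subtype="png", cid=cid)
    return msg


def build_lure():
    """Constructed VENOM-style lure: SharePoint theme, inline image, no URL in any text part."""
    return _message('Jane Doe shared "FY2025 Financial Report.xlsx" with you',
                    "Jane Doe shared a document with you. Scan the QR code below to open it.",
                    "<html><body><p>Jane Doe shared a document with you in SharePoint.</p>"
                    "<p>Scan the QR code below to view <b>FY2025 Financial Report.xlsx</b>.</p>"
                    '<img src="cid:qr1"></body></html>', "<qr1>")


def build_benign():
    """Constructed legitimate share notification: logo image, but the link is visible text."""
    link = "https://contoso.sharepoint.example/sites/finance/Q4%20budget.xlsx"
    return _message('Jane Doe shared "Q4 budget.xlsx" with you',
                    f"Jane Doe shared a file with you: {link}",
                    '<html><body><img src="cid:logo"><p>Jane Doe shared a file with you.</p>'
                    f'<a href="{link}">Open</a></body></html>', "<logo>")


if __name__ == "__main__":
    for name, builder in (("lure", build_lure), ("benign", build_benign)):
        print(name, assess(builder()))
```

The lure is quarantined on text heuristics alone, while the legitimate notification passes even though it also carries an image, because its link is visible to ordinary URL controls. Plugging in a decoder adds the third, decisive finding: the host the QR code actually points at.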

The campaign’s real-time capture and relay of two-factor codes is particularly dangerous because it defeats the most widely deployed second factors: SMS codes, authenticator-app codes and push approvals, all of which an adversary-in-the-middle page can forward to the real login service inside their validity window. Organizations that mandate MFA can still be compromised if the factor is one the victim can be talked into handing over. The device code path is concerning for a different reason: the victim performs a genuine sign-in and the attacker walks away with a refresh token. According to Abnormal, a subsequent password change does not invalidate that access, so the intrusion continues until the tokens are explicitly revoked.

How to protect yourself from the VENOM phishing campaign

Organizations should put several defenses in place against the VENOM phishing campaign. First, brief executives and their assistants on the specific lure: a SharePoint-style document-sharing notification, often about a financial report, that asks them to scan a QR code. Teach them to verify such notifications by opening SharePoint or OneDrive directly rather than following links or scanning codes from the email, and to treat any page that asks them to type a short code into Microsoft's device-login page as a red flag unless they started that sign-in themselves on a device they control.

Second, deploy email security controls that decode QR codes in inbound messages and treat the decoded URL like any other link (rewrite it, check its reputation, detonate it), or at minimum flag image-only messages that prompt the recipient to scan. Third, restrict the device code flow itself: Microsoft Entra Conditional Access includes an authentication flows condition that can block device code sign-ins for everyone except the specific accounts that genuinely need them (meeting-room displays, printers, CLI tooling), and those exceptions should be limited to the named accounts and, where possible, the network locations that use them. Blocking the flow removes the second attack path outright, which is better than trying to limit the usefulness of tokens after they have been stolen. Finally, monitor sign-in logs for sign-ins whose authentication protocol is device code, for first-seen countries and unregistered devices on executive accounts, and for new OAuth consent grants, all of which may indicate a compromised account. An executive who receives a suspicious SharePoint notification should report it to the security team immediately rather than scanning the code.
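As an added example of the monitoring step (not from the article, from Abnormal Security or from Microsoft's own tooling), the script below runs three of those rules over constructed sign-in records laid out like Microsoft Graph signIn objects: device code sign-ins from apps not on an allow-list, first-seen countries, and sign-ins from unregistered devices on accounts that normally use registered ones. User names, IP addresses, app names and device IDs are made up; only the field names (authenticationProtocol, location.countryOrRegion, deviceDetail.deviceId, status.errorCode) follow the Graph schema.

```python
"""Detection rules over Entra ID sign-in records in Microsoft Graph signIn shape.

Added illustration, not from the article or from Abnormal Security. The JSON
lines are constructed; users, IPs, app names and device IDs are made up.
"""
import json
from collections import defaultdict

# Constructed sample: two days of normal executive sign-ins, then a device code
# sign-in from a new country with no registered device, followed by a normal
# sign-in from the same place, a failed attempt, and a legitimate signage account.
SAMPLE_SIGNINS = r"""
{"createdDateTime":"2026-03-02T08:05:00Z","userPrincipalName":"ceo@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"deviceId":"d-ceo-laptop"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-03T08:10:00Z","userPrincipalName":"ceo@corp.example","appDisplayName":"OfficeHome","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"deviceId":"d-ceo-laptop"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-03T09:00:00Z","userPrincipalName":"cfo@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"none","ipAddress":"203.0.113.11","location":{"countryOrRegion":"US"},"deviceDetail":{"deviceId":"d-cfo-laptop"},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-04T09:41:00Z","userPrincipalName":"ceo@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-04T09:44:00Z","userPrincipalName":"ceo@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"none","ipAddress":"198.51.100.7","location":{"countryOrRegion":"NL"},"deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
{"createdDateTime":"2026-03-04T10:00:00Z","userPrincipalName":"ceo@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"none","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"deviceDetail":{"deviceId":"d-ceo-laptop"},"status":{"errorCode":50126}}
{"createdDateTime":"2026-03-04T11:00:00Z","userPrincipalName":"lobby-display@corp.example","appDisplayName":"Lobby Display Signage","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.20","location":{"countryOrRegion":"US"},"deviceDetail":{"deviceId":""},"status":{"errorCode":0}}
"""


def parse_signins(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def detect(records, expected_device_code_apps=()):
    """Return one alert per (event, rule). Baselines are learned only from clean events,
    so an anomalous sign-in cannot teach the baseline that its country or device is normal."""
    countries, devices = defaultdict(set), defaultdict(set)
    alerts = []
    for r in sorted(records, key=lambda rec: rec["createdDateTime"]):
        if r["status"]["errorCode"] != 0:
            continue                                   # failed sign-ins yield no tokens
        user = r["userPrincipalName"]
        country = (r.get("location") or {}).get("countryOrRegion")
        device = (r.get("deviceDetail") or {}).get("deviceId") or None
        hits = []
        if (r.get("authenticationProtocol") == "deviceCode"
                and r.get("appDisplayName") not in expected_device_code_apps):
            hits.append("device_code_signin")
        if countries[user] and country not in countries[user]:
            hits.append(f"new_country:{country}")
        if devices[user] and device not in devices[user]:
            hits.append("unregistered_device" if device is None else f"new_device:{device}")
        if hits:
            alerts.extend({"time": r["createdDateTime"], "user": user,
                           "ip": r.get("ipAddress"), "rule": h} for h in hits)
        else:
            countries[user].add(country)
            if device:
                devices[user].add(device)
    return alerts


def run_demo():
    """Run the rules with the signage account's app on the device-code allow-list."""
    return detect(parse_signins(SAMPLE_SIGNINS),
                  expected_device_code_apps={"Lobby Display Signage"})


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["time"], alert["user"], alert["ip"], alert["rule"])
```

The allow-list of apps for which the device code flow is expected is a stop-gap for environments that cannot block the flow in Conditional Access yet; where the flow is blocked, any successful device code sign-in is an alert on its own.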

Is the VENOM phishing campaign still active?

The VENOM phishing campaign was documented as active from November 2025 through March 2026. Current activity levels beyond March 2026 have not been publicly disclosed by Abnormal Security or other security researchers. Organizations should assume the threat remains active and maintain defensive posture accordingly.

Can multi-factor authentication stop the VENOM phishing campaign?

Code-based and push-based multi-factor authentication can be bypassed by the VENOM phishing campaign because the attacker captures and relays the second factor in real time. Phishing-resistant methods such as FIDO2 security keys and passkeys stop that relay path, since the authenticator will not sign a challenge for the attacker's domain. They do not, by themselves, stop the device code path: there the victim completes a genuine sign-in, hardware key and all, and the tokens still go to the attacker who started the flow. Closing that path requires a Conditional Access policy that blocks or tightly scopes the device code flow.

What should I do if I clicked a VENOM phishing link?

If you suspect you have interacted with a VENOM phishing email, contact your organization’s security team immediately and change your password. If you entered a two-factor code, or typed a short code into a Microsoft device-login page, assume the account is compromised and watch for unauthorized activity. A password change alone does not evict an attacker who already holds tokens, so the security team should revoke all of the account’s sign-in sessions (in Entra ID, the revokeSignInSessions action, also exposed as the Revoke-MgUserSignInSession PowerShell cmdlet), review the sign-in log for device code authentications and unfamiliar locations, and check for newly added MFA methods, mailbox forwarding rules and OAuth app consents, re-enrolling MFA if any of those look wrong.

The VENOM phishing campaign represents a significant escalation in targeted credential theft against high-value executives. Its technical sophistication, closed-access distribution model, and ability to defeat code-based multi-factor authentication make it a serious threat to organizations worldwide. Executives and their security teams must remain vigilant against SharePoint-themed emails with embedded QR codes, and should block or tightly scope the device code flow and revoke sessions promptly after any suspected compromise to prevent token theft from turning into persistent account access.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
