Other reviews

The VENOM Phishing Kit : How Executives Are Being Targeted

By choiceoasis5@gmail.com
May 15, 2026 16 Min Read
0
The VENOM Phishing Kit: How Executives Are Being Targeted (2026) | GuardedWorker
Protect My Company →
VENOM
Breaking Threat · April 9, 2026 · Discovered by Abnormal AI

VENOM The Phishing Kit Targeting Your CEO — By Name

A never-before-documented phishing platform has been silently targeting CEOs, CFOs, and VPs across 20+ industries since November 2025. It neutralises MFA. It survives password resets. It hasn’t appeared in a single threat database. Abnormal AI found it. GuardedWorker explains it.

April 12, 2026 Source: Abnormal AI Threat Intelligence GuardedWorker Analysis 24 min read
60% Targets hold C-level, President or Chairman title
20+ Industry verticals targeted
5mo Active before discovery (Nov 2025 – Apr 2026)
0 Public threat databases where VENOM appeared
Disclosure: GuardedWorker earns affiliate commissions on qualifying purchases. This article is based on threat intelligence published by Abnormal AI on April 2, 2026 and confirmed by BleepingComputer, SC Media, Infosecurity Magazine, and TechRadar on April 9–10, 2026.

01What Is the VENOM Phishing Kit?

On April 2, 2026, Abnormal AI published a threat intelligence report that sent shockwaves through the cybersecurity community. Researchers had uncovered a previously undocumented phishing-as-a-service (PhaaS) platform — code-named VENOM — that had been operating silently for at least five months, specifically targeting C-suite executives at major global organisations across more than 20 industry verticals.

What makes VENOM remarkable is not any single technique — it’s the complete, end-to-end engineering precision with which every stage of the attack has been built to protect the next. As Abnormal’s researchers described it: “This campaign is one of the more technically complete phishing operations we’ve documented — less for any single novel technique than for how deliberately each component has been engineered to work together.”

VENOM is a phishing-as-a-service platform — meaning it operates like a product, with a licensing and activation model, structured token storage, and a full campaign management interface. Criminal operators don’t need technical expertise to run devastating, personalised attacks against CEOs and CFOs. They pay for access to VENOM, select their targets by name, and VENOM handles the rest — from the initial phishing email through to persistent account access that survives standard remediation.

🚨

Why this is different from other phishing attacks: Traditional phishing sends millions of generic emails hoping someone clicks. VENOM selects specific executives by name, personalises every email with their company branding and email address, and moves the attack to the executive’s personal mobile device to bypass corporate security tools. It’s the difference between a mass text spam and a trained assassin who knows your name, your company, and your daily workflow.

02Who VENOM Is Targeting — The Victim Profile

VENOM’s operators are not fishing randomly. They’re cherry-picking from the top of corporate hierarchies with surgical precision. The data from Abnormal’s analysis is unambiguous about who the platform was built to compromise.

60% Hold C-level, President or Chairman title
20+ Industry verticals under active attack
100% Targeted by name — not random

Specifically targeted roles include: CEOs, CFOs, Chairmen, Vice Presidents, and senior officers across financial services, healthcare, manufacturing, and technology. Geographic focus has been identified on North American and European organisations — with the US, Canada, UK, Germany, and France all confirmed in the attack scope.

Why executives? Because executive accounts carry enormous downstream value. A compromised CEO’s Microsoft 365 account provides access to confidential financial data, strategic plans, M&A discussions, personnel decisions, and communication with the board. From a single executive compromise, VENOM operators can execute business email compromise (BEC) fraud, sell credentials on dark web markets, or establish persistent espionage access that goes undetected for months. The average BEC attack costs organisations $680,000 per incident according to IBM’s data.

🎯

The intelligence-gathering phase: VENOM operators research their targets extensively before sending a single email — scraping LinkedIn profiles, company websites, press releases, and earnings calls to build a dossier on each executive. This is why the phishing emails are so convincing: they include references to real business activities, real colleagues’ names, and the exact format of internal company communications. This is not a generic template — it’s a bespoke attack crafted for each individual.

03The VENOM Attack Chain — Stage by Stage

Abnormal AI documented the complete attack pipeline. Here is exactly how VENOM turns a phishing email into persistent account access that survives MFA and password resets.

⚠ VENOM Attack Chain — Documented by Abnormal AI, April 2026
1
Target Selection & Intelligence Gathering
Operators use LinkedIn, company websites, earnings calls, and public filings to identify and profile specific C-suite executives. Each target is selected by name and title — no spray-and-pray. VENOM’s campaign management interface allows operators to maintain lists of high-value targets across companies.
OSINT + Social Engineering Research
2
Personalised SharePoint Phishing Email
A highly personalised email arrives appearing to come from the target’s own domain (sharepointadmin@[target-company].com — spoofed). The email impersonates an internal SharePoint document-sharing notification with a financial report theme. The attacker injects fake email threads tailored to the target, making it appear as part of an ongoing internal conversation. Random HTML noise (fake CSS classes, comments, unicode variations) is injected into every email to defeat signature-based scanning — making each email technically unique.
Spear Phishing · Sender Spoofing · HTML Obfuscation
3
QR Code — Moving the Attack to Mobile
Instead of a link (which corporate email filters aggressively inspect), VENOM embeds a QR code constructed entirely in HTML text characters — no image file to scan. When the executive scans the QR code with their phone, the attack moves to their personal mobile device, which lacks the endpoint protection and corporate security controls of their managed laptop. The target’s email address is double Base64-encoded in the URL fragment — the portion after the # character that is never transmitted in HTTP requests, making the email invisible to server logs and URL reputation feeds.
QR Code Phishing (Quishing) · URL Fragment Obfuscation
4
The Gate — Filtering Out Researchers
The QR code leads to a landing page that acts as a security filter — indistinguishable from legitimate bot-challenge pages (like Cloudflare’s “checking your browser”). Its sole function is to determine whether the visitor is a real human executive or a security researcher, sandbox, automated tool, or bot. Anyone who fails the gate’s checks is redirected to a legitimate website with no indication anything suspicious occurred. Only real targets pass through. This is how VENOM remained undiscovered for five months — security researchers testing the URLs hit dead ends and moved on.
Anti-Analysis Filtering · Research Evasion
5
Credential Harvesting — Two Methods
Method A — Adversary-in-the-Middle (AiTM): VENOM serves a pixel-perfect replica of the target’s actual Microsoft login page, complete with their company’s logo, their pre-filled email address, and their organisation’s specific identity provider interface. When the executive enters their credentials and MFA code, VENOM relays them in real time to Microsoft’s actual authentication APIs — completing the login for the attacker while capturing the session token. The login succeeds normally from the victim’s perspective. Method B — Device Code Phishing: The victim is tricked into approving access to a rogue device through Microsoft’s device code authentication flow, giving the attacker persistent OAuth token access. A forced password reset does not revoke a refresh token already captured through this method.
AiTM Credential Proxy · Device Code Abuse · MFA Neutralisation
6
Persistence — Surviving Remediation
After credential capture, VENOM immediately registers a new MFA device on the victim’s account. Even if the password is reset, the attacker’s device registration remains valid — and the attacker’s access persists. A forced password reset does not revoke a refresh token. Unless the victim’s administrator explicitly revokes all active sessions and token grants in Microsoft Entra ID — a step not included in most organisations’ default incident response runbooks — the attacker’s access survives standard remediation entirely.
MFA Device Registration · Token Persistence · OAuth Abuse

04What Makes VENOM Technically Different

VENOM isn’t just another phishing kit. It represents a step-change in how PhaaS platforms are engineered. Here are the six technical characteristics that make it exceptional — and why your existing defences may be insufficient.

🕵️
Zero Public Footprint
VENOM operated for five months without appearing in a single public threat intelligence database, dark web forum, or underground marketplace. It’s distributed through a closed-access, invitation-based system. This means detection tools relying on known-bad indicators were completely blind to it.
Never in threat DBs
📱
QR Code Moves Attack Off-Network
By using a QR code instead of a link, the attack migrates from the executive’s managed corporate device (with endpoint protection and email security) to their personal phone, which typically has none of these controls. Corporate security tools that monitor network traffic and email links see nothing suspicious.
Bypasses corporate MDM
🎭
AiTM Neutralises MFA Entirely
Standard phishing steals passwords — which MFA blocks. VENOM’s AiTM method captures the authenticated session token after MFA is completed. The victim correctly approves the MFA push notification — unaware that the approval is being relayed to the attacker simultaneously. MFA is defeated not broken.
MFA is not enough
🔬
Researcher-Proof Gate
The gate that filters security researchers from real targets is the key to VENOM’s longevity. Traditional phishing kits get discovered because researchers can access the phishing pages directly. VENOM’s gate ensures researchers only ever see a dead end, while real executives are routed through. Five months of operation proves this worked.
Research evasion
🔐
Persistence Survives Password Reset
Most organisations’ incident response to a phishing compromise involves forcing a password reset. VENOM’s persistence mechanisms — MFA device registration and refresh token capture — survive this. Unless every active session and all token grants are explicitly revoked in Entra ID, the attacker retains access after the “fix.”
Survives standard IR
📦
Full PhaaS Platform
VENOM isn’t a script — it’s a platform with a licensing model, campaign management interface, structured token storage, and preserved raw OAuth server responses enabling potential re-derivation of expired tokens. Someone with no technical skills can run sophisticated executive-targeted campaigns by purchasing access.
Criminal SaaS model

0512 Steps to Defend Against VENOM — For Executives & Security Teams

Abnormal AI’s researchers provided specific defensive recommendations. GuardedWorker has expanded these into a complete action plan for both individuals and security teams.

  1. 01
    Upgrade from MFA to FIDO2 / Hardware Security Keys
    Abnormal AI’s primary recommendation: standard TOTP and push-notification MFA is neutralised by VENOM’s AiTM method. FIDO2 hardware security keys (like YubiKey) bind authentication to the specific device and domain — meaning a relay attack cannot succeed because the cryptographic challenge is site-specific. FIDO2 is the only MFA type that genuinely defeats AiTM phishing.
  2. 02
    Disable Device Code Authentication Flow When Not Required
    VENOM’s second attack method exploits Microsoft’s device code authentication flow. If your organisation doesn’t actively need this (most don’t), disable it via Conditional Access policies in Microsoft Entra ID. This eliminates one of the two credential harvesting methods entirely.
  3. 03
    Implement AI-Powered Email Security
    Traditional email filters rely on known-bad signatures and URL reputation feeds. VENOM was specifically engineered to defeat these. Behaviour-based AI email security that analyses anomalous communication patterns, sender behaviour, and email content contextually is required to catch attacks like VENOM before they reach inboxes. See our agentic AI threats guide →
  4. 04
    Deploy Comprehensive Antivirus with AI Behaviour Detection
    Signature-based antivirus is insufficient. AI-powered antivirus with behavioural detection catches suspicious processes and access patterns — including the OAuth token abuse and session persistence VENOM establishes after initial compromise. Norton 360 and Bitdefender both provide this capability. See our best antivirus guide →
  5. 05
    Immediately Revoke ALL Active Sessions After Any Suspected Compromise
    A password reset alone does not stop VENOM. If a compromise is suspected, administrators must explicitly revoke all active sessions and token grants in Microsoft Entra ID — not just force a password reset. This step must be part of every organisation’s incident response runbook, but currently is not for most organisations.
  6. 06
    Audit MFA Device Registrations Regularly
    VENOM registers a new MFA device after compromise as a persistence mechanism. Regular audits of all registered MFA devices across executive accounts should catch anomalous registrations. Any unexpected device registration should trigger immediate investigation and session revocation.
  7. 07
    Use a VPN to Protect Credential Traffic and Reduce OSINT Exposure
    VENOM operators use OSINT to build target profiles from public IP addresses, ISP data, and browsing patterns. A VPN with AI threat protection (NordVPN + CrowdStrike) also blocks connections to known malicious infrastructure. For executives specifically, NordVPN’s always-on Threat Protection Pro provides continuous protection. NordVPN Review 2026 →
  8. 08
    Never Scan Unknown QR Codes in Emails
    VENOM specifically uses QR codes to move the attack from a protected corporate device to an unprotected personal phone. Establish a company policy that executive leadership never scan QR codes in emails without first verbally confirming the request with the apparent sender via a known phone number or in-person. This breaks VENOM’s entire attack chain at step three.
  9. 09
    Enforce Stricter Conditional Access Policies
    Conditional Access policies in Microsoft Entra ID can be configured to require compliant, managed devices for access; block logins from unexpected locations or device types; require additional verification for administrative actions; and flag anomalous OAuth token usage. These policies significantly raise the cost of VENOM’s post-compromise persistence mechanisms.
  10. 10
    Use a Password Manager with Breach Monitoring
    Even though VENOM captures credentials through AiTM rather than traditional password theft, breach monitoring alerts you when executive credentials appear in dark web trading (where VENOM operators sell captured tokens). 1Password’s Watchtower provides this monitoring. Best Password Managers 2026 →
  11. 11
    Reduce Executive Public Voice & Profile Exposure
    VENOM operators harvest audio and personal details from LinkedIn, earnings calls, conference talks, and social media to personalise attacks. Limit the amount of personal operational information executives share publicly. For voice cloning specifically — a related threat — see our AI voice cloning deepfake guide →
  12. 12
    Establish a “Verbal Verification” Protocol for Urgent Requests
    Any request involving financial transfers, credential changes, or access grants that arrives via email — regardless of how legitimate it appears — should require a separate verbal confirmation via a known phone number. This is the single most reliable human process that breaks phishing attacks at every sophistication level.
💡

The complete executive protection stack for 2026: FIDO2 hardware security key + NordVPN (AI VPN with CrowdStrike threat intel) + Norton 360 (SONAR AI detection + dark web monitoring) + 1Password (breach-monitored credential vault) + strict Conditional Access policies. This stack addresses every stage of the VENOM attack chain. Total cost: under $100/year for an individual executive.

06Security Tools That Defend Against VENOM

These are the specific products that address the VENOM attack chain — at the email layer, credential layer, network layer, and device layer.

🛡️
Norton 360 Deluxe
Best all-in-one — SONAR AI + dark web monitoring + unlimited VPN
⭐ Top Pick AI Behaviour Detection Dark Web Monitor
VENOM’s post-compromise persistence — OAuth token abuse, MFA device registration — manifests as anomalous access behaviour that AI-powered detection catches. Norton’s SONAR engine monitors behavioural patterns and flags suspicious access even when credentials are technically valid. Dark web monitoring alerts executives when their credentials surface in criminal markets where VENOM operators sell harvested tokens. 100% detection rate in AV-Test. See our comparison: Bitdefender vs Norton 2026.
Detection Rate
100% AV-Test
Dark Web Mon.
✓ Identity alerts
VPN
✓ Unlimited
SONAR AI
✓ Behaviour
Devices
Up to 5
Money-Back
60 days
From $39.99/year — 60-day money-back
🌐
NordVPN + CrowdStrike
Best AI VPN — blocks malicious URLs and protects credential traffic in transit
CrowdStrike Intel 94% Phishing Block
VENOM operators use OSINT to profile targets — your real IP address contributes to the intelligence they gather. NordVPN’s Threat Protection Pro, now powered by CrowdStrike’s Counter Adversary Operations, also blocks connections to malicious infrastructure associated with known threat actors. It achieved a 94% phishing block rate in independent testing. See our NordVPN Review 2026 and full AI VPN comparison.
Threat Intel
CrowdStrike
Block Rate
94% phishing
Always-On
✓ Off-VPN too
Servers
6,400+ / 111c
Devices
10
Money-Back
30 days
From $3.09/month — 30-day money-back
🔑
1Password
Watchtower AI breach monitoring — alerts when credentials appear on dark web
Watchtower AI Zero-Knowledge
VENOM operators sell captured executive credentials and session tokens on dark web marketplaces. 1Password’s Watchtower monitors dark web markets for credentials matching your vault and alerts you immediately when action is needed. Zero-knowledge architecture means only you can access your data. See our full comparison: Best Password Managers 2026 and 1Password vs Dashlane.
From $2.99/month — 14-day free trial
🔐
Bitdefender Total Security
Cloud AI engine + ransomware Time Machine — catches post-VENOM payloads
Cloud AI 99.8% Detection
After VENOM establishes persistent access through an executive’s Microsoft 365 account, follow-up attacks often deploy ransomware against the broader organisation. Bitdefender’s multi-layer ransomware protection and Time Machine backup coverage specifically address this downstream threat. Cloud-based AI analysis means zero performance overhead. See: Bitdefender vs Norton comparison.
From $29.99/year — 30-day money-back
Get Bitdefender →
GuardedWorker Threat Assessment · April 2026

VENOM Is Live. Your Executives Are Targets. Standard MFA Is Not Enough.

VENOM represents the current state of the art in executive-targeted phishing. It operated for five months without appearing in a single public threat database. It neutralises standard MFA. It survives password resets. It moves the attack to personal mobile devices that bypass corporate security. And it’s been built as a platform — meaning it will be copied, adapted, and sold to other operators as its techniques become industry standard. The specific defensive actions Abnormal AI recommends: Upgrade from TOTP/push MFA to FIDO2 hardware keys. Disable device code authentication flows when not needed. Implement AI-powered email security that analyses behaviour rather than signatures. Audit MFA device registrations regularly. And include full session and token revocation in your incident response runbook — not just a password reset. These are not expensive or technically complex steps. They are the difference between a five-month silent compromise and an attack that gets stopped cold.

07Frequently Asked Questions

What is the VENOM phishing kit?
VENOM is a phishing-as-a-service (PhaaS) platform discovered by Abnormal AI in April 2026. It specifically targets C-suite executives (CEOs, CFOs, VPs) by name across 20+ industries. It uses personalised SharePoint-themed emails with QR codes, adversary-in-the-middle (AiTM) credential harvesting that neutralises MFA, and persistence mechanisms that survive password resets. At the time of discovery it had not appeared in any public threat intelligence database.
How does VENOM bypass MFA (multi-factor authentication)?
VENOM uses two methods. The primary method is Adversary-in-the-Middle (AiTM) — rather than stealing a password for later use, VENOM proxies the entire Microsoft login session in real time. The victim enters their credentials and correctly approves their MFA push notification — but VENOM captures the authenticated session token before the victim’s browser receives it. The MFA was completed correctly; the attacker got the token. The second method exploits Microsoft’s device code authentication flow to obtain persistent OAuth token access without even needing a password.
Why doesn’t a password reset stop VENOM?
Because VENOM establishes persistence through mechanisms that a password reset doesn’t revoke. After initial compromise, VENOM registers a new MFA device on the victim’s account. It also captures refresh tokens through device code abuse. A forced password reset only changes the password — it doesn’t revoke existing session tokens or remove newly registered MFA devices. Unless an administrator explicitly revokes all active sessions and token grants in Microsoft Entra ID, the attacker retains access after the password reset. Most organisations’ incident response runbooks don’t include this step.
Why does VENOM use QR codes instead of links?
QR codes achieve two things that hyperlinks don’t. First, they move the attack from the executive’s managed corporate laptop (which has endpoint protection, email security, and network monitoring) to their personal phone (which typically has none of these). Second, corporate email security gateways extensively inspect URLs but generally cannot evaluate QR code content. The QR code is also constructed entirely from HTML text characters rather than an image file, defeating image-based scanning.
Is standard MFA no longer safe?
Standard push notification MFA and TOTP codes are no longer sufficient against AiTM phishing attacks. VENOM can defeat them because they require relaying credentials in real time — and with AiTM, the relay happens so quickly the victim doesn’t notice anything is wrong. FIDO2 hardware security keys are the only MFA type that genuinely defeats AiTM, because the cryptographic challenge is domain-specific — a relay attack cannot work. This is Abnormal AI’s primary defensive recommendation.
How can I tell if our company has already been compromised by VENOM?
Signs include: unexpected new MFA device registrations on executive accounts, login activity from unexpected geographic locations or device types, unusual OAuth application access grants, email forwarding rules that weren’t manually created, and anomalous access patterns in Microsoft 365 audit logs. Because VENOM was active for five months before detection, assume any C-suite Microsoft 365 account that received SharePoint-themed emails in late 2025 should be audited. Review all active sessions and token grants in Microsoft Entra ID immediately.

Tags:

Author

choiceoasis5@gmail.com

Follow Me
Other Articles
No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *