This devious VENOM phishing campaign targets business executives by name — so watch what you click on
Researchers warn of new VENOM phishing kit
- VENOM phishing kit targets C-Suite executives by name
- Emails mimic SharePoint notifications with Unicode QR codes
- Attackers steal credentials, 2FA codes, and access tokens
If you are a director or C-suite executive at a major global organization, be on the lookout for a new phishing attack that addresses you by name.
Security researchers from Abnormal have warned of a campaign in which the threat actors carefully cherry-pick their targets and then approach them with a highly tailored phishing email whose goal is to steal login credentials and 2FA codes.
The entire operation runs on a previously undocumented phishing kit called VENOM, which has a licensing and activation model, structured token storage, and a full campaign management interface.
Stealing secrets
Abnormal says that the kit has not yet appeared in any public threat intelligence databases and was not observed being sold on dark-web forums. This suggests it is a closed-access platform distributed through vetted channels.
The emails themselves are themed around SharePoint document-sharing notifications. The victims are led to believe they have been given a document, and are invited to scan the provided QR code to access it.
The QR code itself is a work of art as well. Instead of embedding an image (which email security tools can extract and decode), the threat actors build the code entirely from Unicode block characters rendered inside an HTML . Because there is no image attachment or inline picture, scanners that look for QR images see only text.
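The text-rendered QR trick described above can be caught on the receiving side by looking for what it leaves behind: a run of consecutive text lines, all the same width, made only of block characters and spaces. The following is an added example (not the VENOM kit's code and not from the Abnormal report) that renders a constructed, non-scannable 21x21 module grid with half-block characters, wraps it in a SharePoint-style lure body of my own construction, and then flags such grids in arbitrary HTML. The character set, the `<div>`-per-row layout and the size thresholds are assumptions about how such kits render the code, not facts from the article.

```python
import html
import re

# One text row carries two module rows: top-half, bottom-half, full, or blank (NBSP).
HALF = {(1, 1): "\u2588", (1, 0): "\u2580", (0, 1): "\u2584", (0, 0): "\u00a0"}
DARK_CHARS = set("\u2580\u2584\u2588\u258c\u2590")   # block elements kits are assumed to use
GRID_CHARS = DARK_CHARS | {" ", "\u00a0"}


def in_finder_zone(x, y, size):
    """True inside the three 8x8 corner zones that hold QR finder patterns."""
    return (x < 8 and y < 8) or (x >= size - 8 and y < 8) or (x < 8 and y >= size - 8)


def constructed_matrix(size=21, seed=0x5EED):
    """Constructed 21x21 module grid: QR-style finder squares plus pseudo-random
    data modules. It is NOT a valid QR code; it only has the visual shape of one."""
    m = [[0] * size for _ in range(size)]
    for ox, oy in ((0, 0), (size - 7, 0), (0, size - 7)):
        for dy in range(7):
            for dx in range(7):
                ring = dx in (0, 6) or dy in (0, 6)
                core = 2 <= dx <= 4 and 2 <= dy <= 4
                m[oy + dy][ox + dx] = int(ring or core)
    state = seed
    for y in range(size):
        for x in range(size):
            if not in_finder_zone(x, y, size):
                state = (1103515245 * state + 12345) & 0x7FFFFFFF   # tiny LCG, deterministic
                m[y][x] = (state >> 16) & 1
    return m


def render_half_blocks(matrix):
    """Encode a 0/1 matrix as text rows of half-block characters; each text row
    holds two module rows, so a 21-row grid becomes 11 lines of 21 characters."""
    rows = [list(r) for r in matrix]
    if len(rows) % 2:
        rows.append([0] * len(rows[0]))
    return ["".join(HALF[(rows[y][x], rows[y + 1][x])] for x in range(len(rows[0])))
            for y in range(0, len(rows), 2)]


def wrap_in_sharepoint_lure(lines):
    """Constructed email body in the style of a document-share notification."""
    rows = "".join(
        '<div style="line-height:1;font-family:monospace">'
        + line.replace("\u00a0", "&nbsp;") + "</div>"
        for line in lines)
    return ("<html><body><p>A document has been shared with you.</p>"
            + rows + "<p>Scan the code above to open the file.</p></body></html>")


def find_block_grids(html_body, min_width=21, min_lines=10):
    """Return (width, line_count) for each run of consecutive text lines built only
    from block characters, all the same width and big enough to be a QR code
    (21 modules is the smallest QR version; 21 modules = 11 half-block lines)."""
    text = html.unescape(re.sub(r"<[^>]+>", "\n", html_body))   # tags become row breaks
    grids, run = [], []

    def flush():
        if (len(run) >= min_lines and len(set(map(len, run))) == 1
                and len(run[0]) >= min_width):
            grids.append((len(run[0]), len(run)))
        run.clear()

    for line in text.splitlines():
        s = line.strip("\r\t")
        if not s:                       # blank lines come from tag boundaries, not content
            continue
        if set(s) <= GRID_CHARS and set(s) & DARK_CHARS:
            run.append(s)
        else:
            flush()                     # any real text ends the candidate grid
    flush()
    return grids


# Constructed inputs: a lure carrying the text-rendered grid, and a benign mail
# whose single progress bar must not trigger the detector.
LURE_HTML = wrap_in_sharepoint_lure(render_half_blocks(constructed_matrix()))
BENIGN_HTML = "<html><body><p>Backup progress: \u2588\u2588\u2588\u2588\u2591\u2591 50%</p></body></html>"

if __name__ == "__main__":
    print(find_block_grids(LURE_HTML))     # one 21-wide, 11-line grid
    print(find_block_grids(BENIGN_HTML))   # nothing
```

The detector deliberately keys on shape rather than content: it does not try to decode the grid, so it also fires on rendering variants (quarter-blocks, `<br>` instead of `<div>`) as long as the characters stay inside `GRID_CHARS`. Tune `min_width` and `min_lines` to the rendering you actually observe, and treat a hit as a reason to route the message for QR extraction rather than as a verdict on its own.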
Those who scan the code are first redirected to a fake verification checkpoint designed to filter out bots, scanners, sandboxes, and security researchers. After passing the checkpoint, the victims are offered one of two ways to authenticate: either with login credentials and a 2FA code, or through device sign-in using Microsoft's legitimate device code flow. The former steals the password and relays the 2FA code in real time; the latter obtains access tokens. The device code path is the more dangerous of the two, because the victim types the attacker's code into Microsoft's real sign-in page: no password or 2FA code ever passes through the phishing site, and the token the attacker receives is already past MFA.
Defending against these attacks starts the same way as with any other phishing email: common sense, skepticism, and a touch of paranoia when reading messages, especially a "shared document" that can only be opened by scanning a QR code on a phone. That alone is not enough against the device code path, since the user never sees a fake login page. Organizations should treat device code sign-ins as unusual for executives, block the flow where it is not needed (Entra ID Conditional Access can restrict it by authentication flow), and prefer phishing-resistant MFA such as FIDO2 keys over relayable one-time codes.
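Because the device code path described above leaves no credential on the phishing site, the place to catch it is the identity provider's sign-in log. The following is an added example (not code from the article or from Abnormal) that flags successful device-code sign-ins in Entra-style sign-in records and rates them higher when the source IP has never been seen for that user in a non-device-code sign-in. The records are constructed; their field names are modeled on the Microsoft Graph `signIn` resource (`authenticationProtocol`, `status.errorCode`, `ipAddress`), but the users, addresses and timestamps are invented.

```python
import json
from collections import defaultdict

# Constructed JSON-lines sign-in records (field names follow the Graph signIn resource).
SIGNIN_LOGS = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2025-03-03T08:02:11Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft 365", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-03T09:15:40Z", "userPrincipalName": "engineer@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.44",
     "appDisplayName": "Microsoft 365", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-04T08:01:02Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "appDisplayName": "Microsoft 365", "status": {"errorCode": 0}},
    # Engineer using a CLI tool from the usual workstation: device code from a known IP.
    {"createdDateTime": "2025-03-04T11:30:55Z", "userPrincipalName": "engineer@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.44",
     "appDisplayName": "Microsoft Azure CLI", "status": {"errorCode": 0}},
    # Executive "signing in" from an address never seen before: the phishing pattern.
    {"createdDateTime": "2025-03-05T14:12:09Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # A failed sign-in from the same address must not count as a baseline for that IP.
    {"createdDateTime": "2025-03-05T14:20:33Z", "userPrincipalName": "cfo@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "appDisplayName": "Microsoft 365", "status": {"errorCode": 50126}},
])


def parse_signins(jsonl):
    """Parse JSON-lines records, skipping blank or malformed lines, sorted by time."""
    records = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(records, key=lambda r: r.get("createdDateTime", ""))


def detect_device_code_signins(jsonl):
    """Return one finding per successful device-code sign-in.

    Baseline: IPs each user has used for *successful, non-device-code* sign-ins.
    A device-code success from outside that baseline is rated 'high'; from a known
    address it is 'medium', since device code is still unusual for most users."""
    records = parse_signins(jsonl)
    baseline = defaultdict(set)
    for r in records:
        if (r.get("authenticationProtocol") != "deviceCode"
                and r.get("status", {}).get("errorCode") == 0):
            baseline[r["userPrincipalName"]].add(r.get("ipAddress"))

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode") != 0:
            continue                      # only completed flows yield a token
        user, ip = r["userPrincipalName"], r.get("ipAddress")
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "ip": ip,
            "app": r.get("appDisplayName"),
            "severity": "medium" if ip in baseline[user] else "high",
        })
    return findings


if __name__ == "__main__":
    for f in detect_device_code_signins(SIGNIN_LOGS):
        print(f)
```

In production the baseline window would be built from weeks of history rather than the same file, and the user set would be narrowed to the executives and directors the campaign targets, where a device-code sign-in of any severity deserves a call to the user and revocation of the session's refresh tokens.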
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.