Venom PhaaS platform used in campaign targeting C-suite executives
Farah Amod
April 24, 2026
A previously undocumented phishing-as-a-service platform called Venom powered a targeted campaign against CEOs, CFOs, and other senior executives at major organizations across more than 20 industry sectors from November 2025 through March 2026.
What happened
Researchers uncovered a sustained credential theft campaign that used SharePoint document-sharing notifications as lures to target C-suite and VP-level executives. According to Infosecurity Magazine, the campaign was powered by Venom, a phishing-as-a-service platform that had not appeared in any prior threat intelligence database at the time of analysis and was not found for sale in open underground forums. The lures used financial report themes to encourage targets to scan a QR code embedded in the email body. Each email was engineered to defeat detection, using randomized HTML elements to alter structure with every send, and a fabricated five-message email thread tailored to the target's personal details, including their name, email prefix, company website, and a generated phone number. Once a target scanned the QR code, they were routed to a fake verification checkpoint that distinguished human visitors from security scanners and automated tools, sending only confirmed human targets through to the credential-harvesting stage.
Going deeper
Venom offered attackers two credential-harvesting methods depending on their objectives. The first used an adversary-in-the-middle (AiTM) setup: a reverse proxy that mimicked the victim's real login portal, complete with the organization's own branding and identity provider, and relayed credentials and multi-factor authentication (MFA) codes to Microsoft's live systems in real time, so the attacker ended up holding an authenticated session rather than just a password. After authentication, the attacker quietly registered a secondary MFA method on the victim's account, leaving the original authenticator intact so the victim saw no change. The registration is not invisible to the tenant, however: Entra ID records it in the directory audit log as "User registered security info", which is where a monitoring team should be looking. The second method avoided login forms entirely and instead prompted victims to complete a device sign-in using Microsoft's legitimate OAuth device code flow, which handed the resulting access and refresh tokens directly to the attacker. In this mode, the stolen refresh token remained valid even after a password reset unless an administrator explicitly revoked all active sessions, a step researchers noted most organizations do not take by default. The combined effect of both methods was persistent, hard-to-detect access that survived a password reset, the standard first response to a compromised account.
What was said
The researchers described the campaign as "one of the more technically complete phishing operations we've documented, less for any single novel technique than for how deliberately each component has been engineered to work together." They warned that "the discovery of Venom adds a force multiplier dimension. A closed-access PhaaS platform with licensing, campaign management, and structured token storage suggests this capability is not limited to a single operator." The researchers added that "organizations should assume that the techniques documented here will proliferate and that defensive strategies relying on MFA as a final barrier require immediate reassessment." The report was published on April 2, 2026.
In the know
Venom is one of at least 11 documented PhaaS kits now offering device code phishing capabilities alongside AiTM attacks. According to BleepingComputer, device code phishing page detections surged 37.5 times over the course of early 2026, with Venom specifically identified as a closed-source platform offering both device code and AiTM capabilities to licensed operators. The same reporting found that the competing kits share a common playbook: realistic software-as-a-service themed lures, anti-bot protections, and cloud platform hosting to avoid detection. The rapid proliferation of these platforms means attack techniques that once required real technical skill are now accessible to operators with no specialized knowledge, distributed through licensing and support infrastructure that mirrors legitimate software businesses.
The big picture
The Venom campaign targets the exact high-value access points that healthcare organizations depend on for operations: executive email accounts that authorize financial transactions, sign contracts, communicate with vendors, and direct staff. According to Paubox's Top 3 Healthcare Email Attacks report, impersonation attacks succeed because email treats identity as trustworthy by default, and healthcare workflows amplify that risk because urgent requests from executives and vendors are routine. The report also notes that a lack of protection for high-risk identities like executives is among the most common defense failures observed in 2025 healthcare breaches. When a CEO or CFO's account is compromised through an AiTM attack and the attacker registers a secondary MFA method, the victim sees nothing, and the security team has no alert to act on unless it monitors authentication-method registrations and unfamiliar sign-ins; meanwhile the compromised account keeps functioning normally while the attacker reads along.
FAQs
What is an adversary-in-the-middle attack, and how does it differ from standard phishing?
Standard phishing directs victims to a fake login page that captures typed credentials. An AiTM attack goes further by acting as a live relay between the victim and the real service, capturing both credentials and the MFA code or session token in real time, which gives the attacker an active authenticated session rather than just a stolen password.
Why does registering a secondary MFA device give attackers persistent access?
When an attacker registers a new authenticator on a compromised account, they can satisfy MFA challenges independently of the victim's device. That turns any later credential the attacker obtains or still holds (a stolen session, a refresh token, or a re-phished password) back into full access, because the second factor is no longer a barrier. Unless an administrator audits the account's registered authentication methods and removes the attacker's entry, a password change alone does not close that door.
What makes Venom different from other PhaaS platforms already documented?
Venom was not listed in any threat intelligence database and was not sold publicly at the time of discovery, indicating a closed or invite-only distribution model. It supports both AiTM and device code phishing from the same platform, with structured token storage and campaign management built in, making it a more complete operation than most documented kits.
What should organizations do when an executive account is compromised via AiTM?
Beyond password resets, organizations must revoke all active session tokens, remove any newly registered MFA devices from the account, audit inbox rules for attacker-created forwarding or deletion rules, and check whether the compromised account was used to send phishing messages internally or externally before access was detected.
Why do QR codes make phishing harder to detect?
Security tools scan email content, including links and attachments, but a QR code is an image: the URL it encodes is not present as text, so a filter that only extracts links from the HTML never sees it. The destination is only revealed when a human scans the code with a mobile device, which typically sits outside the organization's email security perimeter and its web filtering. Gateways that decode QR images in the body, and mobile-device controls that block unknown domains, close that gap.
