

























Company executives warned of Microsoft Venom attacks.
getty
As if life in the C-Suite wasn’t stressful enough, it has now been confirmed that chief executive officers, chief financial officers and vice president-level executives have been targeted since November 2025 by a previously undocumented Microsoft SharePoint-exploiting attack platform called Venom. These attacks have not harvested their targets randomly; rather, victims across at least 20 industry verticals have been selected by name. Here’s what you need to know about Venom, which, threat intelligence analysts said, “operates through a rotating pool of compromised business email accounts.”
ForbesAdobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update
It is not unusual, truth be told, for threat actors to target senior executives, including C-suite members, in attacks. I mean, if you can compromise an account belonging to one of the top dogs, you will likely have hit very valuable data pay dirt. Nor, for that matter, is it unusual for phishing to be a primary route to such compromise. Researchers at BlackFog were first to publish a report on the Venom stealer platform. But what makes Venom technically distinct, according to the threat intelligence experts at Abnormal AI who have analyzed it in depth, is everything from “an email engineered to defeat every layer of automated analysis, to a credential harvester that enrolls an attacker-controlled MFA device before the target’s browser has moved on.” This phishing-as-a-service platform, hired out to paying criminal customers, although not appearing to be advertised in any open seller criminal marketplaces or underground forums, impersonates Microsoft SharePoint document-sharing notifications and targets C-Suite members by name. That Venom is, it would seem, a closed-access platform that is only being distributed through highly vetted criminal channels, only serves to make it all the more concerning.
Like most phishing attacks, Venom operators begin with an email. A highly-targeted one, addressing C-Suite victims by name, and delivered by way of a rotating pool of compromised business email accounts. While impersonating a SharePoint document-sharing notification, the email purports to be an internal company alert from the SharePoint environment and includes a QR code for scanning to gain access.
Venom attack QR code.
Abnormal AI
Abnormal AI’s report explained that personalization is one layer of the email’s design, but it also employs others to evade detection. “To evade signature-based detection, every email contains throwaway HTML elements whose values are randomized on each send,” the report confirmed, “ensuring no two emails produce the same hash or string match.” There’s even an entirely fake email message thread included below the visible lure. “The thread is built around the target,” the report continued, “their email prefix is parsed into a display name, placed in the ‘From’ field of each message, and accompanied by a generated signature block containing their name, a fabricated phone number, their real email address, and their real company website.” A randomly-generated persona is the supposed correspondent, while message bodies are created using meeting proposal, business dissolution request or fake financial table templates. Not only is this a way of fooling the recipient into thinking the email is genuine, but it also fools spam classifiers. For all intents and purposes, the email is a perfectly legitimate corporate communication.
The QR code, if the victim is determined not to be a bot or malware detector, leads to a credential harvesting page which can present “their organization's logo, their own email address pre-filled, and if their account is federated, their actual IdP login page rather than a generic Microsoft form,” the analysis warned, adding “The experience is indistinguishable from a genuine sign-in because it is, in every visible respect, genuine.” When in Device Code mode, Abnormal Ai went on to confirm, the victim doesn’t even see a login form at all, but rather something purporting to be a Docusign notification. Copy a code, click through to Microsoft and approve the apparently routine device sign-in request. “That approval is the attack,” the Abnormal AI said, “.Microsoft authenticates the target against its own infrastructure and delivers the resulting access and refresh tokens directly to the attacker's polling backend.’ Which means, ultimately, that there is no credential form to detect, no proxy to identify, and no MFA to intercept. Genius. Evil genius.
ForbesAngry Hacker Drops Microsoft Zero-Day Exploit, 1 Billion Users WarnedBy Davey Winder“Once a cookie session is stolen,” Brian Bell, CEO of FusionAuth, said, “MFA becomes irrelevant. No password, no second factor–just a valid session your system already trusts.” If you’re not enforcing continuous validation, short-lived sessions, device context, and real-time revocation, Bell advised, attackers won’t need to break in as they will already be inside. “Venom makes one thing clear: credential rotation is not a recovery strategy. If the attacker is still on the endpoint, you’re just handing them new keys.” Identity infrastructure can no longer be about recovering from a breach, but rather must be about operating securely during a breach “through short-lived, tightly scoped tokens and continuous validation,” Bell concluded, “without that, organizations are not actually removing the risk.”
Now you know about Venom and the Microsoft SharePoint lure, so make sure to act accordingly if you get one.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。