{"id":5062,"date":"2026-04-03T22:37:17","date_gmt":"2026-04-03T22:37:17","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/03\/new-phishing-platform-used-in-credential-theft-campaigns-against-c-suite-execs\/"},"modified":"2026-04-03T22:37:17","modified_gmt":"2026-04-03T22:37:17","slug":"new-phishing-platform-used-in-credential-theft-campaigns-against-c-suite-execs","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/03\/new-phishing-platform-used-in-credential-theft-campaigns-against-c-suite-execs\/","title":{"rendered":"New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-685ac63d-54d4-4d2b-b933-ee4c50b9c93c\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A credential theft campaign that targeted C-suite executives and senior personnel at major global organizations from November 2025 to March 2026 has been uncovered by researchers at Abnormal.<\/p>\n<p>They have detailed a previously undocumented phishing-as-a-service (PhaaS) platform called Venom that served as the campaign\u2019s engine in the backend infrastructure.<\/p>\n<h2><strong>Credential Harvesting Attack Explained<\/strong><\/h2>\n<h3><strong>The Lures: SharePoint Notifications and QR Code<\/strong><\/h3>\n<p>The campaign involved SharePoint document-sharing notifications sent as lures to a selected list of CEOs, CFOs, chairmen and VP-level executives across over 20 industry verticals.<\/p>\n<p>The lures leveraged financial report themes to encourage targets to scan a QR code embedded directly in the email body.<\/p>\n<p>Additionally, the phishing template employs multiple evasion tactics to bypass detection.<\/p>\n<p>To avoid signature-based scans, each email includes randomized throwaway HTML elements that alter the structure with every send.<\/p>\n
<p>A fabricated five-message email thread tailored to the target is also automatically inserted into the phishing email. The victim\u2019s email prefix is converted into a display name, used in the &#8220;From&#8221; fields alongside a generated signature with their real details (name, email, company website and a fake phone number).<\/p>\n<p>A second, randomly generated persona acts as the correspondent, while message bodies pull from fixed templates (e.g. meeting requests, financial tables) with multilingual text to mimic legitimate corporate communication.<\/p>\n<p>This combination of noise, personalization, and diversity helps evade spam classifiers.<\/p>\n<h3><strong>Filtering Out Non-Human Traffic to Isolate Targets<\/strong><\/h3>\n<p>Once scanned, the QR code leads to a landing page that acts as a fake verification checkpoint, determining whether the visitor is a real human target or something else, such as a security scanner, a sandbox or an automated tool.<\/p>\n<p>\u201cVisitors who pass all checks are routed to the credential harvester. Everyone else hits a dead end, with no indication that anything suspicious was encountered,\u201d the Abnormal researchers noted in an April 2 report.<\/p>\n<h3><strong>Multifactor Authentication Rendered Ineffective<\/strong><\/h3>\n<p>Victims are then faced with one of two credential-harvesting methods.<\/p>\n<p>In the first, an adversary-in-the-middle (AiTM) setup perfectly mimics the victim\u2019s real login portal, complete with their company branding, pre-filled email and even their organization\u2019s actual identity provider, while silently relaying credentials and multifactor authentication (MFA) codes to Microsoft\u2019s live systems.<\/p>\n<\/div>\n
<figure id=\"layout-d2241c11-c555-4e13-a376-407eb6e452e8\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/localimages\/5c66c7da-e647-4ac6-b487-6e836daabe68.png\" alt=\"Adversary-in-the-middle (AiTM) mode credential harvester flow. Source: Abnormal\"><figcaption>Adversary-in-the-middle (AiTM) mode credential harvester flow. Source: Abnormal<\/figcaption><\/figure>\n<div id=\"layout-795a49e9-673e-4536-b434-3e3e890faaa6\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The second method avoids login forms entirely, instead tricking the victim into approving a device sign-in through Microsoft\u2019s legitimate device code flow, which then hands over access tokens directly to the attacker.<\/p>\n<p>Once authenticated, the attack ensures persistence without raising suspicion.<\/p>\n<\/div>\n<figure id=\"layout-8be60219-d4a7-4854-810f-5946d7eb0bb2\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/localimages\/275eacb0-d4c5-4c26-8b12-2bc1b6d75b9d.png\" alt=\"Device code mode credential harvester flow. Source: Abnormal\"><figcaption>Device code mode credential harvester flow. Source: Abnormal<\/figcaption><\/figure>\n<div id=\"layout-f27b3b6a-90da-4024-9844-7c6c713e6919\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<p>In the AiTM mode, the attacker quietly registers a secondary MFA device on the victim\u2019s account, leaving their original authenticator intact and avoiding any visible changes.<\/p>\n
<p>In the device code mode, the stolen refresh token remains valid even after password resets, unless an administrator manually revokes all active sessions. This is a step most organizations don\u2019t take by default, the Abnormal researchers noted.<\/p>\n<p>The result is an attack that blends into normal authentication flows, evades detection and maintains access long after the initial compromise.<\/p>\n<h2><strong>Venom PhaaS: The Engine Behind the Campaign<\/strong><\/h2>\n<p>The Venom PhaaS powering the campaign features a licensing and activation model, structured token storage and a full campaign management interface.<\/p>\n<p>At the time of analysis, Venom had not appeared in any public threat intelligence database and had not been identified on open seller marketplaces or underground forums.<\/p>\n<p>According to the researchers, this campaign is \u201cone of the more technically complete phishing operations we&#8217;ve documented, [but] less for any single novel technique than for how deliberately each component has been engineered to work together.\u201d<\/p>\n<p>The operator has built an end-to-end pipeline in which every stage actively protects the next, and a system that renders MFA ineffective.<\/p>\n<p>\u201cThe discovery of Venom adds a force multiplier dimension. A closed-access PhaaS platform with licensing, campaign management and structured token storage suggests this capability is not limited to a single operator,\u201d they warned.<\/p>\n<p>\u201cOrganizations should assume that the techniques documented here will proliferate and that defensive strategies relying on MFA as a final barrier require immediate reassessment.\u201d<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A credential theft campaign that targeted C-suite executives and senior personnel at major global organizations from November 2025 to March 2026 has been uncovered by researchers at Abnormal. 
\u00a0They have detailed a previously undocumented phishing-as-a-service (PhaaS) platform called Venom that served as the campaign\u2019s engine in the infrastructure backend. Credential Harvesting Attack Explained The Lures:<\/p>\n","protected":false},"author":2,"featured_media":5063,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5062","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5062-73fa5866-b847-4882-b1d9-ed4024c540b9-
146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5062","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5062"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5062\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5063"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5062"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5062"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5062"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}