Threat Intelligence 2026-05-20 8 min read

VENOM: C-Suite Credential Theft Campaign Bypassing MFA

A five-phase campaign targeting executives across 20+ industries uses adversary-in-the-middle techniques to hijack sessions, rendering MFA ineffective.


This analysis is based on a documented campaign active for over five months in 2025-2026. 60% of targeted recipients hold C-level, President, or Chairman titles. MFA alone does not stop this attack.

Campaign Overview

A new credential theft campaign — tracked as VENOM — has been targeting senior executives across more than 20 industries. Unlike traditional phishing, this attack doesn't just steal passwords. It operates within fully authenticated Microsoft 365 sessions, making multi-factor authentication irrelevant once the attack succeeds.

The campaign is highly personalized: targets are selected by name and title, email lures are branded with the victim's own organization, and the entire attack chain is designed to bypass both technical controls and human suspicion.

The Five-Phase Attack Chain

Phase 1

Delivery — Branded SharePoint Notifications

Targets receive what appears to be a legitimate SharePoint notification, dynamically personalized with internal organizational branding. The email contains a QR code constructed entirely from Unicode characters — a technique that evades image-based email scanners. The lure mimics platforms executives interact with daily: SharePoint, DocuSign, or courier services.

Phase 2

Device Shift — Moving to Personal Mobile

When the target scans the QR code, the attack shifts to their personal phone — completely bypassing corporate proxies, endpoint detection, and network monitoring. The target's email address is double Base64-encoded in the URL fragment (after the #); browsers never send the fragment to the server, so the address is invisible to proxy logs and URL inspection tools.
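As an added example (not tooling from the original write-up), the Python helper below shows how an analyst triaging a reported lure can recover the targeted address by peeling the Base64 layers off the URL fragment. The lure URL, its hostname and the address it encodes are constructed for the example and are not campaign indicators.

```python
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Loose e-mail shape: enough to decide whether a decoded layer is an address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample lure URL (not a real campaign indicator). The fragment is
# "ceo@example.com" Base64-encoded twice, mirroring the technique described above.
SAMPLE_LURE_URL = "https://sharepoint-notice.invalid/verify#WTJWdlFHVjRZVzF3YkdVdVkyOXQ="


def _b64decode_lenient(data: str) -> Optional[bytes]:
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    data = data.strip().replace("-", "+").replace("_", "/")
    if not data:
        return None
    data += "=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def recover_fragment_email(url: str, max_layers: int = 3) -> Optional[Tuple[str, int]]:
    """Peel Base64 layers off the URL fragment until an e-mail address appears.

    Returns (address, layers_decoded), or None when no address is found within
    max_layers. Only the fragment is examined: browsers never send it to the
    server, which is why a proxy or URL-inspection log shows nothing of it.
    The full URL must therefore come from the lure itself (e.g. a decoded QR code).
    """
    current = unquote(urlsplit(url).fragment)
    for layer in range(max_layers + 1):
        if EMAIL_RE.match(current):
            return current, layer
        raw = _b64decode_lenient(current)
        if raw is None:
            return None
        try:
            current = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return None


if __name__ == "__main__":
    print(recover_fragment_email(SAMPLE_LURE_URL))  # ('ceo@example.com', 2)
```

The decoder stops at the first layer that looks like an address and gives up on anything that is not valid Base64, so it can be run safely over every reported link without special-casing single- or double-encoded variants.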

Phase 3

Bot Filtering — Fake Security Challenge

Before reaching the phishing page, visitors pass through a fake Cloudflare or Microsoft Defender verification. This gate uses User-Agent analysis, IP reputation checks, and proof-of-work challenges to filter out security crawlers and sandboxes. Automated tools are redirected to legitimate Microsoft pages.

Phase 4

Credential Harvesting — Real-Time Session Hijacking

The victim encounters a pixel-perfect replica of their organization's Microsoft sign-in page — complete with corporate logos and their pre-filled email address. Behind the scenes, an adversary-in-the-middle proxy relays credentials to Microsoft's API in real time, capturing session tokens and refresh tokens. An alternative Device Code flow has the victim authenticate directly on microsoft.com while tokens are silently delivered to the attacker.

Phase 5

Persistence — Rogue MFA Device Registration

Before the browser redirects the victim to a benign error page, the attacker registers a new MFA device under their control. This appears in Entra ID logs as a "SoftwareTokenActivated" event with the display name "NO_DEVICE." From this point, the attacker has persistent access that survives password resets — only full session and token revocation in Entra ID will lock them out.
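An added example, not the write-up's own tooling, of the detection logic a SOC could run over Entra ID audit records to catch this persistence step; it also serves the monitoring recommendation in the defense section further down. The records, account names, IP addresses and the flat record shape are constructed for the example (real audit entries are nested and must be mapped into this shape first); only the activity name and the "NO_DEVICE" display name come from the campaign description.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Activity and display name called out in the campaign write-up.
MFA_REGISTRATION_ACTIVITY = "SoftwareTokenActivated"
ROGUE_DISPLAY_NAME = "NO_DEVICE"

# Constructed sample records in a simplified, flat shape. Real Entra ID audit
# entries are nested (activityDisplayName, initiatedBy, targetResources, ...);
# map those fields into this shape before calling the detector. Accounts, times
# and IPs are invented for the example and are not campaign indicators.
SAMPLE_AUDIT_RECORDS = [
    {"time": "2026-05-12T08:14:03Z", "activity": "Update user", "user": "analyst@example.com",
     "ip": "203.0.113.10", "device_display_name": ""},
    {"time": "2026-05-12T08:20:41Z", "activity": "SoftwareTokenActivated", "user": "analyst@example.com",
     "ip": "203.0.113.10", "device_display_name": "Work phone"},
    {"time": "2026-05-12T08:22:17Z", "activity": "SoftwareTokenActivated", "user": "ceo@example.com",
     "ip": "198.51.100.77", "device_display_name": "NO_DEVICE"},
    {"time": "2026-05-12T09:01:55Z", "activity": "SoftwareTokenActivated", "user": "contractor@example.com",
     "ip": "198.51.100.77", "device_display_name": "NO_DEVICE"},
]

# Constructed watchlist: the executive accounts this campaign singles out.
EXECUTIVE_WATCHLIST = {"ceo@example.com", "cfo@example.com"}

REVOKE_ACTION = ("revoke all sessions and refresh tokens in Entra ID and remove the new "
                 "authentication method; a password reset alone does not evict the attacker")
CONFIRM_ACTION = "confirm the registration with the user out of band"


@dataclass(frozen=True)
class Finding:
    user: str
    time: str
    ip: str
    severity: str  # medium, high or critical
    reason: str
    action: str


def detect_rogue_mfa_registrations(records: Iterable[Dict], watchlist: Set[str]) -> List[Finding]:
    """Flag software-token registrations, escalating on the campaign's tell-tale display name.

    Every SoftwareTokenActivated event deserves a look (medium); one whose device is
    named NO_DEVICE is treated as attacker persistence (high), and as critical when
    the account is on the executive watchlist.
    """
    findings: List[Finding] = []
    for rec in records:
        if rec.get("activity") != MFA_REGISTRATION_ACTIVITY:
            continue
        user = rec["user"].lower()
        name = rec.get("device_display_name", "")
        if name == ROGUE_DISPLAY_NAME:
            severity = "critical" if user in watchlist else "high"
            reason = f"authenticator registered with display name {name!r}"
            action = REVOKE_ACTION
        else:
            severity = "medium"
            reason = f"new software token {name!r} registered"
            action = CONFIRM_ACTION
        findings.append(Finding(user, rec["time"], rec.get("ip", ""), severity, reason, action))
    return findings


def accounts_needing_revocation(findings: Iterable[Finding]) -> Set[str]:
    """Accounts whose IR handling must include full session and token revocation."""
    return {f.user for f in findings if f.severity in ("high", "critical")}


def shared_registration_ips(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Source IPs that registered a NO_DEVICE authenticator for more than one account."""
    by_ip: Dict[str, Set[str]] = {}
    for f in findings:
        if f.severity in ("high", "critical") and f.ip:
            by_ip.setdefault(f.ip, set()).add(f.user)
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = detect_rogue_mfa_registrations(SAMPLE_AUDIT_RECORDS, EXECUTIVE_WATCHLIST)
    for h in hits:
        print(h.severity.upper(), h.user, h.time, h.reason, "->", h.action)
    print("revoke:", sorted(accounts_needing_revocation(hits)))
    print("shared source IPs:", shared_registration_ips(hits))
```

The pivot on shared source IP is what turns one alert into a campaign view: when the same address registers NO_DEVICE authenticators for several accounts, every one of those accounts goes into the revocation list, not just the one that was reported.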

Example of a branded SharePoint phishing email with Unicode QR code used in the VENOM campaign
The Device Code authentication flow — victim authenticates on microsoft.com while tokens are silently delivered to the attacker

Why Social Engineering Makes This Work

Technical sophistication is only half the story. The campaign succeeds because it exploits deeply ingrained behavioral patterns in executive workflows:

  • Authority & routine — the impersonated platforms match daily executive workflows, triggering habitual responses without critical evaluation
  • Personalization — sender domains are derived from targets' own organizations, with company names in email footers, creating the appearance of internal communication
  • Verification normalization — fake security challenges mimic familiar web interactions, making the phishing flow feel legitimate
  • Visual authenticity — the credential page is a live mirror of the target's actual identity provider, visually indistinguishable from the real login
  • Device code subtlety — in this variant, the target performs a legitimate action on microsoft.com itself; the compromise lies entirely in where the resulting tokens are delivered

Defense Recommendations

Standard awareness training and MFA policies are insufficient against this class of attack. Organizations should prioritize:

  • Executive-specific phishing simulations — generic training doesn't address the personalized spear-phishing, vishing, and multi-vector attacks targeting C-suite roles
  • QR code phishing testing — simulate QR-based attacks before real adversaries deploy them; most organizations have zero coverage here
  • Microsoft 365 hardening — restrict Device Code authentication via Conditional Access, monitor Entra ID audit logs for suspicious "SoftwareTokenActivated" events, and ensure incident response includes explicit session and token revocation
  • Threat monitoring — track typosquatted domains and executive data exposure on the dark web to reduce the effectiveness of personalized lures
  • Multi-vector red team exercises — layer phishing, QR codes, vishing, and BEC testing to validate defenses across the full attack surface
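As an added example, not a policy from the write-up, this Python check evaluates a tenant's Conditional Access policies for the device code restriction recommended above, reporting why each policy falls short of a tenant-wide block. The policy objects are constructed and shaped after the Microsoft Graph conditionalAccessPolicy resource; treat the field names as an assumption to verify against the current Graph reference, and the policy names and excluded account as invented.

```python
from typing import Dict, Iterable, List

# Constructed policy objects shaped after the Microsoft Graph
# conditionalAccessPolicy resource (state, conditions.users,
# conditions.applications, conditions.authenticationFlows.transferMethods,
# grantControls.builtInControls). Field names are an assumption for this
# example; verify them against the current Graph reference before relying
# on them. Policy names and the excluded account are invented.
SAMPLE_POLICIES = [
    {
        "displayName": "Block device code flow (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.com"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def policy_gaps(policy: Dict) -> List[str]:
    """Reasons this policy does not block device code flow for all users and apps.

    An empty list means the policy blocks the flow tenant-wide. Excluded users are
    reported separately by device_code_posture, since break-glass exclusions are
    deliberate and should be reviewed rather than treated as a misconfiguration.
    """
    gaps: List[str] = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        gaps.append("state is %r, only 'enabled' policies enforce" % policy.get("state"))
    methods = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        gaps.append("authenticationFlows.transferMethods does not include deviceCodeFlow")
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("users.includeUsers is not 'All'")
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        gaps.append("applications.includeApplications is not 'All'")
    if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        gaps.append("grantControls.builtInControls does not contain 'block'")
    return gaps


def device_code_posture(policies: Iterable[Dict]) -> Dict:
    """Summarise whether any policy blocks device code flow and what the others lack."""
    report: Dict = {"blocked": False, "blocking_policies": [], "excluded_users": [], "gaps": {}}
    for policy in policies:
        name = policy.get("displayName", "<unnamed>")
        gaps = policy_gaps(policy)
        if gaps:
            report["gaps"][name] = gaps
            continue
        report["blocked"] = True
        report["blocking_policies"].append(name)
        users = (policy.get("conditions") or {}).get("users") or {}
        report["excluded_users"].extend(users.get("excludeUsers") or [])
    return report


if __name__ == "__main__":
    print(device_code_posture(SAMPLE_POLICIES))
```

Feed it the policy list returned by the Graph conditional access policies endpoint (or an exported JSON copy) and the report tells you whether the restriction is enforced, which policy enforces it, and which accounts sit outside it; the report-only pilot policy in the sample is a common reason a tenant believes it is covered when it is not.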

KEY TAKEAWAYS

  1. MFA alone is no longer sufficient — attackers operate inside fully authenticated sessions, making traditional multi-factor authentication irrelevant
  2. 60% of targets hold C-level titles — this is a precision campaign targeting executives by name, title, and organization
  3. Attacks shift to personal mobile devices — QR codes move the attack chain off corporate networks, bypassing endpoint detection and proxy monitoring entirely
  4. Password resets won't save you — attackers register rogue MFA devices for persistent access that survives credential changes

Key Takeaway

The VENOM campaign demonstrates that MFA is a necessary but no longer sufficient control for protecting executive accounts. When attackers operate within authenticated sessions and register persistent access mechanisms, the only effective response is a combination of hardened identity infrastructure, targeted human training, and proactive threat intelligence.

The attack doesn't bypass MFA — it makes MFA irrelevant by operating inside the authenticated session itself. Defending against this requires rethinking what "secure authentication" actually means in 2026.

Protect your executives from attacks like VENOM

Arsen provides AI-powered phishing simulations, QR code attack testing, and executive-specific training — exactly the defenses recommended against this campaign.
