Venom PhaaS Attacks (Phishing as a Service)

-



Venom phishing attacks refer to a newly uncovered, highly sophisticated phishing‑as‑a‑service (PhaaS) platform called VENOM, used in targeted credential‑theft campaigns against senior executives. The platform is notable for its stealth, precision targeting, and advanced MFA‑bypass techniques.

What VENOM Is
VENOM is a closed‑access PhaaS platform—not advertised on underground forums—that enables threat actors to run highly personalized phishing operations. It has been active since at least late 2025 and is used to target C‑suite executives (CEOs, CFOs, VPs, chairpersons) across more than 20 industries.
Its secrecy and selective access make it harder for researchers to track and for defenders to detect.

Who It Targets
VENOM focuses on high‑value corporate leadership, using tailored lures that mimic internal business communications. These attacks are not mass‑mailed; they are hand‑crafted for specific individuals, often using real names, company details, and fabricated email threads.

How the Attack Works (Attack Chain)
1. Highly Personalized Email Lures
Impersonate Microsoft SharePoint document‑sharing notifications.
Include fake email threads, multilingual text, and randomized HTML noise to evade detection.
Contain a Unicode‑rendered QR code that shifts the attack to mobile devices, bypassing desktop email scanners.

2. QR Code → Filtering Landing Page

Scanning the QR code sends the victim to a filtering page that:

  • Detects sandboxes, bots, and security scanners
  • Redirects non‑targets to legitimate sites
  • Sends real human targets to the credential‑harvesting platform

3. Credential Harvesting via Two Methods

A. Adversary‑in‑the‑Middle (AiTM)

  • Proxies the real Microsoft login page
  • Captures credentials, MFA codes, and session tokens in real time
  • Registers a new device on the victim’s account for persistence

B. Device‑Code Phishing

  • Tricks the victim into approving a rogue device
  • Grants long‑lived OAuth tokens that survive password resets
  • Increasingly popular—offered by at least 11 phishing kits

Why VENOM Is Dangerous

VENOM defeats traditional defenses by combining:

  • MFA bypass (AiTM + device‑code flow)
  • Session token theft
  • Real‑time Microsoft authentication relay
  • Highly personalized social engineering
  • Stealth filtering to avoid detection

Researchers emphasize that MFA alone is no longer sufficient against these attacks.

Recommended Defenses

Security researchers and Microsoft recommend:

  • FIDO2 / phishing‑resistant authentication
  • Disable unused device‑code flows
  • Stricter Conditional Access policies
  • Blocking legacy authentication
  • Enhanced QR‑code phishing detection



Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more