Sneaky VENOM phishing campaign targets business executives by name


  • VENOM phishing kit specifically targets C-Suite executives
  • Emails mimic SharePoint notifications with Unicode QR codes
  • Attackers steal credentials, 2FA codes and access tokens

If you work as a director or senior manager in a large global organization, be on the lookout for a new phishing attack targeting you by name.

Security researchers at Abnormal have warned of a campaign in which threat actors carefully select their targets and then approach them with a highly personalized phishing email, the aim of which is to steal login credentials and 2FA codes.

The entire process is integrated into a previously undocumented phishing kit called VENOM, which has a licensing and activation model, structured token storage, and a comprehensive campaign management interface.


Stealing secrets

Abnormal says the kit has not yet appeared in any public threat intelligence database and has not been observed for sale on dark web forums, which suggests it is a closed-access platform distributed only through approved channels rather than a commodity kit anyone can buy.

The emails themselves are themed as SharePoint document-sharing notifications. Victims are led to believe that a document has been shared with them and are asked to scan the QR code provided in order to open it.

The QR code itself is the clever part. Instead of embedding an image, which email security products routinely extract and decode, the threat actors draw the code entirely from Unicode block characters laid out in the HTML body. To the camera of the recipient's phone the rendered glyphs form a perfectly scannable code, but to a filter that only inspects image attachments there is no QR image to find.
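A text-drawn QR code is still detectable if the filter looks at the rendered text rather than at images. The following is an added example, not code from the article or from Abnormal: a stdlib-only Python check that flattens an HTML body to visual lines, decodes entity-encoded characters such as `&#9608;` (so an attacker cannot hide the glyphs behind entities), and flags a run of consecutive lines made almost entirely of Unicode Block Elements (U+2580 to U+259F) that is tall enough to hold a QR symbol. The sample email body is constructed here and its module pattern is arbitrary, not a scannable code and not a real VENOM message; the thresholds are assumptions you would tune against your own mail stream.

```python
import html
import re

# Unicode "Block Elements" (U+2580-U+259F) plus the geometric squares that are
# commonly used to draw QR modules as text.
BLOCK_CHARS = {chr(cp) for cp in range(0x2580, 0x25A0)} | {"\u25a0", "\u25a1"}
# Characters that may legitimately fill the light modules of a text-drawn QR.
FILLER_CHARS = {" ", "\u00a0", "\u3000", "\t"}

# Opening block-level tags and <br> start a new visual line; every other tag
# is dropped. (Closing tags are deliberately not breaks, so <div>row</div>
# sequences do not produce empty lines between rows.)
_TAG_BREAK = re.compile(r"<\s*(?:br|div|p|tr|li)\b[^>]*>", re.I)
_TAG_ANY = re.compile(r"<[^>]+>")


def html_to_lines(body: str) -> list[str]:
    """Flatten an HTML body to the non-empty text lines a renderer would show.

    Entities are decoded after tag stripping, so &#9608; becomes U+2588 and is
    treated exactly like a literal block character.
    """
    text = _TAG_BREAK.sub("\n", body)
    text = _TAG_ANY.sub("", text)
    text = html.unescape(text)
    return [ln for ln in text.splitlines() if ln.strip()]


def is_grid_row(line: str, min_width: int = 15) -> bool:
    """A line looks like a row of QR modules if it is wide enough, consists
    almost entirely of block/filler characters and has at least one dark module."""
    if len(line) < min_width:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in line)
    fillers = sum(ch in FILLER_CHARS for ch in line)
    return blocks > 0 and (blocks + fillers) / len(line) >= 0.95


def detect_text_qr(body: str, min_rows: int = 10) -> dict:
    """Report the longest run of consecutive grid rows in an HTML body.

    A version-1 QR symbol is 21x21 modules: 21 lines of full-block characters
    or 11 lines of half-block characters. min_rows=10 (an assumed threshold)
    catches the smallest symbol while ignoring a line or two of box-drawing
    decoration in a signature.
    """
    lines = html_to_lines(body)
    best = {"rows": 0, "width": 0, "start_line": -1}
    run_start = None
    for idx, line in enumerate(lines + [""]):  # sentinel closes the last run
        if is_grid_row(line):
            if run_start is None:
                run_start = idx
            continue
        if run_start is not None:
            rows = idx - run_start
            if rows > best["rows"]:
                best = {"rows": rows,
                        "width": max(len(ln) for ln in lines[run_start:idx]),
                        "start_line": run_start}
            run_start = None
    best["flagged"] = best["rows"] >= min_rows
    return best


def _build_sample_html(size: int = 21) -> str:
    """Constructed test message (not a real VENOM artifact): a 21x21 grid drawn
    with U+2588 on even rows, the entity &#9608; on odd rows and &nbsp; for
    light modules. The pattern is arbitrary and does not scan."""
    rows = []
    for r in range(size):
        dark = "\u2588" if r % 2 == 0 else "&#9608;"
        cells = [dark if (r * 7 + c * 3) % 5 < 2 else "&nbsp;" for c in range(size)]
        rows.append('<div style="font-family:monospace;line-height:1">'
                    + "".join(cells) + "</div>")
    return ("<html><body><p>A document has been shared with you on SharePoint.</p>"
            "<p>Scan the code below to open it.</p>" + "".join(rows)
            + "<p>This link will expire in 24 hours.</p></body></html>")


SAMPLE_HTML = _build_sample_html()
BENIGN_HTML = "<html><body><p>Hi team, minutes attached.</p><p>Regards</p></body></html>"

if __name__ == "__main__":
    print(detect_text_qr(SAMPLE_HTML))   # flagged, 21 rows x 21 modules from line 2
    print(detect_text_qr(BENIGN_HTML))   # not flagged
```

The check is deliberately content-agnostic: it does not try to decode the QR, only to notice that a message is carrying one as text, which is enough to route it to a sandbox that renders the HTML and scans the screenshot. Half-block glyphs (U+2580, U+2584) fall inside the same range, so a code packed two module rows per line is caught as well.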

Those who scan the code first land on a fake verification checkpoint designed to filter out bots, scanners, sandboxes and security researchers. Victims who pass it are offered one of two ways to "authenticate": entering their username, password and 2FA code into the phishing page, or signing in through Microsoft's legitimate device code flow. The former captures the password and relays the one-time code to the attacker; the latter leaves the attacker holding the access tokens issued when the victim completes sign-in, because in the device code flow tokens are returned to whoever initiated the request, not to the browser the victim authenticated from.
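Why the second option hands the attacker tokens without a fake login page is easiest to see by walking through the protocol. Below is an added illustration, not Microsoft's implementation and not anything from the VENOM kit: a toy, in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) with the three messages in play. The endpoint names, code formats and token strings are assumptions. The party that calls the device authorization endpoint receives the `device_code`; the human is only ever shown the `user_code`, which they type into the real identity provider after a fully legitimate (MFA-satisfying) sign-in; the token endpoint then releases tokens to whoever polls with the `device_code`.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    """One pending device authorization, keyed by the secret device_code."""
    device_code: str
    user_code: str
    client_id: str
    scope: str
    expires_at: float
    authorized_user: Optional[str] = None


class ToyAuthorizationServer:
    """Minimal RFC 8628 authorization server. Assumed names; no network."""

    def __init__(self) -> None:
        self._by_device_code: dict[str, DeviceGrant] = {}
        self._by_user_code: dict[str, DeviceGrant] = {}

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 900) -> dict:
        """Message 1 (initiator -> server): the caller gets BOTH codes.
        In the phishing scenario the caller is the attacker."""
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),       # secret, kept by initiator
            user_code=secrets.token_hex(4).upper(),      # short code shown to the human
            client_id=client_id, scope=scope,
            expires_at=time.time() + lifetime)
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": "https://login.example/device",  # assumed
                "expires_in": lifetime, "interval": 5}

    def user_verifies(self, user_code: str, username: str, mfa_ok: bool = True) -> str:
        """Message 2 (human -> server, on the provider's real domain): the victim
        signs in with password and MFA and types the user_code. The server learns
        only which pending grant to approve; the browser receives no token."""
        grant = self._by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired_code"
        if not mfa_ok:
            return "mfa_required"
        grant.authorized_user = username
        return "approved"

    def token(self, device_code: str) -> dict:
        """Message 3 (initiator -> server, polled): tokens are minted for the
        approving user but delivered to the holder of device_code."""
        grant = self._by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.authorized_user is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-{grant.authorized_user}-{secrets.token_hex(4)}",
                "refresh_token": f"rt-{secrets.token_hex(8)}",
                "token_type": "Bearer", "scope": grant.scope}


def simulate_device_code_phish(victim: str = "cfo@example.com") -> dict:
    """Run the three messages in the order the article describes and return
    what each party ends up with. Identities are constructed."""
    srv = ToyAuthorizationServer()
    attacker_view = srv.device_authorization("attacker-client", "openid offline_access Mail.Read")
    pending = srv.token(attacker_view["device_code"])          # before the victim acts
    victim_result = srv.user_verifies(attacker_view["user_code"], victim, mfa_ok=True)
    attacker_token = srv.token(attacker_view["device_code"])   # after the victim acts
    return {"code_shown_to_victim": attacker_view["user_code"],
            "poll_before_victim": pending, "victim_result": victim_result,
            "attacker_token": attacker_token}


if __name__ == "__main__":
    for k, v in simulate_device_code_phish().items():
        print(f"{k}: {v}")
```

Two things follow from the exchange: the victim never sees a spoofed login page, so domain-bound password managers and URL inspection do not fire, and MFA is satisfied honestly, so the resulting refresh token survives a password reset until it is revoked. Blocking or tightly scoping the device code flow for tenants that do not need it is therefore the control that removes the option, rather than user training alone.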


The first line of defense against this campaign is the same as against any other phishing email: skepticism toward unsolicited document-sharing notifications and a firm habit of not scanning QR codes that arrive by email. Beyond user vigilance, phishing-resistant MFA (FIDO2 security keys or passkeys) defeats the password-and-code relay because there is no one-time code to capture, and organizations that do not need the device code flow can block it with a Microsoft Entra Conditional Access policy on authentication flows, which removes the token-theft option entirely.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). During his career, which spans more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also hosted several modules on content writing for Represent Communications.