RESEARCHERS at Abnormal uncovered a credential theft campaign that targeted C-suite executives and senior personnel at global organisations from November 2025 to March 2026, using a previously undocumented phishing-as-a-service platform called Venom as the campaign’s engine. According to Abnormal, Venom PhaaS features a licensing and activation model, structured token storage and a full campaign management interface, and represents a closed-access platform designed to render MFA ineffective.
The campaign’s lures included SharePoint document-sharing notifications aimed at CEOs, CFOs, chairmen and VP-level executives across more than 20 industry verticals, with targets invited to scan a QR code embedded in the email and greeted by a fabricated, multi‑persona email thread to evade detectors. Their landing page then filtered visitors to ascertain whether they were real human targets or automated tools, before directing valid victims to a credential harvester that could capture credentials and MFA codes.
Abnormal noted that this operation was technically complete not for a single novel technique, but for the cohesive integration of its components, and warned organisations to reassess MFA as a final barrier. according to Abnormal.