- VENOM phishing kit targets C-Suite executives by name
- Emails mimic SharePoint messages with Unicode QR codes
- Attackers steal credentials, 2FA codes and access tokens
If you are an executive or C-Suite member at a major global organization, be on the lookout for a new phishing attack targeting you by name.
Security researchers at Abnormal have warned of a campaign where threat actors carefully select their targets and then approach them with a highly tailored phishing email aimed at stealing login credentials and 2FA codes.
The entire process is built into a previously undocumented phishing kit called VENOM, which has a license and activation model, structured token storage, and a full campaign management interface.
Steal secrets
Abnormal says VENOM has not yet appeared in any public threat intelligence databases and has not been observed being sold on dark-web forums. This means that it is most likely a closed-access platform that is distributed through controlled channels.
The emails themselves are themed around SharePoint document sharing messages. Victims are tricked into thinking they have been given a document and are encouraged to scan the accompanying QR code to access it.
The QR code itself is also a work of art. Instead of simply embedding an image (which can be picked up by email security solutions), the threat actors built it entirely from Unicode block characters rendered in an HTML .
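A defender-side heuristic for the technique described above, as an added example that is not from Abnormal's research or the original article: it flags HTML email bodies that contain a grid of Unicode block characters. The function names and thresholds (11 rows, 11 characters wide, 30% block density) are assumptions chosen for illustration, and the sample body is constructed.

```python
import html
import re

# Unicode "Block Elements" range (U+2580-U+259F): full, half and quadrant blocks.
BLOCK = re.compile(r"[\u2580-\u259F]")
# Tags that end a visual row when the grid is laid out with markup.
ROW_BREAK = re.compile(r"(?i)<br\s*/?>|</(?:tr|div|p|pre)\s*>")
TAG = re.compile(r"<[^>]+>")

def text_rows(body: str) -> list[str]:
    """Reduce an HTML body to visual text rows, decoding entities such as &#9608;."""
    body = TAG.sub("", ROW_BREAK.sub("\n", body))
    return [html.unescape(r).replace("\u00a0", " ") for r in body.splitlines()]

def block_grid_rows(body: str, min_width: int = 11, min_ratio: float = 0.3) -> int:
    """Return the longest run of consecutive rows that look like QR grid rows."""
    best = run = 0
    for row in text_rows(body):
        blocks = len(BLOCK.findall(row))
        # A grid row is wide, made only of blocks and spaces, and block-dense.
        only_grid = row != "" and all(BLOCK.match(c) or c == " " for c in row)
        if only_grid and len(row) >= min_width and blocks / len(row) >= min_ratio:
            run += 1
            best = max(best, run)
        else:
            run = 0  # ordinary text or markup between rows breaks the grid
    return best

def looks_like_unicode_qr(body: str, min_rows: int = 11) -> bool:
    # Assumption: a version 1 QR code is 21x21 modules; drawn with half blocks
    # that is 11 text rows, so 11 is used as the lower bound.
    return block_grid_rows(body) >= min_rows

# Constructed sample: 12 rows of a repeating block pattern, not a real QR code.
SAMPLE = "".join(f"<div>{'&#9608; &#9600;&#9604;' * 6}</div>" for _ in range(12))
# Constructed benign body: a short progress bar inside ordinary text.
BENIGN = "<p>Upload progress: &#9608;&#9608;&#9608;&#9617;&#9617; 60%</p><p>Thanks</p>"

if __name__ == "__main__":
    print(looks_like_unicode_qr(SAMPLE), looks_like_unicode_qr(BENIGN))
```

Because the rows are checked after entity decoding and tag stripping, the check does not depend on which HTML element or encoding the sender used to lay out the grid.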
Those who scan the code are first redirected to a fake verification checkpoint designed to filter out bots, scanners, sandboxes and security researchers. After passing the checkpoint, victims are presented with one of two ways to authenticate: either with login credentials and a 2FA code, or through device logon using Microsoft’s legitimate device code flow. The former steals passwords and forwards 2FA codes, while the latter obtains access tokens.
Defending against these attacks is the same as against any other phishing email – by using common sense, skepticism and a touch of paranoia when reading emails.