Inside VENOM:
The PhaaS Platform Behind Targeted C-Suite Credential Theft
Abnormal AI and Alchemy are hosting an invitation-only briefing on VENOM, a previously undocumented phishing-as-a-service platform used by attackers to neutralize MFA and compromise executive accounts. You'll learn how this campaign is designed to evade traditional security tools and what you can do to reduce your risk.
In This Briefing
Understand the full attack lifecycle
See why rules- and signature-based defenses miss it
Explore where attacker tactics are heading next
Get concrete steps to minimize your vulnerability now
* Attendees are also eligible for a custom threat intelligence brief tailored to their industry
Secure Your Invite
Session
Wednesday, May 20
4:00 PM UTC · 60 min
Why This Matters
Modern email attacks target the people and processes that run the business.
This session walks through a five-month active campaign targeting named C-suite leaders, showing how attackers hijack Microsoft 365 authentication flows to gain persistent access that survives password resets.
01
Executives targeted by name
These are not mass campaigns. The operators research individual targets, and the lures reference names and company context, dynamically generated from the target’s email address, before any payload is delivered.
Why this is different
Precision at this level signals purpose-built infrastructure for high-value targets. This is not opportunistic spray-and-pray.
02
Persistence that survives remediation
Once a target completes the campaign’s authentication flow, access persists through attacker-enrolled MFA devices or captured OAuth refresh tokens, depending on the mode—even after standard remediation steps are taken.
Why this is different
Standard IR assumes credential resets contain the breach. This campaign is designed to operate below that layer.
03
Legitimate Microsoft infrastructure as the weapon
In AiTM mode, targets interact with a real Microsoft sign-in that is proxied in real time. In Device Code mode, they authenticate directly at Microsoft’s own login page.
Why this is different
Blocking phishing URLs doesn’t help when the authentication page is real. This campaign weaponizes Microsoft’s own infrastructure.
04
Designed to evade your current stack
SEGs, MFA enforcement, and conditional access policies have limited visibility into the authentication and token layer this campaign exploits. Unicode-rendered QR codes leave no image artifact for scanners to process.
Why this is different
Detection requires behavioral analysis of authentication activity and token usage—not signature-based controls alone.
What You'll Learn
The anatomy of this campaign and how to protect your organization.
01
The Attack Chain
Walk through the full lifecycle of an attack—from initial phishing email to persistent account access—and understand each stage where defenses can intervene.
02
Why Existing Controls Fail
Learn why MFA, conditional access, and legacy email gateways are insufficient against the campaign’s authentication exploitation techniques.
03
How Tradecraft Is Evolving
Understand how phishing-as-a-service platforms like VENOM are professionalizing attacks and what this means for the threat landscape in 2026 and beyond.
04
Actions to Reduce Exposure
Get a concrete set of steps your security team can take this week to reduce exposure to this type of campaign and similar account takeover threats.
Who Should Attend
Your executives are the target. Make sure the right people are briefed.
Why attend as a CISO
Understand how executive-targeted attacks bypass controls you’ve already invested in — and what gaps require an architectural response.
Your Hosts
Meet the team that discovered VENOM.
Hosted by Abnormal AI's Threat Intelligence team and Alchemy Tech Group, this closed-door session provides a first look at the campaign and concrete steps to protect your organization.

Ryan Devendorf
Threat Intelligence Researcher
Ryan is a principal researcher on the team that mapped VENOM's full attack chain and identified its persistence mechanisms.

Mark Grassmann
Practice Director, Cybersecurity, Alchemy Tech Group
Mark Grassmann is a cybersecurity thought leader and industry expert known for turning complex security challenges into clear, actionable strategies. He partners with organizations across the country to design and execute modern cybersecurity programs.
Read the Complete VENOM Threat Report
The full technical report covers VENOM's attack chain, infrastructure signatures, behavioral indicators, and detection guidance — written by the researchers who discovered and tracked the platform.
Limited Availability
Request Your Invitation
This invitation-only session is limited to qualified security leaders. Reserve your spot and a member of our team will confirm your eligibility.