Exposing VENOM: The Platform Behind a Credential Theft Campaign Targeting Executives by Name
A credential theft campaign targets C-suite executives, intercepting live Microsoft sign-ins and abusing OAuth protocols to establish persistent access.

CEOs, CFOs, and senior officers across 20+ industries are being targeted by name in a credential theft campaign engineered for persistent access that can survive standard remediation.
Attackers impersonate SharePoint notifications to initiate the attack, using QR codes and layered filtering to evade scanners and security tools before reaching the target. From there, the campaign operates within legitimate Microsoft authentication flows, relaying credentials or capturing OAuth tokens to convert a single sign-in into persistent access.
This is not a single tactic, but a coordinated attack chain where each stage is designed to protect the next. In investigating the campaign, Abnormal Threat Intelligence also identified VENOM, a previously undocumented phishing-as-a-service platform supporting the operation and enabling these techniques to scale.
Exposing VENOM outlines how the attack works and the actions security leaders can take to defend against it.
Download the Threat Intelligence Report to:
Understand how attackers turn live Microsoft sign-ins into persistent access
See the evasion techniques that defeat scanners, URL tools, and logs
Discover VENOM, the undocumented PhaaS platform found during investigation
Learn the strategic defenses CISOs should implement immediately
After viewing this resource, you are eligible for 1 CPE credit through ISC2.






