This devious VENOM phishing campaign targets business executives by name — so watch what you click on
Researchers warn of new VENOM phishing kit
By Sead Fadilpašić · TechRadar · News · published 6 April 2026
- VENOM phishing kit targets C-Suite executives by name
- Emails mimic SharePoint notifications with Unicode QR codes
- Attackers steal credentials, 2FA codes, and access tokens
If you work as a director or C-suite executive at a major global organization, be on the lookout for a new phishing attack targeting you by name.
Security researchers from Abnormal have warned of a campaign in which the threat actors carefully cherry-pick their targets and then approach them with a highly tailored phishing email, whose goal is to steal login credentials and 2FA codes.
The entire process is built in a previously undocumented phishing kit called VENOM, which has a licensing and activation model, structured token storage, and a full campaign management interface.
Stealing secrets
Abnormal says that VENOM has not yet appeared in any public threat intelligence databases and was not observed being sold on dark-web forums. This means that it is most likely a closed-access platform distributed through vetted channels.
The emails themselves are themed around SharePoint document-sharing notifications. The victims are led to believe they have been given a document, and are invited to scan the provided QR code to access it.
The QR code itself is a work of art, as well. Instead of simply embedding an image (which might get picked up by email security solutions), the threat actors built it entirely from Unicode block characters rendered inside an HTML .
Those who scan the code are first redirected to a fake verification checkpoint, designed to filter out bots, scanners, sandboxes, and security researchers. After passing the checkpoint, the victims are presented with one of two ways of authenticating: either with login credentials and a 2FA code, or through device sign-in using Microsoft’s legitimate device code flow. The former steals passwords and relays 2FA codes, while the latter obtains access tokens.
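For defenders, the Unicode QR code described above can be flagged in mail bodies without any image analysis. The following is an added example, not code from Abnormal or from the kit: a heuristic that looks for a QR-sized grid of Unicode block characters in an email's HTML. The function names, the thresholds (at least 10 rows of 21 or more glyphs, based on the smallest QR symbol being 21×21 modules) and the sample message are assumptions made for illustration.

```python
import html
import re

# Unicode "Block Elements" (U+2580-U+259F): full, half, quadrant and shade glyphs.
BLOCKS = {chr(c) for c in range(0x2580, 0x25A0)}
GRID = BLOCKS | {" ", "\u00a0"}  # light modules are typically spaces or NBSP
ROW_BREAK = re.compile(r"(?i)<br\s*/?>|</(?:tr|div|p|pre)\s*>")
TAG = re.compile(r"<[^>]+>")

def text_rows(body_html):
    """Flatten an HTML body into visual text rows with entities decoded."""
    marked = ROW_BREAK.sub("\n", body_html)
    return [html.unescape(TAG.sub("", r)).strip("\r\t") for r in marked.split("\n")]

def is_grid_row(row, min_width):
    """Wide, made only of block/blank glyphs, and at least a quarter blocks."""
    if len(row) < min_width or any(ch not in GRID for ch in row):
        return False
    return 4 * sum(ch in BLOCKS for ch in row) >= len(row)

def find_block_grids(body_html, min_rows=10, min_width=21):
    """Return (first_row, row_count, width) for each QR-sized block grid.

    Thresholds are assumptions: with half-block glyphs one text row carries
    two module rows, so a 21x21 symbol needs about 11 rows of 21 glyphs.
    """
    hits, start = [], None
    rows = text_rows(body_html) + [""]  # sentinel closes a trailing run
    for i, row in enumerate(rows):
        if is_grid_row(row, min_width):
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_rows:
                hits.append((start, i - start, max(map(len, rows[start:i]))))
            start = None
    return hits

def sample_email():
    """Constructed sample: a 12x25 patterned block grid, not a real QR code."""
    glyphs = "█▀▄ "
    rows = ["".join(glyphs[(3 * r + 5 * c + r * c) % 4] for c in range(25))
            for r in range(12)]
    cells = "".join(f"<tr><td>{row.replace(' ', '&nbsp;')}</td></tr>" for row in rows)
    return f"<p>A document was shared with you.</p><table>{cells}</table>"

if __name__ == "__main__":
    print(find_block_grids(sample_email()))
```

A hit is a signal to route the message for QR decoding or manual review rather than a verdict, since legitimate mail occasionally contains block-character art.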