
Highly evasive spear-phishing campaign targeting senior execs ‘neutralizes’ MFA

A sophisticated spear-phishing campaign targeting senior executives at companies across dozens of industries leverages several evasion mechanisms and a newly discovered phishing kit called VENOM, Abnormal AI revealed in a report Thursday.

The campaign, observed by Abnormal from November 2025 through March 2026, targets corporate Microsoft 365 logins and “neutralizes” multi-factor authentication (MFA) by using adversary-in-the-middle (AiTM) and device code abuse techniques.

The attackers aim for maximum impact by targeting company leadership, with 60% of targets having C-level, president or chairman titles, Abnormal noted. No particular industry is targeted, with attacks observed across more than 20 verticals.

The attacks begin with an email lure, most commonly imitating a SharePoint document-sharing notification. The attacker spoofs the sender address to appear like an internal email, using the format sharepointadmin@[target’s domain].

The email contains a QR code constructed in HTML using Unicode characters rather than an image file, evading email defenses that scan for malicious QR code images. The emails also leverage several other evasion techniques, including the injection of invisible, randomized “junk HTML” to defeat signature-based detection and the inclusion of a fake email thread, automatically populated with the target’s name and email address, to make the email appear more like legitimate correspondence.

When the victim scans the QR code, likely moving the attack from a managed device to a personal mobile device, they are met with a page that performs several checks to ensure they are the intended target and not a security scanner. To the target, the page displays a typical Cloudflare or Microsoft anti-bot check.

In the background, a user-agent screening is performed to detect headless browsers, automation frameworks and other signs of security tools, which includes the use of a 385-entry blocklist. Next, an IP reputation check is performed that includes a check against about 65 specific IPs and 38 cloud and security-related keywords, followed by a human-interaction gate that includes three honeypot elements – hidden elements likely to be interacted with by automated tools but not human users.

The last check is a proof-of-work challenge, after which verified targets are sent to a fake login or document access page. Users that fail any of the checks are directed to a benign domain such as Google or Amazon.

Two methods used to sidestep MFA protection

Abnormal identified two different types of phishing pages used in the campaign: one that leverages an AiTM technique to intercept and relay credentials and MFA approvals, and one that exploits Microsoft’s device code authentication flow.

The AiTM attack uses a realistic Microsoft login interface that includes the logo of the target’s organization and prefills their email address. For federated accounts, the login page for the target’s specific identity provider is shown. The target’s credentials and MFA response are relayed in real time via the Microsoft identity API, granting the attacker access to the victim’s account. The attacker then registers a new MFA device on the victim’s account for persistent access.

Evasion techniques continue to be used at this stage, with an additional anti-bot mechanism analyzing the user’s behavior as they enter their credentials. The researchers note that the fake login page’s URL includes a “#SandBox” fragment, which is required for the login form to display but will not appear in logs, as URL fragments aren’t sent in HTTP requests. If one were to visit the phishing URL without the #SandBox fragment, a benign AI-generated business website would be displayed.

The device code version of the phishing attack presents the target with a verification prompt to access a Docusign document. This page abuses the device code authentication flow, normally used to authenticate internet of things (IoT) devices such as gaming systems and smart TVs, by displaying the code to the victim and instructing them to submit it to view the document.

The victim is directed to a legitimate Microsoft page where they submit the code and log in, unknowingly giving the attacker’s device access to their account. The attacker can maintain persistent access, even after a password reset, unless an administrator revokes all active sessions within Entra ID, Abnormal said.

Abnormal tied these attacks to a phishing-as-a-service (PhaaS) platform called VENOM, which has not previously been documented in public threat intelligence databases, nor advertised on known cybercrime marketplaces. VENOM is believed to be distributed through a closed-access or invitation-based system, giving it a low profile, the researchers said.

The VENOM platform panel gives licensed users the ability to manage their phishing and credential harvesting campaigns, test and keep track of their live session tokens, and preserve raw OAuth server responses, potentially enabling the re-derivation of expired tokens.

Abnormal recommends that organizations defend against similar attacks by restricting device code authentication flows when not required, auditing and monitoring MFA device registrations and using behavior-based email and account defenses that use AI to recognize phishing and compromised account activity. The researchers noted that MFA devices registered through this campaign will appear in Entra ID logs as “SoftwareTokenActivated” events with the display name “NO_DEVICE.”

The researchers also said that incident response to MFA neutralizing attacks requires full revocation of active sessions, tokens and enrolled devices, to ensure that unauthorized access cannot persist after password resets.
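The log indicator Abnormal cites (a “SoftwareTokenActivated” registration whose display name is “NO_DEVICE”) lends itself to a simple triage sweep that pairs each such registration with the interactive sign-in that preceded it, so responders know which session to revoke. The following is an added example, not Abnormal’s code; the flat record layout and sample values are constructed and are not a real Entra ID export format.

```python
"""Triage sweep for attacker-registered MFA methods (added example).

Assumptions: audit and sign-in records are flat dicts with the keys
ts, user, activity, displayName / ip. Real Entra ID exports differ;
map the field names to your own export before use.
"""
from datetime import datetime, timedelta, timezone

# Indicators quoted in the report: activity name and MFA display name.
SUSPICIOUS_ACTIVITY = "SoftwareTokenActivated"
SUSPICIOUS_DISPLAY_NAME = "NO_DEVICE"

# Constructed sample audit records (assumed layout, not a real export).
SAMPLE_AUDIT = [
    {"ts": "2026-02-03T09:14:10Z", "user": "ceo@example.test",
     "activity": "SoftwareTokenActivated", "displayName": "NO_DEVICE"},
    {"ts": "2026-02-03T11:02:55Z", "user": "cfo@example.test",
     "activity": "SoftwareTokenActivated", "displayName": "Pixel 8"},
    {"ts": "2026-02-04T16:40:01Z", "user": "it@example.test",
     "activity": "PasswordChanged", "displayName": ""},
]
# Constructed sample interactive sign-ins to correlate against.
SAMPLE_SIGNINS = [
    {"ts": "2026-02-03T09:11:30Z", "user": "ceo@example.test", "ip": "203.0.113.45"},
    {"ts": "2026-02-02T08:00:00Z", "user": "cfo@example.test", "ip": "198.51.100.7"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_suspicious_registrations(audit):
    """Registrations matching both indicators from the report."""
    return [r for r in audit if r["activity"] == SUSPICIOUS_ACTIVITY
            and r["displayName"] == SUSPICIOUS_DISPLAY_NAME]

def correlate_with_signin(reg, signins, window_minutes=15):
    """Sign-in by the same user within the window before the registration, or None."""
    t = _parse(reg["ts"])
    for s in signins:
        if s["user"] == reg["user"]:
            delta = t - _parse(s["ts"])
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                return s
    return None

def triage(audit, signins):
    """One finding per suspicious registration, with the preceding sign-in IP if any."""
    findings = []
    for reg in find_suspicious_registrations(audit):
        hit = correlate_with_signin(reg, signins)
        findings.append({"user": reg["user"], "registered_at": reg["ts"],
                         "preceding_signin_ip": hit["ip"] if hit else None})
    return findings
```

Each finding identifies the account whose sessions, tokens and enrolled methods need the full revocation the researchers describe; the "Pixel 8" registration is deliberately left unflagged to show the display-name condition doing its work.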
