- VENOM Phishing Kit Targets C-Suite Executives by Name
- Emails mimic SharePoint notifications with Unicode QR codes
- Attackers steal credentials, 2FA codes and access tokens
If you work as a director or C-Suite at a major global organization, be on the lookout for a new phishing attack targeting you by name.
Security researchers at Abnormal have warned of a campaign where threat actors carefully select their targets and then approach them with a highly personalized phishing email, which aims to steal login credentials and 2FA codes.
The entire process is based on a previously undocumented phishing kit called VENOM, which has an activation and licensing model, structured token storage, and a complete campaign management interface.
Steal secrets
Abnormal says VENOM has not yet appeared in any public threat intelligence databases and has not been observed for sale on dark web forums. This means that it is most likely a closed-access platform distributed through vetted channels.
The emails themselves are themed around SharePoint document sharing notifications. Victims are led to believe that they have been given a document and are invited to scan the QR code provided to access it.
The QR code itself is also a work of art. Instead of simply embedding an image (which could be detected by email security solutions), the threat actors created it entirely from Unicode block characters rendered in HTML.
Those who scan the code are first redirected to a fake verification checkpoint, designed to filter out bots, scanners, sandboxes, and security researchers. After passing the checkpoint, victims are presented with one of two ways to authenticate: either with login credentials and a 2FA code, or by signing in through Microsoft’s legitimate device code flow. The former steals passwords and transmits 2FA codes, while the latter obtains access tokens.
Defending yourself against these attacks is the same as defending against any other phishing email: use common sense, skepticism, and a touch of paranoia when reading your emails.
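For mail filters, the text-based QR code described above leaves a recognizable shape in the message HTML: many consecutive rows made almost entirely of Unicode block characters. The Python heuristic below is an added example, not code from Abnormal or from the kit; the function names, the thresholds and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKS = {chr(c) for c in range(0x2580, 0x25A0)}    # Unicode "Block Elements" range
BLANKS = {" ", "\u00a0"}                             # light modules: space or nbsp
ROW_BREAKS = {"br", "div", "p", "tr", "pre", "li"}   # tags that end a visual row

class RowText(HTMLParser):
    """Collect visible text as rows, splitting at line-breaking tags and newlines."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.rows = [""]
    def new_row(self, tag=None):
        if (tag is None or tag in ROW_BREAKS) and self.rows[-1]:
            self.rows.append("")
    def handle_starttag(self, tag, attrs):
        self.new_row(tag)
    def handle_endtag(self, tag):
        self.new_row(tag)
    def handle_data(self, data):
        for i, part in enumerate(data.split("\n")):
            if i:
                self.new_row()
            self.rows[-1] += part

def is_grid_row(row, min_width=21):
    """Assumed heuristic: >= 21 chars (smallest QR is 21x21), >= 90% blocks/blanks."""
    if len(row) < min_width or not any(ch in BLOCKS for ch in row):
        return False
    return sum(ch in BLOCKS or ch in BLANKS for ch in row) / len(row) >= 0.9

def find_unicode_qr(html, min_rows=10):
    """Longest block-character grid as (first_row, row_count), or None; min_rows is assumed."""
    parser = RowText()
    parser.feed(html)
    parser.close()
    best, start = None, None
    for i, row in enumerate(parser.rows + [""]):     # trailing "" flushes the last run
        if is_grid_row(row):
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_rows and (best is None or i - start > best[1]):
                best = (start, i - start)
            start = None
    return best

def sample_email(rows=11, width=21):
    """Constructed sample (not a real lure): one <div> of half-blocks per row."""
    grid = "".join("<div>%s</div>" % "".join("█▀▄ "[(r + c) % 4] for c in range(width)) for r in range(rows))
    return "<html><body><p>A document was shared with you.</p>" + grid + "</body></html>"
```

A hit from `find_unicode_qr` is a signal to combine with others, such as a SharePoint-themed subject from an external sender, since legitimate mail occasionally contains block-character art.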




