Venom PhaaS SharePoint QR-code campaign targeting C-suite executives

Campaign
Happening score
H score 37
2 unique sources, 2 articles

Summary

The Venom PhaaS operation ran a credential theft campaign against C-suite executives and senior personnel at major global organizations, creating a broad risk of account takeover and persistent access. It used SharePoint document-sharing notifications and QR code lures to drive victims into a fake verification flow before credential capture. The attack chain supported AiTM and device code abuse, allowing attackers to relay MFA codes and preserve access even after password resets.

Related Happenings

Healthcare phishing defense guidance for VPN MFA and continuous training

Defensive Guidance
First: 22.05.2026 16:17 Last: 22.05.2026 16:17 Sources 1

About this happening: Healthcare defenders were urged to treat **phishing** as a top priority, which matters because social engineering is a direct path to **credential abuse** in clinical environments...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

QR code phishing surged across email threats in Q1 2026

Target Trend
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....

Silent subject/null subject phishing campaign targeting executives and privileged users

Campaign
First: 22.04.2026 16:00 Last: 22.04.2026 16:00 Sources 1

About this happening: A **widespread silent subject/null subject phishing campaign** is sending subject-less emails to **high-value users**, raising the risk of **credential theft** and follow-on **lat...

Timeline

  1. 02.04.2026 03:00 2 articles · 1mo ago

    Abnormal discloses Venom credential-theft campaign

    Campaign Scope Update

    On April 2, 2026, researchers at Abnormal disclosed a credential theft campaign that targeted C-suite executives and senior personnel at major global organizations from November 2025 to March 2026. The operation used SharePoint document-sharing notifications and QR code lures to route victims into a fake verification checkpoint and a Venom PhaaS-backed credential harvester, including AiTM and device code paths that can relay MFA codes and preserve access.
