A phishing-as-a-service platform catalogued by researchers as VENOM has emerged targeting senior Microsoft 365 users — specifically executives, board members, and C-suite staff — using adversary-in-the-middle architecture to steal authenticated sessions and bypass multi-factor authentication.
Platform Architecture
VENOM operates as a structured AiTM phishing service with features specifically designed for executive targeting. The platform sits as a reverse proxy between the victim and Microsoft’s real authentication infrastructure — the victim sees a convincing Microsoft 365 login experience (including real MFA prompts), while VENOM transparently captures the authenticated session token, which is then passed to the operator dashboard in real time.
The targeting intelligence layer is what distinguishes VENOM from generic AiTM kits. The platform includes:
- Target enrichment integration — operators can import corporate email lists and VENOM cross-references LinkedIn and corporate directory data to identify job titles, filtering for C-suite, VP-level, general counsel, CFO, and board member roles before initiating campaigns
- Executive-specific lure templates — predefined phishing email templates themed around board communications, investor relations notifications, legal hold notices, and M365 administrative alerts — chosen specifically because executives are conditioned to treat these communications as high-priority and process them quickly without extended scrutiny
- Real-time operator dashboard — captured sessions are delivered to the operator within seconds, with a countdown indicating the remaining validity window for the stolen session token
Why Executive Accounts Are the Target
Compromising a senior executive’s Microsoft 365 account provides capabilities substantially beyond a standard user account breach. An executive M365 account typically grants access to sensitive strategic communications, financial projections, and board-level materials via Exchange; access to the executive’s OneDrive and SharePoint content; and — critically — the social authority to instruct financial and legal teams to take action, providing a pathway to business email compromise fraud.
Executive accounts are also less likely than IT or developer accounts to have strong conditional access policies or privileged identity management controls applied — organisations often exempt executives from friction-inducing security controls as an accommodation, creating a systematic targeting opportunity for platforms like VENOM.
Defensive Measures
Standard TOTP-based MFA does not prevent AiTM attacks — the session token is captured after successful MFA. The only protocol-level defence is FIDO2/passkey authentication, which cryptographically binds the authentication to the legitimate origin domain and cannot be relayed by a proxy.
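To make the origin-binding argument concrete, here is an added model (not code from the article or from any vendor) of the relying-party checks a WebAuthn verifier performs on a FIDO2 assertion, run against a legitimate login and against the same login relayed through an AiTM proxy. The domains are constructed placeholders, and HMAC-SHA256 under a shared key stands in for the authenticator's real ECDSA/RSA signature so the example runs on the standard library alone.

```python
import hashlib, hmac, json, os

# Constructed model of one WebAuthn assertion check. Real authenticators sign with ECDSA/RSA
# and hold one credential per RP ID; HMAC-SHA256 under a shared key stands in for the
# signature so this runs on the standard library alone (assumption).
AUTHENTICATOR_KEY = os.urandom(32)  # secret that never leaves the hardware key
RP_ID = "login.example.com"                            # constructed placeholder tenant
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.example-secure.invalid"  # constructed AiTM proxy origin

def client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def browser_assert(page_origin: str, challenge: str) -> dict:
    """Browser + authenticator: the browser records the origin it is really on and derives
    rpIdHash from it; the authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    cdj = client_data(page_origin, challenge)
    host = page_origin.split("://", 1)[1]
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    sig = hmac.new(AUTHENTICATOR_KEY, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": cdj, "signature": sig}

def rp_verify(assertion: dict, challenge: str) -> str:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "reject: type/challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "reject: origin mismatch"          # an honestly relayed assertion fails here
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "reject: signature invalid"       # a proxy-edited assertion fails here
    return "accept"

def legitimate_login(challenge: str = "chal-1") -> str:
    return rp_verify(browser_assert(RP_ORIGIN, challenge), challenge)

def relayed_login(challenge: str = "chal-2") -> str:
    # The victim's browser is on the proxy's origin, so the signed clientDataJSON says so.
    return rp_verify(browser_assert(PHISH_ORIGIN, challenge), challenge)

def relayed_login_origin_rewritten(challenge: str = "chal-3") -> str:
    # Even if the proxy rewrites origin and rpIdHash to the real values, both are covered
    # by the signature the key produced over the original data, so verification fails.
    a = browser_assert(PHISH_ORIGIN, challenge)
    a["clientDataJSON"] = client_data(RP_ORIGIN, challenge)
    a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify(a, challenge)
```

Contrast this with a TOTP code or a push approval, which carries no origin at all and so verifies identically whether the victim typed it into the real page or into the proxy.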
Specific recommendations:
- Enrol all C-suite and board-level accounts in FIDO2 hardware key authentication. Microsoft Entra ID supports FIDO2 as a phishing-resistant authentication method. Prioritise executive accounts even before completing the wider rollout.
- Apply Conditional Access policies specifically to high-value accounts — require compliant managed devices, apply sign-in frequency controls that limit session token lifetime, and configure Entra ID Protection risk-based sign-in policies to flag anomalous session usage.
- Enable Microsoft Defender for Office 365’s Executive Protection feature to add additional scrutiny to emails sent to flagged executive accounts.
- Conduct executive-specific security awareness training that explicitly explains AiTM phishing — the login page appears completely legitimate and the MFA prompt is real. Executives need to understand that seeing their normal MFA prompt does not guarantee the authentication is legitimate if the initiating email was suspicious.
- Review any third-party email security gateway configuration for executive accounts. Note that VENOM targets are typically enriched from corporate directory data exposed through LinkedIn, which requires no inside access; verify that executive names and titles are not exposed in public-facing directories beyond what is required.