Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called “VENOM” are targeting credentials of C-suite executives across multiple industries. The operation has been active since at least last November and appears to target specific individuals who serve as CEOs, CFOs, or VPs at their companies. VENOM also seems to be closed access, as it has not been promoted on public channels and underground forums, thus reducing its exposure to researchers. The phishing emails, observed by researchers at cybersecurity company Abnormal, impersonated Microsoft SharePoint document-sharing notifications as part of internal communication. The messages are highly personalized and include random HTML noise such as fake CSS classes and comments. The attacker also injects fake email threads tailored to the target, increasing credibility. A QR code rendered in Unicode is provided for the victim to scan for access. The trick is designed to bypass scanning tools and shift the attack to mobile devices. “The target's email address is double Base64-encoded in the URL fragment—the portion after the # character,” Abnormal researchers explain. “Fragments are never transmitted in HTTP requests, making the target's email invisible to server-side logs and URL reputation feeds.”