By NHI Mgmt Group Editorial Team
Published 2026-04-02
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: VENOM is a closed phishing-as-a-service platform that combines SharePoint-themed lures, real-time session relay, Device Code abuse, and post-auth persistence to bypass MFA and retain access after password resets, according to Abnormal AI. The campaign shows that authentication controls can fail at the protocol boundary when session and token lifecycle governance is weak.


At a glance

What this is: An analysis of the VENOM phishing campaign and its MFA-bypass methods, showing how attackers use session relay, Device Code flow abuse, and token persistence to keep access.

Why it matters: IAM and security teams cannot treat MFA as a final control if refresh tokens, device enrollment, and session revocation are not governed as part of the same access lifecycle.

By the numbers:

👉 Read Abnormal AI's analysis of the VENOM phishing campaign and MFA bypass


Context

VENOM is a private phishing-as-a-service platform built to steal access through the identity layer rather than by breaking infrastructure. The article's primary point is that MFA can be bypassed when attackers relay live sessions or hijack Microsoft's Device Code flow, then preserve access through token or device persistence.

For IAM teams, the relevant problem is not only credential theft but lifecycle failure after authentication succeeds. If sessions, refresh tokens, and device registrations are not revoked together, password resets can close the symptom while leaving the attacker inside the account.

The campaign also shows how targeted phishing has become operationalised. The article describes named targeting of executives across more than 20 verticals, which makes access governance and executive protection part of the same control plane as identity security.


Key questions

Q: How should security teams reduce the risk of MFA bypass through AiTM phishing?

A: Treat MFA as one control in a broader session-security chain. Add phishing-resistant authenticators where possible, monitor for impossible or unusual session transitions, and require explicit revocation of active sessions after suspected compromise. The key is to inspect what happens after authentication succeeds, not only whether login was challenged.

Q: Why do password resets fail to end some phishing attacks?

A: Password resets only change the credential, not necessarily the session or token state. If refresh tokens, active sessions, or recently enrolled MFA devices remain valid, an attacker can keep access after the user believes the account is fixed. That is why revocation and token cleanup must be part of the response.

Q: What should organisations do about Device Code flow in Microsoft environments?

A: Allow it only where there is a clear operational need, and monitor it as a high-risk authentication path. For privileged users, unmanaged devices, and executive accounts, it should usually be restricted or closely watched because the attack occurs through a legitimate provider endpoint rather than a fake login page.

Q: Who is accountable when a compromised session persists after remediation?

A: Accountability sits with the identity and incident-response owners who define what remediation means. If the response ends at password reset, the programme has not closed the access state. Governance must require proof that sessions, tokens, and device registrations were revoked before the account is declared safe.


Technical breakdown

Real-time session relay defeats MFA without breaking the protocol

In adversary-in-the-middle mode, the attacker does not need to defeat MFA mathematically or exploit a protocol flaw. Instead, the phishing flow proxies the victim's sign-in in real time, relaying credentials and MFA assertions to the identity provider as they happen. Because the login looks legitimate at every visible step, the user completes authentication against the real service while the attacker captures the resulting authenticated session. This is an identity-layer abuse of trust, not a break in cryptography. The security failure is that MFA success is treated as equivalent to safe session ownership when the session itself has already been transferred.

Practical implication: review whether your controls validate session ownership after MFA, not just at the point of authentication.

Device Code flow turns the identity provider into the access broker

Device Code flow is designed for limited-input devices, but attackers exploit it by convincing the victim to enter a code into the provider's own login endpoint. The provider then issues tokens to the attacker-controlled backend because the victim has authenticated the request. That means the phishing page never needs to collect a password or OTP directly, and conventional proxy detection is less useful because the interaction occurs through the identity provider's legitimate flow. The real control problem is that token issuance can be decoupled from user intent, especially when users are prompted to approve actions outside their expected context.

Practical implication: restrict or heavily monitor Device Code use and treat unexpected device sign-ins as a privileged identity event.

Token persistence survives password reset when session revocation is incomplete

The article highlights a common lifecycle gap: revoking a password does not automatically invalidate all live sessions, refresh tokens, or newly enrolled MFA devices. In Entra ID, the attacker can retain access unless administrators explicitly revoke sessions and token grants. That matters because modern identity attacks often move from initial access to durable access in minutes, while remediation workflows are still built around password change as the main reset action. The control issue is not authentication strength alone, but whether the environment can fully unwind the artefacts created after authentication succeeds.

Practical implication: make session and token revocation part of incident response, not an optional cleanup step.
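The lifecycle gap described in this breakdown can be made concrete with a small model. The following is an added illustration, not code from Abnormal AI or from NHI Mgmt Group: it models an account's post-authentication artefacts (live sessions, refresh tokens, MFA device registrations) as plain Python objects, runs a password-reset-only remediation and a revocation-led remediation against the same compromised account, and exposes a `remediation_gaps` check that stays non-empty until every artefact created during the incident is revoked. The `Account` and `Artefact` classes, the UPN and the timestamps are constructed assumptions; the artefact kinds mirror the article's list rather than any identity provider's real object model.

```python
"""Why a password reset alone does not evict the attacker: an in-memory model of the
post-authentication artefacts the article names (live sessions, refresh tokens,
MFA device registrations) and a remediation check that refuses to call the account
safe while any artefact created during the incident is still live.

Added illustration, not Abnormal AI's or NHI Mgmt Group's code. The Account and
Artefact classes, the UPN and the timestamps are all constructed; the artefact
kinds mirror the article's list, not any provider's real object model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2026, 3, 30, 9, 0, tzinfo=timezone.utc)   # constructed: moment of the phish


@dataclass
class Artefact:
    kind: str              # "session" | "refresh_token" | "mfa_device"
    issued_at: datetime
    revoked: bool = False

    @property
    def live(self) -> bool:
        return not self.revoked


@dataclass
class Account:
    upn: str
    password_version: int = 1
    artefacts: list = field(default_factory=list)

    def reset_password(self) -> None:
        """Changes only the credential; nothing already issued is touched."""
        self.password_version += 1

    def revoke_sessions_and_tokens(self, at: datetime) -> int:
        """Invalidates every session and refresh token issued at or before `at`,
        the user's own included, so nothing issued before the cut-off survives."""
        hit = [a for a in self.artefacts
               if a.kind in ("session", "refresh_token") and a.live and a.issued_at <= at]
        for a in hit:
            a.revoked = True
        return len(hit)

    def remove_mfa_devices_registered_since(self, since: datetime) -> int:
        """Removes authentication methods enrolled during the incident window,
        leaving the user's long-standing authenticator in place."""
        hit = [a for a in self.artefacts
               if a.kind == "mfa_device" and a.live and a.issued_at >= since]
        for a in hit:
            a.revoked = True
        return len(hit)

    def remediation_gaps(self, incident_start: datetime) -> list:
        """Live artefacts created at or after the phish; whoever held the relayed
        session could have minted them, so the list must be empty before sign-off."""
        return [a for a in self.artefacts if a.live and a.issued_at >= incident_start]


def refresh_token_still_usable(acct: Account, token: Artefact) -> bool:
    """A refresh-token exchange never presents the password, so a reset is invisible
    to it; only revocation closes that path."""
    return token in acct.artefacts and token.live


def walkthrough() -> dict:
    """Run the two remediation strategies against the same compromised account."""
    acct = Account("exec@example.com")
    user_session = Artefact("session", T0 - timedelta(days=2))
    user_device = Artefact("mfa_device", T0 - timedelta(days=400))
    # Artefacts created through the relayed or Device Code sign-in
    stolen_session = Artefact("session", T0 + timedelta(minutes=1))
    stolen_rt = Artefact("refresh_token", T0 + timedelta(minutes=1))
    rogue_device = Artefact("mfa_device", T0 + timedelta(minutes=12))
    acct.artefacts += [user_session, user_device, stolen_session, stolen_rt, rogue_device]

    # Strategy 1: password reset only (the gap the article describes)
    acct.reset_password()
    gaps_after_reset = len(acct.remediation_gaps(T0))
    usable_after_reset = refresh_token_still_usable(acct, stolen_rt)

    # Strategy 2: revocation-led response
    now = T0 + timedelta(hours=2)
    acct.revoke_sessions_and_tokens(now)
    acct.remove_mfa_devices_registered_since(T0)
    return {
        "gaps_after_reset": gaps_after_reset,
        "token_usable_after_reset": usable_after_reset,
        "gaps_after_revocation": len(acct.remediation_gaps(T0)),
        "token_usable_after_revocation": refresh_token_still_usable(acct, stolen_rt),
        "user_authenticator_kept": user_device.live,
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The point of `remediation_gaps` is that it is keyed on the incident start time, not on who is believed to own an artefact: anything minted after the phish is treated as attacker-reachable until it is revoked, which is the proof of closure the article says governance should demand before an account is declared safe.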


Threat narrative

Attacker objective: The attacker aims to secure durable Microsoft 365 access to executive accounts while preserving a believable sign-in history and minimizing user suspicion.

  1. Entry begins with a SharePoint-themed email that uses a QR code lure and compromised sender infrastructure to move the victim into an attacker-controlled workflow.
  2. Credential access occurs through either real-time AiTM session relay or Microsoft Device Code flow abuse, allowing the attacker to obtain authenticated access without a visible password prompt.
  3. Persistence follows when the platform registers a new MFA device or captures refresh tokens that survive ordinary password resets.
  4. Impact is continued mailbox and Microsoft 365 access that remains available after the victim believes the account has been remediated.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

MFA is not a containment boundary when session ownership can be transferred mid-flow. This campaign works because authentication success is being mistaken for session safety. Real-time relay preserves the user-facing login while moving the active session to the attacker, which means MFA no longer functions as a decisive stopping point. The implication is that identity programmes must stop treating authentication completion as proof of control.

Device Code abuse exposes a trust assumption built for constrained devices, not for adversarial phishing. The flow assumes the code enters the provider's legitimate endpoint in a benign user context. VENOM shows that this assumption collapses when the user is socially engineered into authorising attacker-owned polling infrastructure. Practitioners should recognise this as an identity transaction problem, not a simple awareness failure.

Session revocation is the control gap that turns a successful phish into durable compromise. The campaign demonstrates that password resets alone do not unwind the attacker's access state. Refresh tokens and new device registrations can remain valid unless administrators explicitly revoke them, which makes post-authentication cleanup part of access control, not just incident response.

Executive-targeted phishing should be treated as identity privilege hunting, not ordinary spam. The targeting pattern matters because senior accounts often hold the broadest delegated access and the least scrutiny around new sign-in artefacts. That creates a higher-value identity blast radius when MFA bypass succeeds. The practical conclusion is that executive identity governance deserves separate monitoring thresholds.

Persistent access artefacts create trust debt that standard sign-in controls do not clear. Once a new device, refresh token, or live session exists, the account carries hidden obligations that most review cycles never see. This is the same lifecycle weakness that makes NHI and human identity controls fail when revocation is partial. Practitioners need to think in terms of access artefact expiry, not only credential expiry.

From our research:

What this signals

Trust debt is now the more useful lens than password strength. When attackers can preserve access through tokens, sessions, and device enrollment, the programme's real weakness is not the login challenge but the failure to unwind identity artefacts after compromise. Teams should expect more attacks that succeed inside the identity provider rather than around it.

As OWASP Non-Human Identity Top 10 continues to frame secret sprawl and overprivilege as governance problems, this campaign shows the same logic now applies to human executive accounts that carry machine-like persistence. The boundary between human IAM and machine identity is narrowing at the point where tokens outlive credentials.

Persistent access artefacts will become a standard review item for identity teams that previously focused only on password hygiene. If your response model cannot prove that sessions, refresh tokens, and device registrations are gone, then your control model is still leaving an attacker-owned identity behind.


For practitioners

  • Audit for Device Code exposure paths: Identify where Device Code flow is enabled, who can use it, and whether high-risk users or unmanaged devices can trigger it. Block or tightly scope the flow for privileged populations and watch for sign-ins that originate from unexpected device contexts.
  • Require full session and token revocation in response playbooks: Treat password reset as incomplete until active sessions, refresh tokens, and newly added MFA devices are revoked in Entra ID. Validate that incident handlers know the exact administrative steps needed to remove the attacker's persistence artefacts.
  • Monitor for anomalous MFA device enrollment events: Alert on new authenticator registrations, especially when logs show software-token activity or unusual device naming such as NO_DEVICE. Correlate enrollment with recent phishing indicators and executive account activity.
  • Harden executive accounts as a separate identity tier: Apply stricter sign-in risk rules, narrower recovery paths, and stronger review of delegated access for C-suite and senior officer accounts. Their compromise creates disproportionate blast radius, so monitoring should be more aggressive than for standard user populations.
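The first and third items above describe detection logic rather than a product feature, so here is an added example of that logic run over sample events. It is not Abnormal AI's or NHI Mgmt Group's code. The sign-in and audit records are constructed; their field names (`userPrincipalName`, `authenticationProtocol`, `createdDateTime`, `activityDisplayName`, `activityDateTime`) follow the Microsoft Graph sign-in and directory-audit shapes as an assumption, and `deviceDisplayName`, `methodType` and `targetUser` are flattened keys a real pipeline would have to derive from its own export. The executive list and the 24-hour correlation window are policy choices, not values from the article; `NO_DEVICE` is the device name the article cites.

```python
"""Detection logic for two post-authentication signals the article calls out:
Device Code sign-ins by high-risk users, and authenticator registrations with
anomalous device names such as NO_DEVICE, correlated within a short window.

Added example, not Abnormal AI's or NHI Mgmt Group's code. The events below are
constructed; their field names follow the Microsoft Graph signIn and
directoryAudit shapes as an assumption, so a real pipeline must map its own
export onto these keys. The executive list and the correlation window are
policy choices, not values from the article.
"""
from datetime import datetime, timedelta, timezone

EXECUTIVE_UPNS = {"ceo@example.com", "cfo@example.com"}   # constructed executive tier
SUSPICIOUS_DEVICE_NAMES = {"NO_DEVICE", ""}               # NO_DEVICE is the name the article cites
CORRELATION_WINDOW = timedelta(hours=24)                  # assumption: tune to your environment

# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SIGNINS = [
    {"userPrincipalName": "ceo@example.com", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-30T09:12:00Z", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "analyst@example.com", "authenticationProtocol": "oAuth2",
     "createdDateTime": "2026-03-30T09:15:00Z", "ipAddress": "203.0.113.20"},
    {"userPrincipalName": "dev@example.com", "authenticationProtocol": "deviceCode",
     "createdDateTime": "2026-03-30T10:00:00Z", "ipAddress": "203.0.113.30"},
]
AUDITS = [
    {"activityDisplayName": "User registered security info", "targetUser": "ceo@example.com",
     "deviceDisplayName": "NO_DEVICE", "methodType": "microsoftAuthenticator",
     "activityDateTime": "2026-03-30T09:40:00Z"},
    {"activityDisplayName": "User registered security info", "targetUser": "analyst@example.com",
     "deviceDisplayName": "Pixel 8", "methodType": "microsoftAuthenticator",
     "activityDateTime": "2026-03-29T14:05:00Z"},
    {"activityDisplayName": "User registered security info", "targetUser": "hr@example.com",
     "deviceDisplayName": "", "methodType": "softwareOath",
     "activityDateTime": "2026-03-28T08:00:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse a Graph-style ISO 8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def device_code_signins(signins):
    """Every sign-in that completed through the Device Code protocol. Executive
    accounts rate high on their own: for them the flow is a privileged event."""
    findings = []
    for e in signins:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        upn = e["userPrincipalName"]
        findings.append({"rule": "device_code_signin", "upn": upn,
                         "time": _ts(e["createdDateTime"]),
                         "severity": "high" if upn in EXECUTIVE_UPNS else "medium"})
    return findings


def suspicious_mfa_registrations(audits):
    """'Registered security info' events whose device name is blank or a placeholder,
    or whose method is a software OTP token; both are signals the article flags."""
    findings = []
    for e in audits:
        if "registered security info" not in e.get("activityDisplayName", "").lower():
            continue
        device = e.get("deviceDisplayName", "").strip().upper()
        if device in SUSPICIOUS_DEVICE_NAMES or e.get("methodType") == "softwareOath":
            upn = e["targetUser"]
            findings.append({"rule": "suspicious_mfa_enrollment", "upn": upn,
                             "time": _ts(e["activityDateTime"]), "device": device or "<blank>",
                             "severity": "high" if upn in EXECUTIVE_UPNS else "medium"})
    return findings


def analyse(signins, audits):
    """Combine both rules. A suspicious enrollment that follows a Device Code sign-in
    by the same user inside CORRELATION_WINDOW is escalated to critical, because
    that sequence is the persistence step the article describes."""
    dc = device_code_signins(signins)
    findings = list(dc)
    for reg in suspicious_mfa_registrations(audits):
        preceded = any(d["upn"] == reg["upn"]
                       and timedelta(0) <= reg["time"] - d["time"] <= CORRELATION_WINDOW
                       for d in dc)
        if preceded:
            reg = {**reg, "rule": "device_code_then_mfa_enrollment", "severity": "critical"}
        findings.append(reg)
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in analyse(SIGNINS, AUDITS):
        print(f"{f['severity']:8} {f['rule']:32} {f['upn']}")
```

Run on the sample, the executive's Device Code sign-in followed 28 minutes later by a `NO_DEVICE` authenticator registration surfaces as the single critical finding, the developer's Device Code sign-in and the blank-device software-token enrollment stay at medium for follow-up, and the analyst's ordinary OAuth sign-in and phone-named enrollment produce nothing. Ordering by severity rather than by time is deliberate: the correlated pair is the event a responder should open first.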

Key takeaways

  • VENOM shows that MFA can be bypassed without breaking the protocol when attackers relay live sessions or abuse Device Code flow.
  • The campaign's real control weakness is persistence, because password resets do not necessarily remove refresh tokens, sessions, or enrolled devices.
  • Identity teams need revocation-led incident response, especially for executive accounts whose compromise creates outsized blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on credential and token persistence after compromise.
NIST CSF 2.0 | PR.AA-1 | Authentication alone did not stop attacker persistence in this campaign.
NIST Zero Trust (SP 800-207) | SC-23 | The campaign abuses trusted identity flows, which zero trust should constrain.

Limit trust in sign-in context and re-validate access before sensitive actions or session continuation.


Key terms

  • AiTM phishing: Adversary-in-the-middle phishing proxies a victim's authentication in real time so the attacker receives the resulting session or token. The user believes they are signing in normally, but the attacker is relaying the exchange and can retain access after login completes.
  • Device Code flow: Device Code flow is an authentication method intended for devices with limited input, where a user enters a short code into the identity provider to approve access. Attackers abuse it by tricking users into approving attacker-controlled polling requests, which then receive valid tokens from the provider.
  • Session revocation: Session revocation is the process of invalidating active logins, refresh tokens, and related access artefacts after a compromise. It matters because changing a password alone may not disconnect an attacker who already holds a valid session or newly enrolled authentication method.
  • Access artefact: An access artefact is any identity object that preserves or extends access after initial authentication, such as a token, active session, device enrollment, or delegated grant. For security teams, these artefacts must be governed as carefully as passwords because they can outlive the original credential.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: VENOM phishing-as-a-service, MFA bypass, and token persistence. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org