TL;DR: A five-month campaign targeted C-suite executives by name, used a previously undocumented phishing-as-a-service platform called VENOM, and combined evasion tactics with real-time authentication interception to turn a single login into persistent account access, according to Abnormal AI. MFA alone is not a sufficient control when the attacker can capture and reuse the session as it is created.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams protect executive accounts from real-time MFA interception?
A: Use phishing-resistant authentication, enforce device and session assurance, and treat executive logins as higher-risk events than standard workforce access.
Q: Why do compromised executive accounts create such high downstream risk?
A: Executive accounts are trusted by finance, operations, and internal recipients, so a single compromise can unlock business email compromise, fraudulent approvals, and lateral phishing.
Practitioner guidance
- Separate executive identities from ordinary user policy paths: Apply stricter authentication, device assurance, and approval workflows to C-suite accounts so they do not inherit the same risk tolerance as general workforce identities.
- Prioritise phishing-resistant authentication for high-value users: Move executive accounts to phishing-resistant methods and verify that session issuance cannot be replayed or silently transferred after the login event.
- Correlate email, auth, and finance telemetry: Tie suspicious mail delivery, unusual authentication behaviour, and payment or approval anomalies into one response path so BEC indicators are visible before funds move.
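One way to join the three telemetry sources into a single check for executive accounts, as an added example that is not from Abnormal AI or the original post. The event schema, signal names, executive list and 24-hour window are assumptions, and the sample events are constructed; the auth signal here is a session seen on a device other than the one it was issued to, even though the original login passed MFA.

```python
from datetime import datetime, timedelta

EXECUTIVES = {"ceo@example.com", "cfo@example.com"}  # assumed executive risk class
WINDOW = timedelta(hours=24)                          # assumed correlation window

# Constructed sample telemetry: (timestamp, source, user, detail)
EVENTS = [
    ("2025-01-10T08:02", "mail", "cfo@example.com", {"signal": "qr_code_lure"}),
    ("2025-01-10T08:15", "auth", "cfo@example.com",
     {"session": "s1", "device": "laptop-A", "mfa": True}),
    ("2025-01-10T08:16", "auth", "cfo@example.com",
     {"session": "s1", "device": "unknown-X", "mfa": False}),
    ("2025-01-10T11:40", "finance", "cfo@example.com", {"signal": "new_payee_approval"}),
    ("2025-01-10T09:00", "auth", "ceo@example.com",
     {"session": "s2", "device": "phone-B", "mfa": True}),
    ("2025-01-10T09:30", "mail", "analyst@example.com", {"signal": "qr_code_lure"}),
]

def session_moved(auth_events):
    """Yield (ts, user) when a session appears on a device other than its issuing device."""
    issued = {}
    for ts, user, detail in auth_events:
        first_device = issued.setdefault(detail["session"], detail["device"])
        if detail["device"] != first_device:
            yield ts, user

def correlate(events, executives=EXECUTIVES, window=WINDOW):
    """Return {user: sorted sources} for executives with signals from 2+ sources in one window."""
    parsed = sorted(((datetime.fromisoformat(ts), src, user, d)
                     for ts, src, user, d in events), key=lambda e: e[0])
    auth = [(ts, user, d) for ts, src, user, d in parsed if src == "auth"]
    signals = [(ts, "auth", user) for ts, user in session_moved(auth)]
    signals += [(ts, src, user) for ts, src, user, d in parsed
                if src != "auth" and "signal" in d]
    alerts = {}
    for user in executives:
        mine = sorted(s for s in signals if s[2] == user)
        for i, (start, _, _) in enumerate(mine):
            # Distinct telemetry sources that fired within the window from this signal
            sources = {src for ts, src, _ in mine[i:] if ts - start <= window}
            if len(sources) >= 2 and len(sources) > len(alerts.get(user, ())):
                alerts[user] = sorted(sources)
    return alerts

if __name__ == "__main__":
    for user, sources in correlate(EVENTS).items():
        print(f"ESCALATE {user}: correlated signals from {', '.join(sources)}")
```

Signals for non-executive mailboxes are ignored here only to keep the executive path separate; they would normally feed the standard workforce pipeline.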
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- Two distinct real-time methods attackers used to neutralize MFA during live login flows
- The full chain from executive targeting to persistent access and business email compromise
- Examples of layered evasion, including Unicode QR codes and URL fragments invisible to server logs
- The discussion of VENOM as a phishing-as-a-service platform and what that means for campaign scale
Executive phishing and MFA interception: what IAM teams need to know
Explore further
Executive identity has become a high-leverage attack surface, not just a high-value target. This campaign shows that adversaries do not need broad access when they can win one trusted login and reuse the resulting authority across finance, email, and internal trust paths. The field should stop treating executive phishing as a narrow awareness problem and recognise it as a human identity governance failure with downstream privileged access consequences. Practitioners should manage executive accounts as a distinct risk class.
A few things that frame the scale:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which shows how identity risk often begins with weak handling rather than exotic exploitation.
A question worth separating out:
Q: Who is accountable when an executive account is used for fraud after MFA success?
A: Accountability sits with the identity, email, and fraud controls together, because MFA success alone does not prove the session was safe. Organisations need clear ownership for executive access policy, phishing-resistant authentication, and post-login monitoring so one control failure does not become a finance incident.