TL;DR: VENOM is a closed phishing-as-a-service platform that combines SharePoint-themed lures, real-time session relay, Device Code abuse, and post-auth persistence to bypass MFA and retain access after password resets, according to Abnormal AI. The campaign shows that authentication controls can fail at the protocol boundary when session and token lifecycle governance is weak.
NHIMG editorial — based on content published by Abnormal AI: VENOM phishing-as-a-service, MFA bypass, and token persistence
By the numbers:
- 60% of targeted recipients hold C-level, President, or Chairman titles across 20+ verticals, selected by name over a 5-month period.
Questions worth separating out
Q: How should security teams reduce the risk of MFA bypass through AiTM phishing?
A: Treat MFA as one control in a broader session-security chain.
Q: Why do password resets fail to end some phishing attacks?
A: Password resets only change the credential, not necessarily the session or token state.
Q: What should organisations do about Device Code flow in Microsoft environments?
A: Allow it only where there is a clear operational need, and monitor it as a high-risk authentication path.
Practitioner guidance
- Audit for Device Code exposure paths: identify where Device Code flow is enabled, who can use it, and whether high-risk users or unmanaged devices can trigger it.
- Require full session and token revocation in response playbooks: treat a password reset as incomplete until active sessions, refresh tokens, and newly added MFA devices are revoked in Entra ID.
- Monitor for anomalous MFA device enrollment events: alert on new authenticator registrations, especially when logs show software-token activity or unusual device naming such as NO_DEVICE.
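The three checks above, expressed as detection rules over a handful of constructed Entra-style sign-in and audit events (an added illustration, not code from NHIMG or Abnormal AI; the record layout and the activity names are assumptions loosely modelled on Microsoft Graph signIn and directoryAudit objects):

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names and activity
# strings are assumed, loosely modelled on Graph signIn / directoryAudit objects.
SAMPLE_LOG = """\
{"ts": "2025-04-01T08:00:00Z", "type": "signIn", "user": "cfo@example.com", "authenticationProtocol": "deviceCode"}
{"ts": "2025-04-01T08:03:00Z", "type": "audit", "user": "cfo@example.com", "activity": "User registered security info", "deviceName": "NO_DEVICE"}
{"ts": "2025-04-01T09:30:00Z", "type": "audit", "user": "cfo@example.com", "activity": "Reset password (by admin)"}
{"ts": "2025-04-01T10:00:00Z", "type": "signIn", "user": "ceo@example.com", "authenticationProtocol": "oAuth2"}
{"ts": "2025-04-01T10:05:00Z", "type": "audit", "user": "ceo@example.com", "activity": "Reset password (by admin)"}
{"ts": "2025-04-01T10:06:00Z", "type": "audit", "user": "ceo@example.com", "activity": "Revoke sign-in sessions"}
"""

SUSPICIOUS_DEVICE_NAMES = {"NO_DEVICE"}
LOOKBACK = timedelta(hours=24)  # an MFA device added this long before a reset counts as "new"

def parse_events(text):
    # One JSON object per line; attach a datetime so events can be ordered.
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["when"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["when"])

def detect(events):
    """Return (rule, user) findings; users with no finding are clean under these rules."""
    findings, resets, revoked, mfa_added, mfa_removed = [], {}, set(), {}, set()
    for e in events:
        user, act = e["user"], e.get("activity", "")
        if e["type"] == "signIn" and e.get("authenticationProtocol") == "deviceCode":
            findings.append(("device_code_signin", user))  # high-risk auth path
        elif act == "User registered security info":
            mfa_added.setdefault(user, []).append(e["when"])
            if e.get("deviceName") in SUSPICIOUS_DEVICE_NAMES:
                findings.append(("suspicious_mfa_device_name", user))
        elif act == "User deleted security info":
            mfa_removed.add(user)
        elif act.startswith("Reset password"):
            resets[user] = e["when"]
        elif act == "Revoke sign-in sessions":
            revoked.add(user)
    # A reset is incomplete until sessions/tokens and recently added MFA devices are gone.
    for user, t in resets.items():
        if user not in revoked:
            findings.append(("reset_without_session_revocation", user))
        recent = [a for a in mfa_added.get(user, []) if t - LOOKBACK <= a <= t]
        if recent and user not in mfa_removed:
            findings.append(("reset_leaves_recent_mfa_device", user))
    return findings
```

On the sample data the CFO account trips all four rules (Device Code sign-in, NO_DEVICE authenticator, reset with no session revocation, reset that leaves the new MFA device in place) while the CEO account, whose reset was followed by revocation, produces nothing.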
What's in the full article
Abnormal AI's full research covers the operational detail this post intentionally leaves for the source:
- Step-by-step AiTM relay mechanics and the token capture sequence used by the campaign.
- The VENOM admin panel's campaign management features and structured token storage model.
- Complete victimology and indicator data for tracing the campaign across executive targets.
- Defensive actions and investigation detail that support incident response and hunting work.
👉 Read Abnormal AI's analysis of the VENOM phishing campaign and MFA bypass →
VENOM phishing tactics: what IAM teams need to rethink now
Explore further
MFA is not a containment boundary when session ownership can be transferred mid-flow. This campaign works because authentication success is being mistaken for session safety. Real-time relay preserves the user-facing login while moving the active session to the attacker, which means MFA no longer functions as a decisive stopping point. The implication is that identity programmes must stop treating authentication completion as proof of control.
A few things that frame the scale:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to The State of Secrets Sprawl 2026.
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
A question worth separating out:
Q: Who is accountable when a compromised session persists after remediation?
A: Accountability sits with the identity and incident-response owners who define what remediation means. If the response ends at password reset, the programme has not closed the access state. Governance must require proof that sessions, tokens, and device registrations were revoked before the account is declared safe.
👉 Read our full editorial: VENOM shows how MFA bypass now survives the login boundary