Highly Evasive Spear-Phishing Campaign Targets Senior Executives, Bypassing Multi-Factor Authentication


Sophisticated Spear-Phishing Campaign Neutralizes Multi-Factor Authentication

A highly evasive spear-phishing campaign, revealed in a recent report, has been targeting senior executives across various industries by leveraging a newly discovered phishing kit called VENOM.

Targeting Senior Executives

The campaign, observed between November 2025 and March 2026, aimed to “neutralize” multi-factor authentication (MFA) by employing adversary-in-the-middle (AiTM) and device code abuse techniques.

According to the report, the attackers focused on corporate Microsoft 365 logins, targeting individuals with C-level, president, or chairman titles, with over 60% of victims holding such positions.

Campaign Mechanics

  • The campaign began with a lure, usually presented as a SharePoint document-sharing notification, which spoofed the sender’s email address to appear internal, using the format sharepointadmin@[target’s domain].
  • The phishing emails included a QR code constructed in HTML using Unicode characters instead of an image file, allowing the attackers to evade defenses scanning for malicious QR code images.
  • Additional evasion techniques employed included injecting invisible, randomized “junk HTML” to defeat signature-based detection and including a fake thread, automatically populated with the target’s name and address, to make the message appear more legitimate.
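The three lure traits listed above (an internal-looking spoofed sender, a QR code drawn from Unicode block glyphs rather than shipped as an image, and invisible junk HTML) can each be checked mechanically at the mail gateway. The script below is an added example written from the defender's side; it is not code from the report or from the VENOM kit. The sample message, the internal domain `example.com`, the glyph set, and the thresholds (five hidden elements, fifteen glyph rows) are all constructed or assumed for illustration.

```python
"""Heuristic triage of an inbound HTML email for the lure traits described
above. Added example; sample message, domain and thresholds are constructed."""
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Glyphs commonly used to draw a QR code as text instead of sending an image.
BLOCK_CHARS = set("\u2588\u2580\u2584\u25a0\u25aa\u2591\u2592\u2593")
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
LINE_BREAK_TAGS = {"br", "p", "div", "tr", "li"}


class _BodyScanner(HTMLParser):
    """Count elements hidden via inline CSS and rebuild the rendered text lines."""

    def __init__(self):
        super().__init__()
        self.hidden_elements = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in LINE_BREAK_TAGS:
            self.chunks.append("\n")
        if HIDDEN_CSS.search(dict(attrs).get("style") or ""):
            self.hidden_elements += 1

    def handle_data(self, data):
        self.chunks.append(data)


def text_qr_rows(text):
    """Longest run of consecutive lines made almost entirely of block glyphs and spaces."""
    best = run = 0
    for line in text.splitlines():
        s = line.strip()
        glyph_like = sum(c in BLOCK_CHARS or c == " " for c in s)
        if (len(s) >= 15 and any(c in BLOCK_CHARS for c in s)
                and glyph_like / len(s) > 0.9):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(raw_message, internal_domains):
    """Return a list of findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender that looks internal but the message did not pass DMARC as internal mail.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    auth_results = msg.get("Authentication-Results", "").lower()
    if sender_domain in internal_domains and "dmarc=pass" not in auth_results:
        findings.append(f"internal-looking sender {addr} without dmarc=pass")

    # 2. Scan every HTML part for hidden junk elements and a text-drawn QR grid.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        scanner = _BodyScanner()
        scanner.feed(html)
        if scanner.hidden_elements >= 5:
            findings.append(f"{scanner.hidden_elements} hidden HTML elements (possible junk padding)")
        rows = text_qr_rows("".join(scanner.chunks))
        if rows >= 15:
            findings.append(f"text-rendered QR code ({rows} rows of block glyphs)")
    return findings


def build_sample_lure():
    """Constructed sample resembling the described lure; not a real campaign message."""
    qr_rows = ["\u2588" * 21] + ["\u2588 " * 10 + "\u2588"] * 19 + ["\u2588" * 21]
    junk = "".join(f'<span style="display:none">x{i}</span>' for i in range(8))
    html = ("<html><body><p>A document has been shared with you.</p>" + junk
            + '<div style="font-family:monospace">' + "<br>".join(qr_rows)
            + "</div></body></html>")
    body = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return ("From: SharePoint Admin <sharepointadmin@example.com>\r\n"
            "To: ceo@example.com\r\n"
            "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
            " dmarc=fail header.from=example.com\r\n"
            "Subject: Document shared with you\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + body)


if __name__ == "__main__":
    for finding in triage(build_sample_lure(), {"example.com"}):
        print("-", finding)
```

The QR check deliberately ignores whether the grid decodes to anything: a block of mostly-glyph lines in a business email is already anomalous, and decoding would require rendering the HTML exactly as the recipient's client does. The sender check keys on the DMARC verdict rather than the display name, since the spoofed address uses the target's own domain and a legitimate internal message should authenticate.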

MFA Bypass Techniques

  • The kit used two techniques: an AiTM proxy that intercepted and relayed credentials and MFA approvals, and abuse of Microsoft’s device code authentication flow.
  • The AiTM attack created a realistic Microsoft login interface, including the target’s organization logo and pre-filled address, and used the Microsoft identity API to grant the attacker access to the victim’s account.
  • The fake login page’s URL included a “#SandBox” fragment; because browsers do not send URL fragments to the server, the login form still displayed while that part of the URL stayed out of request logs.

Defending Against Similar Attacks

Organizations should restrict device code authentication flows when not required, audit and monitor MFA device registrations, and utilize behavior-based and account defenses that employ AI to recognize phishing and compromised account activity.

Incident response to MFA-neutralizing attacks requires full revocation of active sessions, tokens, and enrolled devices to prevent unauthorized access from persisting after password resets.
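The guidance above amounts to one procedure: watch for device code sign-ins, watch for MFA method registrations that follow them, and on a hit revoke sessions and tokens and review enrolled devices and methods rather than stopping at a password reset. The script below is an added example, not code from the report or from Microsoft. The record field names (`authenticationProtocol`, `activityDisplayName`, `targetResources`, `initiatedBy`) and the Graph endpoints follow the Microsoft Graph sign-in, audit and user schemas as the editor knows them; the audit activity name "User registered security info" should be confirmed against the tenant's own logs. All records are constructed.

```python
"""Correlate Entra ID sign-in and audit records to surface device-code
sign-ins and MFA registrations that follow them. Added example; records
are constructed and field names assume the Microsoft Graph schema."""
from datetime import datetime, timedelta

# Constructed records, not real telemetry.
SIGN_INS = [
    {"userPrincipalName": "ceo@example.com", "createdDateTime": "2026-02-03T09:12:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "cfo@example.com", "createdDateTime": "2026-02-03T10:00:00Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "coo@example.com", "createdDateTime": "2026-02-03T11:30:00Z",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed sign-in
]
AUDITS = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2026-02-03T09:40:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "ceo@example.com", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "ceo@example.com"}]},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_abuse(sign_ins, audits, window_hours=24):
    """One alert per successful deviceCode sign-in; severity is raised to high when
    the same user registered new security info within the window afterwards."""
    alerts = []
    for s in sign_ins:
        if s.get("authenticationProtocol") != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn = s["userPrincipalName"].lower()
        t0 = _ts(s["createdDateTime"])
        alert = {"user": upn, "ip": s["ipAddress"], "when": s["createdDateTime"],
                 "severity": "medium", "reason": "successful device code sign-in"}
        for a in audits:
            if a.get("activityDisplayName") != "User registered security info":
                continue
            target = a["targetResources"][0]["userPrincipalName"].lower()
            delta = _ts(a["activityDateTime"]) - t0
            if target == upn and timedelta(0) <= delta <= timedelta(hours=window_hours):
                alert["severity"] = "high"
                alert["reason"] += f"; new security info registered at {a['activityDateTime']}"
                if a["initiatedBy"]["user"].get("ipAddress") == s["ipAddress"]:
                    alert["reason"] += " from the same IP"
                break
        alerts.append(alert)
    return alerts


def containment_actions(user_id):
    """Graph v1.0 calls an analyst runs for a flagged account, in order: revoke
    sessions and refresh tokens first, then list devices and authentication
    methods so anything the attacker enrolled can be removed."""
    base = f"https://graph.microsoft.com/v1.0/users/{user_id}"
    return [("POST", base + "/revokeSignInSessions"),
            ("GET", base + "/registeredDevices"),
            ("GET", base + "/authentication/methods")]


if __name__ == "__main__":
    for alert in find_device_code_abuse(SIGN_INS, AUDITS):
        print(alert["severity"].upper(), alert["user"], alert["reason"])
        for method, url in containment_actions(alert["user"]):
            print("   ", method, url)
```

Only successful device code sign-ins are alerted on, so the failed one for `coo@example.com` is dropped and the ordinary OAuth sign-in is ignored; in a real tenant the medium-severity hits are the input to the "restrict device code flows when not required" decision, and the high-severity correlation is what should trigger the full revoke-and-review sequence.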
