Watch out for spear-phishing targeting your MFA!

SCWorld.com reported that “A sophisticated spear-phishing campaign targeting senior executives at companies across dozens of industries leverages several evasion mechanisms and a newly discovered phishing kit called VENOM,…” The April 3, 2026 article entitled “Highly evasive spear-phishing campaign targeting senior execs ‘neutralizes’ MFA” (https://tinyurl.com/yn5x4jhm) included these comments from Abnormal AI:

The campaign, observed by Abnormal from November 2025 through March 2026, targets corporate Microsoft 365 logins and “neutralizes” multi-factor authentication (MFA) by using adversary-in-the-middle (AiTM) and device code abuse techniques.

The attackers aim for maximum impact by targeting company leadership, with 60% of targets having C-level, president or chairman titles, Abnormal noted. No particular industry is targeted, with attacks observed across more than 20 verticals.

The attacks begin with an email lure, most commonly imitating a SharePoint document-sharing notification. The attacker spoofs the sender address to appear like an internal email, using the format sharepointadmin@[target’s domain].

The email contains a QR code constructed in HTML using Unicode characters rather than an image file, evading email defenses that scan for malicious QR code images. The emails also leverage several other evasion techniques, including the injection of invisible, randomized “junk HTML” to defeat signature-based detection and the inclusion of a fake email thread, automatically populated with the target’s name and email address, to make the email appear more like legitimate correspondence.

Very bad news!
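
For defenders, the Unicode QR code described above can be flagged without any image scanning by looking for a grid of block glyphs in the HTML body. The sketch below is an added example, not code from the article or from Abnormal AI; the function names, thresholds and sample messages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Smallest QR symbol (version 1) is 21x21 modules. Drawn with half-block glyphs, one
# text line carries two module rows, so a text QR needs >= 21 columns and >= 11 lines.
MIN_COLS, MIN_LINES = 21, 11  # assumed thresholds for this example
# Candidate row: only Unicode Block Elements (U+2580-U+259F), spaces or NBSP.
ROW = re.compile(r"^[\u2580-\u259F \u00A0]{%d,}$" % MIN_COLS)
HAS_BLOCK = re.compile(r"[\u2580-\u259F]")
LINE_TAGS = {"br", "div", "p", "tr", "pre", "table"}

class _VisibleText(HTMLParser):
    """Collect text nodes, turning line-level tags into newlines."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
    def handle_starttag(self, tag, attrs):
        if tag in LINE_TAGS:
            self.parts.append("\n")
    def handle_endtag(self, tag):
        if tag in LINE_TAGS:
            self.parts.append("\n")
    def handle_data(self, data):
        self.parts.append(data)

def longest_block_grid(html):
    """Return the longest run of consecutive lines that look like text-drawn QR rows."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    best = run = 0
    for line in "".join(parser.parts).splitlines():
        if not line.strip(" \t\r\u00a0"):
            continue  # empty lines come from tag boundaries; they do not break a grid
        if ROW.match(line) and HAS_BLOCK.search(line):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def has_text_qr(html):
    """True when the body holds a glyph grid at least as large as the smallest QR."""
    return longest_block_grid(html) >= MIN_LINES

# Constructed samples: a 21x11 glyph grid (not a decodable QR) and a benign progress bar.
GRID = "".join("<div>%s</div>" % "".join("\u2588\u2580\u2584 "[(r * 7 + c * 3) % 4] for c in range(21)) for r in range(11))
LURE = "<html><body><p>Scan to view the shared document</p>%s</body></html>" % GRID
BENIGN = "<html><body><p>Upload progress: " + "\u2588" * 5 + " 60%</p></body></html>"
```

A hit is a reason to quarantine the message or render and decode the grid for URL inspection; it is a heuristic, not proof of phishing.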
