VENOM Phishing Campaign Is Targeting Your Executives — What Small Businesses Need to Know
A sophisticated phishing campaign called VENOM is actively targeting senior executives at small and mid-sized businesses. Unlike the spray-and-pray phishing emails that end up in your spam folder, VENOM is a targeted operation — carefully constructed messages impersonating trusted contacts, routed through legitimate infrastructure, and designed specifically to bypass the security controls most small businesses rely on.
If you have employees in leadership roles — owners, CFOs, operations managers, or anyone with financial authority — this threat is directly relevant to your business right now.
What VENOM Is and How It Works
VENOM is a credential-harvesting and session-hijacking campaign first identified by threat researchers in early April 2026. It targets senior executives specifically because they have the access and authority to initiate wire transfers, approve vendor changes, and access sensitive financial systems.
The attack chain works in three stages:
Stage 1: Impersonation and delivery. The target receives an email appearing to come from a trusted source, typically legal counsel, an auditor, a board member, or a known business partner. The message is contextually plausible: a document to review, a contract to sign, a compliance deadline to acknowledge. It passes standard spam filters because it is sent from real infrastructure (a compromised mailbox or a newly registered lookalike domain) whose SPF, DKIM and DMARC checks all pass. Those checks only confirm that the message came from the domain it claims to come from; they say nothing about whether that domain belongs to the person being impersonated.
Stage 2: Adversary-in-the-middle capture. The link in the email leads to a convincing login page, often a pixel-perfect replica of Microsoft 365 or Google Workspace, served by a reverse proxy that sits between the executive and the real login service. Everything the executive types is relayed to the real service in real time, including the password and the MFA code or push approval, and the real service answers with a session cookie that the proxy copies before passing the executive through to the genuine site. This is what makes VENOM dangerous: the attacker ends up holding the session token that proves MFA has already been completed. Standard multi-factor authentication (SMS codes, authenticator codes, push prompts) does not stop this attack, because the proxy never has to defeat MFA; it simply waits for the victim to complete it.
Stage 3: Account takeover and pivot. With a valid session token, the attacker operates inside the executive's account without triggering a fresh sign-in or a new MFA prompt. From there, they can read emails to understand ongoing business relationships and transactions, send emails impersonating the executive, redirect vendor payment details, initiate wire transfer requests to the finance team, and exfiltrate sensitive documents.
The full compromise — from first email to active account access — can happen in under 10 minutes.
Why Small Businesses Are Specifically at Risk
Enterprise companies have dedicated security teams running email analysis platforms that detect adversary-in-the-middle (AiTM) phishing attempts in real time. They run conditional access policies that flag logins from unusual locations even with valid tokens. They have incident response playbooks in place before an attack happens.
Small businesses typically have none of this. Most rely on the default spam filtering in Microsoft 365 or Google Workspace, or a basic email security gateway. Those tools judge the message before it is delivered and see nothing once the executive is on the proxy's login page, which is where this attack actually happens. The result is that small businesses are easier targets than large enterprises while still holding financial assets and sensitive data that make the attack worthwhile.
Campaigns like VENOM follow the economics: sophisticated techniques applied to easier targets.
What This Campaign Specifically Does After Access
Based on available threat intelligence, VENOM-attributed accounts have been used for three primary post-compromise activities:
Wire fraud. The attacker monitors the executive’s email for active vendor relationships and pending invoices. At the right moment, they send a spoofed message to the finance team updating bank account details for an upcoming payment. Finance employees, seeing the message come from a known executive’s legitimate account, comply.
Credential chain expansion. With access to an executive's inbox, attackers trigger password resets for connected services (cloud storage, HR systems, payroll platforms, banking portals) and intercept the reset emails as they arrive, expanding their foothold well beyond the initial email account.
Lateral phishing. The compromised executive account sends targeted phishing emails to employees, clients, and vendors. Because those messages come from a real account with a real email history, they achieve far higher click rates than cold phishing attempts.
How to Protect Your Executives Right Now
The defenses that matter against AiTM phishing attacks are specific. General security hygiene helps, but these are the controls that directly address how VENOM operates:
1. Upgrade to phishing-resistant MFA. SMS codes, authenticator app TOTP codes, and push notifications are all vulnerable to AiTM attacks because the attacker can relay them in real time. The MFA types that block this technique are FIDO2/WebAuthn credentials: hardware security keys (YubiKey, Google Titan) and passkeys, whether device-bound or synced. They resist relay not because of where the key is stored but because the credential is bound to the real site's origin: the browser only offers it on the domain it was registered for, and the signed response embeds that origin, so a login attempt from the proxy's lookalike domain produces nothing the real service will accept. Microsoft's phishing-resistant authentication strength also counts Windows Hello for Business and certificate-based authentication. If your executives are using any other MFA type, they remain vulnerable to this campaign. Once the stronger method is enrolled, remove the weaker ones from the account; otherwise the proxy's login page simply steers the victim to the weaker option.
2. Enable Conditional Access (Microsoft Entra) or context-aware access (Google Workspace) policies. Both can flag or block sessions from unusual locations, unmanaged devices, or impossible-travel scenarios (a sign-in from Chicago and one from London within an hour). Two caveats. Location rules alone are weak, because the proxy's IP address is frequently a VPN or residential address in the executive's own country. And a rule that only reacts to unfamiliar sign-ins does little once the attacker is replaying a token that was issued to a sign-in the executive genuinely made. The policies that bite against stolen tokens are those that require a managed or compliant device, Microsoft's token protection (which binds a sign-in session to the device it was issued to), and sign-in risk policies that force re-authentication when the identity provider flags anomalous token use.
3. Deploy email security with AiTM detection. Standard email filters check sender reputation and link destinations at delivery time. AiTM-aware platforms look at what happens after the click: the sign-in itself, where it came from, and whether the session was proxied rather than direct. Ask vendors about this specifically when evaluating email security, and ask your identity provider the same question; Microsoft Entra ID Protection, for example, includes an attacker-in-the-middle risk detection, and its sign-in logs record the IP address, device and location of every session, which is where a proxied login stands out.
4. Verify unusual requests through a second channel. This is a process change, not a technology change: any request involving a wire transfer, change of banking details, or credential reset should be confirmed by phone to a number you already have on file, not one taken from the email or its signature block, and never by reply email. Train your finance team specifically on this.
5. Review executive email forwarding rules. AiTM attackers routinely create inbox rules immediately after gaining access: rules that forward copies of incoming mail to an external address, and rules that delete or file away messages containing words like "invoice", "wire" or "payment" so the executive never sees the finance team's replies. Check your executives' mailboxes now for unexpected forwarding rules, inbox rules with blank or single-character names, delegated access permissions, and third-party apps granted access to the mailbox. In Exchange Online the Get-InboxRule and Get-Mailbox cmdlets expose these settings for every mailbox at once, which is faster than opening each account by hand.
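Why the origin binding in item 1 stops the relay described in Stage 2 is easier to see in code than in prose. The block below is an added example, not code from this page or from any vendor; it simulates the WebAuthn assertion flow with an HMAC standing in for the authenticator's private-key signature (real keys use ECDSA or EdDSA, but the origin and RP ID checks are the same), and the hostnames login.example.com and login-example.com are assumptions chosen for illustration.

```python
"""Simulation of the origin binding that makes FIDO2/WebAuthn credentials
resist AiTM relay. Constructed example, not code from the page or from any
vendor. HMAC-SHA256 with a per-credential secret stands in for the
authenticator's private-key signature (real authenticators use ECDSA or
EdDSA; the origin and RP ID checks shown here are the same)."""
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

RP_ID = "login.example.com"                  # assumed RP ID of the real login service
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com"   # assumed AiTM proxy (lookalike) domain


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must equal the page's host or be a
    parent domain of it. A proxy on another domain fails here."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Stand-in for a security key or platform passkey."""
    def __init__(self):
        self._creds = {}  # cred_id -> (rp_id the credential is scoped to, secret)

    def register(self, rp_id):
        cred_id, secret = secrets.token_hex(8), os.urandom(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # a real RP stores a public key; this simulation stores the secret

    def sign(self, rp_id, client_data_json):
        # Credentials are scoped to the RP ID they were created for, so a
        # lookalike domain finds nothing to sign with.
        for scoped_rp, secret in self._creds.values():
            if scoped_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
                to_sign = auth_data + hashlib.sha256(client_data_json).digest()
                return auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()
        return None


def browser_get_assertion(authenticator, rp_id, challenge, origin):
    """What navigator.credentials.get() does: refuse a mismatched RP ID,
    then embed the page's real origin into clientDataJSON."""
    if not rp_id_valid_for_origin(rp_id, origin):
        raise ValueError(f"RP ID {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    result = authenticator.sign(rp_id, client_data)
    if result is None:
        raise LookupError(f"no credential scoped to {rp_id!r}")
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(public_key, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "bad type or challenge"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(public_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def scenario(origin_seen_by_user, rp_id_requested):
    """Run one login attempt end to end and report where it stops."""
    auth = Authenticator()
    _, pub = auth.register(RP_ID)              # credential enrolled on the real site
    challenge = secrets.token_urlsafe(16)      # issued by the real server (a proxy relays it unchanged)
    try:
        cd, ad, sig = browser_get_assertion(auth, rp_id_requested, challenge, origin_seen_by_user)
    except ValueError as e:
        return "browser-refused", str(e)
    except LookupError as e:
        return "no-credential", str(e)
    ok, why = rp_verify(pub, challenge, cd, ad, sig)
    return ("accepted" if ok else "rejected"), why


def forged_origin_rejected():
    """Even if a proxy bypassed the browser checks and got the authenticator
    to sign, the origin embedded in clientDataJSON still gives it away."""
    auth = Authenticator()
    _, pub = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(16)
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                     "origin": PROXY_ORIGIN}).encode()
    ad, sig = auth.sign(RP_ID, cd)
    return rp_verify(pub, challenge, cd, ad, sig)


if __name__ == "__main__":
    print("real site:         ", scenario(REAL_ORIGIN, RP_ID))
    print("proxy, real RP ID: ", scenario(PROXY_ORIGIN, RP_ID))
    print("proxy, own RP ID:  ", scenario(PROXY_ORIGIN, "login-example.com"))
    print("forged origin:     ", forged_origin_rejected())
```

Three independent checks each stop the relay on their own: the browser refuses to use a credential whose RP ID does not match the page it is on, the authenticator holds no credential scoped to the lookalike domain, and the relying party rejects any assertion whose embedded origin is not its own. Contrast this with a TOTP code, which carries no information about where it was typed.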
What to Do If You Think an Executive Account Was Compromised
Speed matters. If you suspect an executive account has been accessed by an unauthorized party:
Revoke all active sessions immediately. In Microsoft 365, open the user in the admin center and choose Sign out of all sessions (the Entra admin center calls it Revoke sessions); in Google Workspace, reset the user's sign-in cookies from the Security section of the user's page in the Admin console. This invalidates the stolen session token and the account's refresh tokens. Do it together with the password reset: a reset on its own does not end sessions that are already open, and revoking sessions without a reset leaves the attacker holding a working password. Access tokens that were already issued can stay valid until they expire, usually within an hour, so watch the sign-in logs for that window.
Reset the password from a clean device, then review the MFA methods and devices registered on the account and remove anything you do not recognize (attackers often add their own authenticator app or phone number for persistence). Only then enroll the new phishing-resistant MFA credential.
Audit the last 30 days of inbox rules, forwarding configuration, delegated access, and third-party app consents on the account.
Review the last 72 hours of emails sent from the account for any messages you don’t recognize.
Check with your finance team for any payment change requests received in the last two weeks.
Report the incident to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov if financial fraud occurred — this creates a documented record that can help with recovery efforts.
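Two of the checks above (impossible travel under item 2, and the inbox-rule review under item 5 and in the audit step of this list) are mechanical enough to script. The block below is an added example, not the page's or any vendor's code. The sign-in records and inbox rules in it are constructed, and their field names are assumptions loosely modelled on what identity-provider sign-in logs and Exchange inbox rules expose, not an exact schema; adapt the loaders to whatever export your tenant gives you.

```python
"""Constructed post-compromise audit helpers: impossible travel over
sign-in records and suspicious inbox rules. Added example, not the page's
or any vendor's code. The records are made up and the field names are
assumptions loosely modelled on identity-provider sign-in logs and
Exchange inbox rules, not an exact schema."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"example.com"}     # assumption: the company's own mail domains
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "account", "remit"}
MAX_PLAUSIBLE_KMH = 900                # roughly airliner speed

SIGN_INS = [  # constructed sample records (ISO timestamps, geo-IP coordinates)
    {"user": "cfo@example.com", "time": "2026-04-07T13:02:00Z", "ip": "203.0.113.10",
     "city": "Chicago", "lat": 41.88, "lon": -87.63},
    {"user": "cfo@example.com", "time": "2026-04-07T13:41:00Z", "ip": "198.51.100.7",
     "city": "London", "lat": 51.51, "lon": -0.13},
    {"user": "ops@example.com", "time": "2026-04-07T08:15:00Z", "ip": "203.0.113.22",
     "city": "Chicago", "lat": 41.88, "lon": -87.63},
    {"user": "ops@example.com", "time": "2026-04-07T17:40:00Z", "ip": "203.0.113.23",
     "city": "Chicago", "lat": 41.89, "lon": -87.62},
]

INBOX_RULES = [  # constructed sample rules
    {"user": "cfo@example.com", "name": ".", "forward_to": ["billing.archive@mail-example.net"],
     "delete": False, "mark_read": False, "subject_contains": ["invoice", "payment"]},
    {"user": "cfo@example.com", "name": "Newsletter cleanup", "forward_to": [],
     "delete": True, "mark_read": False, "subject_contains": ["newsletter", "digest"]},
    {"user": "cfo@example.com", "name": "Hide replies", "forward_to": [],
     "delete": True, "mark_read": True, "subject_contains": ["RE: wire", "account update"]},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user that would need
    faster-than-airliner travel. Returns (user, from_city, to_city, kmh)."""
    flagged, by_user = [], {}
    for rec in sorted(sign_ins, key=lambda r: (r["user"], _parse(r["time"]))):
        by_user.setdefault(rec["user"], []).append(rec)
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_parse(cur["time"]) - _parse(prev["time"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                flagged.append((user, prev["city"], cur["city"], round(kmh)))
    return flagged


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag the rule patterns AiTM operators leave behind: external
    forwarding, hiding finance-related mail, throwaway rule names."""
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.get("forward_to", [])
                    if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if external:
            reasons.append(f"forwards externally to {', '.join(external)}")
        subjects = " ".join(rule.get("subject_contains", [])).lower()
        hides = rule.get("delete") or rule.get("mark_read")
        if hides and any(w in subjects for w in FINANCE_WORDS):
            reasons.append("deletes or marks read mail matching finance keywords")
        name = rule.get("name", "").strip()
        if len(name) <= 2 or not any(c.isalnum() for c in name):
            reasons.append(f"throwaway rule name {name!r}")
        if reasons:
            findings.append((rule["user"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for hit in impossible_travel(SIGN_INS):
        print("impossible travel:", hit)
    for finding in suspicious_rules(INBOX_RULES):
        print("suspicious rule:", finding)
```

The keyword match is deliberately coarse (substring on the rule's subject conditions), so expect some false positives and review each hit rather than acting on it automatically; the point is to surface the "." rule forwarding invoices externally and the rule quietly deleting replies about a wire, both of which a human scanning a long rule list tends to miss. The speed threshold is the only tunable that matters for the travel check; the proxy's VPN exit in the executive's own country will not trip it, which is the caveat given under item 2.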
The essentials
- VENOM is an active executive-targeting phishing campaign using adversary-in-the-middle (AiTM) techniques
- It captures session tokens in addition to credentials, bypassing standard MFA
- Small businesses are primary targets because they lack enterprise-grade detection tooling
- Post-compromise activity focuses on wire fraud, credential chain expansion, and lateral phishing
- Phishing-resistant MFA (FIDO2/passkeys) is the most effective single control against AiTM attacks
- Finance teams need explicit training to verify payment change requests through a second channel
Questions answered
What is the VENOM phishing campaign?
VENOM is a targeted executive phishing campaign active as of April 2026. It uses adversary-in-the-middle (AiTM) techniques to steal both login credentials and authenticated session tokens from senior executives, allowing attackers to bypass multi-factor authentication and take over email accounts. It then uses that access for wire fraud and further account compromise.
Does multi-factor authentication protect against VENOM?
Standard MFA, including SMS codes, authenticator apps, and push notifications, does not protect against AiTM phishing attacks like VENOM. The attack relays the MFA code or prompt in real time and captures the authenticated session token after login. The MFA types that block this technique are the phishing-resistant options: FIDO2 hardware security keys and passkeys, which are bound to the real site's origin and cannot be used from a lookalike domain.
Why are small businesses being targeted by executive phishing campaigns?
Small businesses are increasingly targeted for two reasons: they have meaningful financial assets and data (making the attack worthwhile), and they typically lack the detection tooling, conditional access policies, and security monitoring that enterprise companies deploy. This makes them easier targets for techniques that would be caught quickly at a larger company.
What should I do if my executive’s email was compromised?
Immediately revoke all active sessions from the admin portal, reset the password, and enroll new phishing-resistant MFA. Then audit email forwarding rules, delegated access, and sent mail from the past 72 hours. Check with finance for any recent payment change requests. If financial fraud occurred, report to the FBI’s IC3 at ic3.gov.
How does an adversary-in-the-middle phishing attack work?
In an AiTM phishing attack, the victim is directed to a real-time proxy that sits between them and the legitimate login page. When they enter credentials and complete MFA, the proxy passes everything to the real site and captures the authenticated session token the site returns. The attacker then uses that token — which the server treats as fully authenticated — to access the account without needing the original credentials or MFA code again.
Recommended Email Security Vendors
DefendMyBusiness partners with a curated network of 400+ vetted providers. Four currently active in our ecosystem for email security:
Comcast Business
Comcast Business offers leading global businesses the technology solutions and forward-thinking partnership they need. With a full suite of solutions including fast, reliable connectivity, secure netw
XTIUM
At XTIUM, we do more than support your Clients’ IT – we integrate, secure, and optimize it. Our mission is simple: We make your clients’ IT work so they can focus on business growth instead of firefig
Granite
Granite delivers advanced communications and technology solutions to businesses and government agencies throughout the United States and Canada. The $1.9 billion company serves more than two-thirds of
DartPoints
At DartPoints, we’re more than a data center – we’re your dedicated partner, offering custom, reliable, and scalable solutions. Our regional knowledge advantage supports your specific data requirement
Unsure which fits your business? We’ll match you with three in 24 hours, no obligation.
Keep going
Book a free 20-minute call
We will map out your options and pull three matched email security providers from our 400+ vendor network. No obligation, no newsletter drip — one call, clear direction.