Microsoft-themed phishing attacks are getting more targeted, and this one appears to be going after the people with the most access. Today, we’re looking at a newly reported campaign aimed at business executives and what organizations should do next as we sit down and sync up with Rocket IT’s weekly technology update.

In this episode, you’ll hear more about:

• A newly reported phishing campaign using fake Microsoft SharePoint notifications
• How attackers are targeting CEOs, CFOs, and other business leaders
• What VENOM is and why it makes phishing attacks more convincing
• Why the campaign uses QR codes to push victims to mobile devices
• What attackers are trying to steal once someone interacts with the message
• Why this type of phishing can be harder to spot than traditional scams

Video Transcript

Attackers are using a phishing platform called VENOM to target senior leaders like CEOs, CFOs, and vice presidents. VENOM is what security researchers call a phishing-as-a-service platform, which basically means it gives attackers a ready-made system for launching more advanced phishing campaigns. In this case, the messages are designed to look like normal Microsoft SharePoint file-sharing notifications, which helps them blend in with everyday business activity.

What makes this campaign stand out is how personal it is. These emails are aimed at specific people by name, and they can even include fake email conversations to make the message feel more believable. The attacker also uses a QR code, pushing the target to open the scam on a phone instead of a computer. That matters because it moves the attack to a device where it can be easier to act quickly and harder to inspect what is really being opened.

If the person scans that code, they can be sent to a fake Microsoft sign-in experience built to steal usernames, passwords, security codes, and ongoing access to the account. Researchers say the attackers also use another tactic that tricks the victim into approving sign-in access for a rogue device. Either way, the goal is not just to get in once. It is to stay in.

This campaign was first reported by the security company Abnormal. According to Abnormal, the operation has been active since at least November 2025 and appears to be closed-access, meaning it has not been openly advertised on public channels or underground forums. That may be one reason it has stayed less visible so far.

Whether it spreads further is hard to say, but this is the kind of threat businesses should pay attention to now. It is targeted, it is believable, and it is aimed at people who often have access to sensitive company information.

The bigger takeaway is simple. Phishing emails are getting more convincing, and even familiar Microsoft notifications can be used as the disguise. A message that looks routine can still be part of an account takeover attempt.

Abnormal says basic sign-in protections alone are not always enough in cases like this. Their recommendation is to use stronger sign-in methods, turn off sign-in options your business does not need, and tighten account access rules so it is harder for attackers to keep control once they get in.

That is where an IT partner can assist. Rocket IT helps businesses review Microsoft security settings, strengthen protections around executive accounts, and put practical safeguards in place before phishing attacks turn into larger business problems. For help, contact Rocket IT using the link in this video’s description. And to stay up to date on trending technology news, hit that subscribe button and the bell to catch us on next week’s episode of Sync Up with Rocket IT.