
Iranian cybercriminals compromise over 100 diplomatic email accounts

An Iran-nexus group has been linked to a “coordinated” and “multi-wave” spear-phishing campaign targeting embassies and consulates across Europe and other regions globally. Israeli cybersecurity company Dream attributed the activity to Iranian-aligned operators associated with a group known as Homeland Justice. The campaign involved sending emails disguised as legitimate diplomatic communications, indicating a broader regional espionage effort aimed at governmental entities during heightened geopolitical tensions. The spear-phishing emails, themed around the geopolitical strife between Iran and Israel, contained malicious Microsoft Word documents that prompted recipients to “Enable Content” to execute an embedded Visual Basic for Applications (VBA) macro, which deployed the malware payload.

The phishing emails were sent to embassies, consulates, and international organisations across the Middle East, Africa, Europe, Asia, and the Americas, with European embassies and African organisations being the most heavily targeted. The emails originated from 104 unique compromised addresses belonging to officials and pseudo-government entities, including a hacked mailbox from the Oman Ministry of Foreign Affairs in Paris. The lure content referenced urgent Ministry of Foreign Affairs communications and exploited the common practice of enabling macros, both hallmarks of a well-planned espionage operation designed to mask attribution. Cybersecurity company ClearSky noted that similar obfuscation techniques were previously used by Iranian threat actors in 2023, linking this activity to the same group.
