Iran Conflict-Themed Phishing Activity Targeting the Middle East

Iran conflict phishing advisory targeting Middle East with EN-2026029 and March 2026 date

EXECUTIVE SUMMARY

Multiple threat actors, including TA453, TA473, TA402, and newly identified clusters, are exploiting the Iran conflict as a social-engineering theme to conduct targeted phishing campaigns. These campaigns primarily target government, diplomatic, and policy organizations across the Middle East and Europe. The threat actors leverage war-themed lures, compromised government email accounts, trusted cloud platforms, and credential-harvesting pages to obtain sensitive credentials and facilitate follow-on attacks, including the deployment of tools such as Cobalt Strike and custom backdoors.

  • Active Region: Middle East, Europe, and selected targets in South Asia
  • Affected Sector: Government, Diplomatic Entities, Policy Organizations, Think Tanks, with potential expansion to affiliated institutions.
  • Affected Product: Microsoft Outlook Web App (OWA), OneDrive, Email platforms, Windows endpoints
  • Severity: High
  • Published Date: March 13, 2026

TECHNICAL DETAILS

  • Target: Government entities, diplomatic missions, policy organizations, and think tanks operating in or focused on geopolitical developments in the Middle East and Europe. Additional targets may include affiliated institutions involved in regional research, policy advisory, or international relations activities.
  • Root Cause: The campaign relies primarily on social engineering and phishing techniques combined with the abuse of trusted cloud services. Attackers impersonate government officials or legitimate organizations to distribute malicious links or attachments designed to harvest credentials or execute malware.
  • Prerequisite for Exploitation: Successful exploitation requires user interaction with a phishing email or malicious attachment. This may include opening a malicious archive……
