Iran Spear-Phishers Hijack Email Conversations in New Campaign
Check Point security has discovered a new state-backed phishing operation perpetrated by the Iranian Phosphorus APT group. The campaign is primarily targeting high-ranking Israeli and US officials. Historically, Phosphorus APT has been targeting Israeli officials such as deputy Prime Minister Tzipi Livni, a former major general in the Israeli Defense Forces, and a US ambassador to Israel since its creation in 2017. The group uses similar methodology amongst its attacks, such as compromising an inbox belonging to a frequent contact of the target. Then, the group deploys social engineering tactics to continue communication between the two.
The attacker creates a spoofed email address that appears to belong to the contact whose email was initially compromised. Check Point stated that real documents are occasionally lifted from the legitimate address in order to establish trust and add relevance to the scam. Check Point explains that the most sophisticated part of the operation is the level to which the attackers are able to use social engineering tactics. Microsoft previously claimed to have disrupted the operations of the Phosphorus group, also known as Charming Kitten, however, it appears as though the group is back in operation.