An Iran-nexus group conducted a coordinated spear-phishing campaign targeting embassies and consulates worldwide, exploiting over 100 compromised email accounts to disguise malicious communications as legitimate diplomatic correspondence.
Israeli cybersecurity researchers attributed the campaign to Iranian-aligned operators connected to a group known as Homeland Justice. The attackers sent spear-phishing emails to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, with European embassies and African organizations being the most heavily targeted. The emails were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities, including at least one hacked mailbox from the Oman Ministry of Foreign Affairs in Paris. The attack chains used malicious Microsoft Word documents with geopolitical themes related to Iran-Israel tensions, containing Visual Basic for Applications (VBA) macros that deploy malware payloads when recipients enable content.
The attack methodology involved several elements:
The Hacker News reported that "Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication," and noted that "Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension."
They further explained, "The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution."
Spear-phishing is a targeted form of phishing that uses personalized messages to deceive specific individuals or organizations into divulging sensitive information or installing malware. Unlike broad phishing campaigns, spear-phishing attacks are carefully crafted to appear legitimate by referencing specific organizational details, current events, or relationships. VBA macros are small programs embedded in Microsoft Office documents that can automate tasks but are frequently exploited by cybercriminals to execute malicious code when users enable them.
Targeting diplomatic communications poses risks to international relations and national security, as sensitive diplomatic correspondence and intelligence could be intercepted or manipulated.
This coordinated campaign shows the vulnerability of diplomatic communications infrastructure and the tactics employed by state-sponsored actors. Organizations handling sensitive diplomatic correspondence must implement email security measures, including advanced threat protection, user training on macro risks, and multi-factor authentication to prevent account compromises that can be weaponized for broader espionage operations.
They can also use digital signatures, DKIM verification, and out-of-band confirmation channels to validate the legitimacy of incoming correspondence.
Macros remain useful for automating workflows in diplomatic and administrative environments, making them harder to phase out.
Attackers also rely on external systems to remotely manage infected devices and extract stolen data.
Attackers tailor malicious content around current crises or disputes to increase credibility and urgency.
Hijacked accounts could also be used to send manipulated information intended to influence international negotiations or media narratives.