Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats - The Hacker News

Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats Ravie LakshmananSep 03, 2025Data Breach / Cyber Espionage An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice. "Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication," the company said. "Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension." The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to "Enable Content" in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload. The email messages, per Dream, were sent to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, suggesting that the activity cast a wide phishing net. European embassies and African organizations are said to have been the most heavily targeted. The digital missives were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities to give them an extra layer of credibility. At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris (*@fm.gov.om). "The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution," Dream said. The end goal of the attacks is to deploy using the VBA macro an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information. Cybersecurity company ClearSky, which also detailed some aspects of the campaign late last month, said the phishing emails were sent to multiple ministries of foreign affairs. "Similar obfuscation techniques were used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania," it said in a post on X. "We assess with moderate confidence that this activity is linked to the same Iranian threat actors." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cyber espionage, cybersecurity, data breach, macros, Malware, Microsoft Word, Phishing Trending News ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Identity Controls Checklist: Find Missing Protections in Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026