Iranian Spear-Phishing Attack Impersonates Google, Outlook, and Yahoo Domains
Check Point Research has uncovered a renewed global spear-phishing campaign orchestrated by the Iranian threat actor Educated Manticore, also known as APT42, Charming Kitten, and Mint Sandstorm.
Linked to the IRGC Intelligence Organization, this group has intensified its operations amid growing Iran-Israel tensions, targeting high-value individuals with meticulously crafted attacks.
The campaign, which has seen a surge in activity over the past few days, focuses on credential theft and bypassing multi-factor authentication (MFA) through advanced social engineering tactics, posing a significant risk to academics, journalists, and geopolitical figures.
Campaign Targets High-Profile Individuals
The current wave of attacks primarily targets prominent Israeli figures, including leading computer science academics, cybersecurity researchers, and journalists covering intelligence and geopolitical topics.

However, Educated Manticore’s historical operations reveal a far broader scope, with past impersonations of international media outlets like The Washington Post, The Economist, and Khaleej Times to deceive targets across regions aligned with Iran’s strategic interests.
Over 100 phishing domains have been registered as part of this campaign, mimicking legitimate services such as Google, Outlook, Yahoo, and event scheduling platforms like Google Meet, though these links have since been blocked.
Advanced Phishing Techniques
The attackers employ a multi-channel approach to establish trust, initiating contact via email or private messaging apps like WhatsApp.
Once engaged, victims are directed to fake login pages often pre-filled with their email addresses or fraudulent Google Meet invitations hosted on phishing domains.
According to the Check Point Research report, these pages leverage sophisticated web development frameworks to replicate authentic login flows, making them difficult to distinguish from legitimate services.
In a particularly insidious move, the group uses social engineering to bypass 2FA, tricking victims into sharing verification codes and enabling full account takeover.
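The red flags described above (a login or meeting link whose host merely mentions Google, Outlook, Yahoo or Meet, a form pre-filled with the target's address, a login page without TLS) can be checked mechanically before anyone types a password or a verification code. The triage routine below is an added illustration for defenders, not Check Point's tooling or anything from the report; the function name `triage_login_url`, the short allowlist of legitimate brand domains and the sample URLs are all constructed for the example. Because genuine sign-in pages also pre-fill addresses (Google's `login_hint` parameter, for instance), pre-filling alone is reported as a finding but only a lookalike host or a brand name appearing solely in the path marks the URL as impersonation.

```python
"""Triage login/meeting URLs for the brand-impersonation red flags described in the article.

Added example, not Check Point's code. The allowlist below is a defender-maintained
assumption and deliberately short; extend it for your own environment.
"""
from urllib.parse import urlsplit, parse_qs

# Brand keyword -> registrable domains where that brand legitimately hosts
# sign-in or meeting pages (assumed allowlist for this example).
LEGITIMATE_HOSTS = {
    "google": {"google.com"},
    "gmail": {"google.com", "gmail.com"},
    "meet": {"google.com"},
    "outlook": {"outlook.com", "live.com", "office.com", "microsoft.com", "microsoftonline.com"},
    "microsoft": {"outlook.com", "live.com", "office.com", "microsoft.com", "microsoftonline.com"},
    "yahoo": {"yahoo.com"},
}

# Query parameters commonly used to pre-fill an address on a login form.
EMAIL_PARAMS = {"email", "login_hint", "user", "username", "login"}


def _host_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def _brands_in(text):
    """Brand keywords that occur as substrings of text."""
    return sorted(brand for brand in LEGITIMATE_HOSTS if brand in text)


def triage_login_url(url):
    """Return {'url', 'impersonation', 'findings'} for one link.

    'impersonation' is True only when the host or path misuses a brand name;
    the other findings are supporting evidence a reviewer should weigh.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""          # lowercased, port and userinfo stripped
    path = parts.path.lower()
    findings = []

    # 1. Brand keyword in the host, but the host is not under that brand's real domain.
    for brand in _brands_in(host):
        if not any(_host_under(host, d) for d in LEGITIMATE_HOSTS[brand]):
            findings.append(f"lookalike host: '{host}' mentions '{brand}' but is not a {brand} domain")

    # 2. Brand keyword only in the path (e.g. /accounts/yahoo/login on an unrelated host).
    for brand in _brands_in(path):
        if brand not in host:
            findings.append(f"brand '{brand}' appears in the path but not in the host '{host}'")

    # 3. Address pre-filled through the query string.
    for key, values in parse_qs(parts.query).items():
        if key.lower() in EMAIL_PARAMS and any("@" in v for v in values):
            findings.append(f"pre-filled address in parameter '{key}'")

    # 4. Credentials would travel over plain HTTP.
    if parts.scheme == "http":
        findings.append("login page served over plain http")

    impersonation = any(f.startswith(("lookalike", "brand")) for f in findings)
    return {"url": url, "impersonation": impersonation, "findings": findings}


# Constructed sample links (not from the campaign) covering each heuristic.
CONSTRUCTED_SAMPLES = [
    "https://accounts.google.com/signin?login_hint=prof@example.edu",   # genuine host, pre-filled
    "https://meet-google-invite.example/join?email=prof@example.edu",  # lookalike Meet invite
    "http://outlook-login.example/auth",                               # lookalike, no TLS
    "https://cdn.example/accounts/yahoo/login",                        # brand only in path
    "https://www.example.org/news",                                    # nothing of interest
]


def triage_all(urls=CONSTRUCTED_SAMPLES):
    """Triage every link and return the results in input order."""
    return [triage_login_url(u) for u in urls]


if __name__ == "__main__":
    for result in triage_all():
        flag = "IMPERSONATION" if result["impersonation"] else "review"
        print(f"[{flag}] {result['url']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Run as a script it prints a verdict per sample; in practice the same function would sit in a mail gateway or a browser-extension hook, and the allowlist would be the organisation's own list of approved identity providers.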
A notable case involved a target receiving a WhatsApp message proposing an in-person meeting in Tel Aviv, hinting at potential real-world implications beyond cyberspace.
The impersonation tactics are highly tailored, ranging from posing as mid-level employees at major Israeli firms to mimicking staff from the Prime Minister’s Office or professionals tied to well-known tech companies.
Emails are often grammatically flawless and formally structured, possibly aided by AI tools, though subtle errors like minor name misspellings can serve as red flags for the vigilant.
Check Point Research warns that this evolving campaign represents a serious threat to sectors like academia, policy, and media.
Individuals are urged to exercise extreme caution with unsolicited meeting invitations or communications, even from seemingly credible sources.
As Iranian cyber operations expand in sophistication and scope, staying vigilant against such targeted spear-phishing attacks is more critical than ever.