Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats

Sep 03, 2025Ravie LakshmananData Breach / Cyber Espionage

An Iran-nexus group has been linked to a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.

The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice.

“Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”

The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to “Enable Content” in order to execute an embedded Visual Basic for Applications (VBA) macro, which is responsible for deploying the malware payload.

The email messages, per Dream, were sent to embassies, consulates, and international organizations across the Middle East, Africa, Europe, Asia, and the Americas, suggesting that the activity cast a wide phishing net. European embassies and African organizations are said to have been the most heavily targeted.

The digital missives were sent from 104 unique compromised addresses belonging to officials and pseudo-government entities to give them an extra layer of credibility. At least some of the emails originated from a hacked mailbox belonging to the Oman Ministry of Foreign Affairs in Paris (*@fm.gov.om).

“The lure content consistently referenced urgent MFA communications, conveyed authority, and exploited the common practice of enabling macros to access content, which are the hallmarks of a well-planned espionage operation that deliberately masked attribution,” Dream said.

The end goal of the attacks is to deploy using the VBA macro an executable that can establish persistence, contact a command-and-control (C2) server, and harvest system information.

Cybersecurity company ClearSky, which also detailed some aspects of the campaign late last month, said the phishing emails were sent to multiple ministries of foreign affairs.

“Similar obfuscation techniques were used by Iranian threat actors in 2023 when they targeted Mojahedin-e-Khalq in Albania,” it said in a post on X. “We assess with moderate confidence that this activity is linked to the same Iranian threat actors.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!