A new cyber-espionage campaign has come to light, this time linked to hackers connected with Iran. Security researchers discovered that attackers compromised more than 100 embassy and government email accounts to target diplomats around the world. By abusing official mailboxes, the hackers were able to make their phishing messages look completely authentic.
Investigators found that the operation used a real email account from the Oman Ministry of Foreign Affairs located in Paris. This mailbox was hijacked and then used to send out carefully crafted emails to other diplomatic missions. Since the messages came from a trusted government domain, many recipients were more likely to open them without suspicion.
The emails contained malicious Microsoft Word attachments disguised as official diplomatic documents. Some looked like registration forms, while others appeared to be urgent notices from ministries. When recipients opened these files and clicked “Enable Content,” the hidden malware was quietly installed on their computers. This gave attackers a backdoor into sensitive government systems.
Dream Security, the firm that analyzed the campaign, said that its research included a dataset of 270 emails. Out of these, they identified 104 unique compromised accounts being used as part of the phishing infrastructure. These accounts allowed the attackers to send harmful documents to a wide range of embassies, consulates, and international organizations.
The targeting was broad and global. Many embassies in Europe and Africa were hit, including those in countries such as France and Italy. The campaign also extended to Asia and the Americas, proving that the hackers were not focusing on a single region but instead casting a wide net across multiple continents.
The technical side of the attack was fairly advanced. The infected Word files carried long numeric strings that were decoded into executable files. These executables were written to the victim’s system under harmless-looking names, such as files with a “.log” extension, and then executed silently. Once running, the malware attempted to stay hidden, collect system information, and communicate with a remote command-and-control server.
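A defender-side check for the dropper behaviour described above, an executable written under a “.log” name, as an added example that is not code from the report or from Dream Security: it walks a directory and flags files with a text-style extension whose content is actually a PE image, verifying the `PE\0\0` signature at `e_lfanew` rather than trusting the `MZ` bytes alone. The sample files, the extension list and the function names are constructed for this illustration.

```python
import os
import struct
import tempfile
from pathlib import Path

# Assumption for this example: files with these extensions should only ever hold text,
# so a PE image stored under one of them is treated as a disguised executable.
TEXT_EXTENSIONS = {".log", ".txt"}

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_disguised_executables(root: str) -> list[str]:
    """Walk root and report files with a text-style extension whose content is a PE image."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_EXTENSIONS:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the first page holds both headers
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if looks_like_pe(head):
                hits.append(str(path))
    return sorted(hits)

def make_sample_tree() -> str:
    """Constructed sample data: one disguised PE, one real log, one text file that starts with 'MZ'."""
    root = tempfile.mkdtemp(prefix="disguised-pe-demo-")
    fake_pe = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    fake_pe += b"PE\x00\x00" + b"\x00" * 20       # PE signature plus padding
    (Path(root) / "update.log").write_bytes(bytes(fake_pe))
    (Path(root) / "app.log").write_text("2024-01-01 INFO service started\n")
    (Path(root) / "notes.txt").write_text(
        "MZ is also a valid start for plain text, so magic bytes alone must not flag a file\n")
    return root

if __name__ == "__main__":
    for hit in find_disguised_executables(make_sample_tree()):
        print("disguised executable:", hit)
```

Only `update.log` is reported: `notes.txt` begins with `MZ` but has no PE signature where `e_lfanew` points, so it is correctly left alone.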
Researchers believe this campaign is tied to an Iranian-aligned group referred to as “Homeland Justice,” which has connections to Iran’s Ministry of Intelligence and Security (MOIS). The hackers tried to cover their tracks by routing their emails through VPN services, making it difficult to trace the real source of the attack.
The risk of such a campaign goes far beyond malware infections. By controlling embassy and government mailboxes, attackers could impersonate diplomats, intercept confidential conversations, and spread disinformation. This kind of operation threatens trust between nations and could disrupt sensitive diplomatic negotiations.
Security experts are warning organizations to be extra cautious. They recommend disabling automatic execution of macros in Microsoft Office, since this remains one of the most common infection paths. Multi-factor authentication should be mandatory for government and embassy email accounts to make it harder for attackers to hijack them. Regular monitoring for suspicious outbound traffic can also help detect compromised systems early.
This incident is another reminder that cyberattacks do not always rely on the most complex tools. Instead, they often succeed by exploiting human trust. When emails come from real government addresses, even experienced diplomats can be tricked into opening them. With over 100 embassy accounts already compromised, the scale of this campaign shows just how effective social engineering combined with technical skill can be.
As the investigation continues, it highlights the importance of strong cyber hygiene across all government organizations. Regular training, rapid patching, and constant vigilance are the only ways to reduce the success of such campaigns. This case once again proves that diplomacy has now fully entered the digital battlefield, where state-backed hackers are always looking for the next opportunity.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news