Tuesday, March 17, 2026

Phishing Attack in Iran Imitates Google, Outlook, and Yahoo Domains

In a striking example of the evolving landscape of cyber warfare, Iranian state-linked hackers have launched a highly sophisticated global spear-phishing campaign targeting high-profile individuals, especially in Israel, but with a far broader footprint.

Known as Educated Manticore (also tracked as APT42, Charming Kitten, and Mint Sandstorm), this group is closely associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization.

Recent activity, detailed by Check Point Research, demonstrates a worrying escalation in both tactics and reach, coinciding with increased geopolitical tensions between Israel and Iran.

The campaign is characterized by the systematic use of over 100 custom-built phishing domains designed to mimic well-known services, including Google, Outlook, and Yahoo.

Attackers create convincing fake login pages and meeting invitation portals, using advanced web development frameworks to mirror legitimate interfaces.

[Image: Fake image redirecting to the attackers’ servers]

Victims are lured via email and private messaging apps such as WhatsApp, where they are directed to these fake pages.

One hallmark of this operation is the use of fictitious personas, often posing as Israeli academics, diplomats, or tech professionals, to maximize credibility and response rates.

Technical Innovation and Social Engineering Tactics

What sets this campaign apart is the attackers’ ability to bypass two-factor authentication (2FA), a key security feature for most high-value targets.

Through a combination of social engineering and technical trickery, the group tricks victims into providing not only their passwords but also their 2FA codes, enabling a complete account takeover.

The phishing flow involves pre-populating victims’ email addresses on counterfeit login screens, further enhancing the illusion of legitimacy.

In some cases, attackers even propose physical meetings, such as an invitation to meet in Tel Aviv, potentially signaling a willingness to move beyond purely digital espionage.

The impersonation methods are highly tailored and adaptive. Attackers may pose as representatives from major Israeli firms, the Prime Minister’s Office, or international organizations.

Their communications are typically grammatically correct and formally structured, suggesting possible use of AI-driven writing assistance. However, minor inconsistencies, such as slight misspellings of names, can serve as red flags for vigilant recipients.

Broad Impact and Urgent Recommendations

The campaign’s targets span academia, journalism, and the geopolitical sphere, with prominent Israeli computer science academics, cybersecurity researchers, and journalists among those affected.

However, Educated Manticore has a documented history of global operations, having previously impersonated major media outlets, including The Washington Post, The Economist, and Khaleej Times, to target journalists and researchers worldwide, particularly in regions aligned with Iran’s strategic interests.

Check Point Research and security agencies, such as the FBI and DHS, warn that this campaign is ongoing and highly adaptive.

Individuals and organizations in high-risk sectors are advised to verify the identity of unknown contacts through trusted channels, scrutinize all links before entering credentials, and remain vigilant against requests for 2FA codes.
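The article describes over 100 phishing domains built to mimic Google, Outlook, and Yahoo, and advises scrutinizing links before entering credentials. The following is an added example of how a security team could automate that link check; it is not code from the article or from Check Point Research, and it does not use the campaign's real domains (which the article does not publish). The allowlist of legitimate hostnames, the homoglyph substitutions, and every sample URL below are constructed assumptions for illustration.

```python
"""Lookalike-domain triage for links that imitate Google, Outlook and Yahoo.

Added example, not code from the original article or from Check Point.
All sample URLs and messages are constructed; the allowlist of legitimate
hostnames is an assumption and should be replaced with the organisation's own.
"""
import re
from urllib.parse import urlparse

# Brands the article names as imitated, with hostnames assumed to be legitimate.
LEGIT_HOSTS = {
    "google": {"google.com", "accounts.google.com", "mail.google.com"},
    "outlook": {"outlook.com", "outlook.live.com", "outlook.office.com",
                "login.microsoftonline.com"},
    "yahoo": {"yahoo.com", "login.yahoo.com", "mail.yahoo.com"},
}

# Common character substitutions used to disguise a brand name (constructed list).
SUBSTITUTIONS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
                 ("@", "a"), ("rn", "m"), ("vv", "w")]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fold(label: str) -> str:
    """Normalise a hostname label so that digit/letter look-alikes read as letters."""
    label = label.lower()
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Two-label approximation of the registrable domain (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_url(url: str):
    """Return (verdict, brand): 'legitimate', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    for brand, legit in LEGIT_HOSTS.items():
        if host in legit or any(host.endswith("." + h) for h in legit):
            return ("legitimate", brand)
    # Check every label: attackers usually put the brand in a subdomain or in
    # the registrable label of a domain they control (e.g. accounts-google-login).
    labels = host.split(".") + [registrable_domain(host).split(".")[0]]
    for brand in LEGIT_HOSTS:
        for label in labels:
            folded = fold(label)
            if brand in folded:
                return ("lookalike", brand)          # brand name embedded
            if len(label) >= 4 and edit_distance(folded, brand) <= 1:
                return ("lookalike", brand)          # one-character typo squat
    return ("unknown", None)


def scan_messages(lines):
    """Return (url, verdict, brand) for every link found in the given message lines."""
    results = []
    for line in lines:
        for url in URL_RE.findall(line):
            verdict, brand = classify_url(url)
            results.append((url, verdict, brand))
    return results


# Constructed sample messages; they are not from the campaign.
SAMPLE_MESSAGES = [
    "Dear Professor, please confirm your slot: https://accounts-google-login.example/verify",
    "Join the panel via https://0utl00k-meeting.example/invite?id=17",
    "Regular sign-in link: https://accounts.google.com/signin",
    "Source material: https://news.example.org/article",
]

if __name__ == "__main__":
    for url, verdict, brand in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10} {brand or '-':8} {url}")
```

The check deliberately runs over every label of the hostname rather than only the registrable domain, because a brand name placed in a subdomain of an attacker-controlled domain is the pattern a pre-populated fake login page typically relies on. A real deployment would replace the two-label domain approximation with a public-suffix list and extend the allowlist to the organisation's own identity providers.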

Moreover, all suspicious communications should be reported to internal security teams immediately.

Check Point’s solutions, including Harmony Email and Collaboration and Zero Phishing, are designed to detect and block such targeted attacks. Still, awareness and proactive security practices remain critical in mitigating risk.
