
Joint Cybersecurity Advisory – Iranian Cyber Actors Targeting Personal Accounts to Support Operations

Created: Tuesday, October 1, 2024 - 15:29
Categories:
Cybersecurity, Federal & State Resources, Security Preparedness

On Friday, the FBI and the UK’s National Cyber Security Centre (NCSC), along with other federal and international partners, published a joint Cybersecurity Advisory titled “Iranian Cyber Actors Targeting Personal Accounts to Support Operations”. The advisory highlights the continued malicious cyber activity by cyber actors working on behalf of the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) and draws attention to a spear phishing campaign carried out by these threat actors.

The malicious activity primarily targets individuals linked to Iranian and Middle Eastern affairs. According to the advisory, the threat actors impersonate known contacts on email and messaging platforms, build rapport with their targets, and then attempt to harvest credentials through a fake email-account login page. Although these are highly targeted attacks, the recommendations provided by the authoring agencies apply across all sectors and organizations. Below are the mitigations taken from the advisory, reproduced here for convenience. Access the full joint Advisory at ic3.gov.

Social Engineering/Spoofing

  • Be suspicious of unsolicited contact from any individual you do not know personally or contact from people you may know but are claiming to be using new accounts or phone numbers.
  • Be suspicious of attempts to pass links or files via social media from anyone you do not know or from people you know who are using new accounts or phone numbers.
  • Be suspicious of unsolicited requests to share files via online services, especially from people you do not know or people with whom you typically do not share files in this manner.
  • Be suspicious of email messages conveying suspicious alerts for online accounts, including login notifications from foreign countries or other alerts indicating attempted unauthorized access to your accounts. FBI recommends logging into your accounts directly (versus using a link to do so) to review alerts.
  • Be suspicious of emails purporting to be from legitimate online services (e.g., the images in the email appear slightly pixelated or grainy, the language seems off, the sender address looks suspicious, the message originates from an IP address not attributable to that provider/company, etc.).
  • Be suspicious of unsolicited email messages that contain shortened links (e.g., via tinyurl, bit.ly, etc.).
  • Refer to the guides in Appendix A of the advisory for detecting malicious email rules that enable auto-forwarding or fetching of mail from compromised email accounts.

Enterprise Mitigation

  • Implement a user training program with phishing exercises to raise and maintain awareness among users about risks of visiting malicious websites or opening malicious attachments.
  • Reinforce the appropriate user response to phishing and spear-phishing emails. Cyber hygiene awareness for personal accounts and company accounts is strongly recommended.
  • Recommend using only official email accounts for official business, updating software, avoiding clicking on links or opening attachments from suspicious emails before confirming their authenticity with the sender, and turning on multi-factor authentication to improve online security and safety.
  • Recommend users consider advanced account protection services and hardware security keys.
  • Enable anti-phishing and anti-spoofing security features that block malicious email.
  • Prohibit automatic forwarding of email to external addresses.
  • Frequently monitor the company email server for changes in configuration and custom rules for specific accounts.
  • Add an email banner to messages coming from outside your organization.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign IP address logins.
  • Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.
  • When available, use single sign-on (SSO) with passkeys or other Fast Identity Online (FIDO) authenticators, or SSO backed by phishing-resistant multi-factor authentication.
  • Protect email in transit by enabling Transport Layer Security (TLS).
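Several of the enterprise mitigations above (prohibiting external auto-forwarding, monitoring the mail server for custom rules, and alerting on logins from unexpected countries) come down to reviewing mailbox audit records. The following is an added example, not code from the advisory or its authoring agencies, showing how such a review can be automated. The audit records are constructed for this example; their field names only loosely mirror a Microsoft 365 unified audit log export, and the `Country` field is an assumption (in a real export you would geolocate `ClientIP` yourself). The internal domain `example.org` and the expected-country list are likewise assumptions.

```python
"""Review mailbox audit records for external forwarding rules and unexpected logins.

Added example (not from the advisory). Record shape is an assumption that
loosely follows a Microsoft 365 unified audit log export.
"""

# Constructed sample audit records (not real data).
SAMPLE_AUDIT_LOG = [
    # Benign: a user forwards to a second internal mailbox.
    {"CreationTime": "2024-09-27T08:12:04", "Operation": "New-InboxRule",
     "UserId": "alice@example.org", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "ForwardTo", "Value": "alice.archive@example.org"}]},
    # Suspicious: a rule named "." forwards externally and deletes the original.
    {"CreationTime": "2024-09-27T08:15:31", "Operation": "New-InboxRule",
     "UserId": "bob@example.org", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    # Login from a country outside the expected set (Country field is assumed).
    {"CreationTime": "2024-09-27T09:01:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.org", "ClientIP": "198.51.100.7", "Country": "XX"},
    {"CreationTime": "2024-09-27T09:05:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.org", "ClientIP": "192.0.2.44", "Country": "US"},
]

INTERNAL_DOMAINS = {"example.org"}          # assumption: the organization's own domains
EXPECTED_COUNTRIES = {"US", "GB"}           # assumption: where staff normally log in from
# Rule/mailbox parameters that cause mail to leave the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _is_external(address: str) -> bool:
    """True if the recipient's domain is not one of ours (handles 'smtp:' prefix)."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def find_external_forwarding(records):
    """Return one finding per rule or mailbox change that forwards mail outside the org."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [v for k, v in params.items() if k in FORWARD_PARAMS]
        external = [t for t in targets if _is_external(t)]
        if external:
            findings.append({
                "user": rec["UserId"],
                "time": rec["CreationTime"],
                "targets": external,
                # Deleting the original hides the exfiltration from the mailbox owner.
                "deletes_original": params.get("DeleteMessage") == "True",
            })
    return findings


def find_unexpected_logins(records, expected=EXPECTED_COUNTRIES):
    """Return logins whose (assumed, pre-geolocated) country is outside the expected set."""
    return [
        {"user": r["UserId"], "ip": r["ClientIP"],
         "country": r.get("Country"), "time": r["CreationTime"]}
        for r in records
        if r.get("Operation") == "UserLoggedIn" and r.get("Country") not in expected
    ]


def correlate(records):
    """Users with BOTH an external forward and an unexpected login deserve first attention."""
    forwarders = {f["user"] for f in find_external_forwarding(records)}
    travellers = {l["user"] for l in find_unexpected_logins(records)}
    return forwarders & travellers


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print("EXTERNAL FORWARD:", f)
    for l in find_unexpected_logins(SAMPLE_AUDIT_LOG):
        print("UNEXPECTED LOGIN:", l)
    print("PRIORITY REVIEW:", sorted(correlate(SAMPLE_AUDIT_LOG)))
```

Run as a scheduled job over the previous day's export, the script turns the advisory's "frequently monitor ... custom rules" and "enable alerts for ... foreign IP address logins" into a repeatable check; the `correlate` step exists because a new external forward appearing shortly after a login from an unusual location is a much stronger signal than either event alone. Extending `RULE_OPERATIONS` and `FORWARD_PARAMS` is how you cover other mail platforms whose audit records use different names.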