{
	"id": "a2e658f9-94e8-4510-87d8-d4e64807fdc5",
	"created_at": "2026-04-06T00:21:41.275423Z",
	"updated_at": "2026-04-10T03:30:33.721762Z",
	"deleted_at": null,
	"sha1_hash": "5cdd0fd523469ea4ea82fa00920753be623910d5",
	"title": "Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1270880,
	"plain_text": "Evolving Phishing Attacks Targeting Journalists and Human\r\nRights Defenders from the Middle-East and North Africa\r\nPublished: 2019-08-16 · Archived: 2026-04-05 19:24:25 UTC\r\nIn December 2018, Amnesty International documented widespread targeted phishing attacks against human rights\r\ndefenders (HRDs) in the Middle-East and North Africa, in the report “When Best Practice Isn’t Good Enough”.\r\nThat report documented how attackers had specifically developed techniques to target HRDs who had taken extra\r\nsteps to secure their online accounts, such as by using more secure, privacy-respecting email providers, or\r\nenabling two-factor authentication on their online accounts.\r\nFollowing this, in July 2019, HRDs again shared with Amnesty International numerous new malicious emails they\r\nhad received, which revealed a renewed campaign of targeted phishing that we believe to be orchestrated by the same\r\nattackers or by a closely related group.\r\nWhat is phishing?\r\nCredential phishing (or “password-stealing phishing”) consists of creating a website that imitates the login\r\nprompt of a given online service, such as Gmail or Facebook, with the objective of luring a victim into visiting the\r\nmalicious page and entering their username and password, thereby transmitting these credentials to the attackers.\r\nCredential phishing remains a critical threat to HRDs online. Because of its simplicity and relatively low\r\neconomic cost, phishing is a favorite tactic among attackers, and we regularly observe targets in the hundreds if\r\nnot thousands. However, credential phishing is not always simple, and these new attacks – like those we\r\ndocumented previously – have taken novel steps to overcome the security measures that targets take. 
As credential\r\nphishing schemes evolve and improve, mitigations as well as security education need to improve too.\r\nIn this report we describe the improved techniques utilized by the attackers, which once more demonstrate their\r\nability to adapt to changes in the technological landscape and to respond to the latest online account authentication\r\nand security best practices by developing workarounds.\r\nFirst Tactic – Good old “Reset your Password” revisited\r\nAmong the most popular social engineering tricks used in credential phishing campaigns, the “Reset your\r\nPassword” bait is an evergreen. In this latest campaign, for example, the attackers sent out emails to their targets\r\nimpersonating Google, pretending to alert them of unsuccessful suspicious login attempts, and offering to\r\nsecure the accounts. These emails play on urgency and fear, and their aim is to lure the targets into giving away\r\ntheir credentials, believing their passwords are instead being reset by Google.\r\nIn this latest campaign, the attackers took extra care to make sure both the malicious emails and the phishing\r\npages appear as credible as possible. 
Indeed, these attacks can be very difficult to recognize.\r\nhttps://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/\r\nPage 1 of 25\n\nExample of a phishing email shared with Amnesty International.\r\nIn fact, the button that some of these malicious emails solicit the target to click points to a legitimate Google\r\ndomain, accounts.google.com:\r\nhttps://accounts.google.com/Login?\r\nservice=blogger\u0026hl=en_US\u0026continue=https://script.google.com/macros/s/[REDACTED]/exec?z=[REDACTED]\r\nHere, the attackers are abusing a redirection procedure used by Google in order to first direct the targets to a\r\nlegitimate Google page.\r\nScreenshot of the legitimate Google login page used as a decoy, which then redirects to the actual\r\nphishing page.\r\nThis is in fact the original Google login prompt, and it serves no function for the attackers other than to make\r\nthe link in the email appear legitimate and the procedure more credible. After having logged in (if the target\r\nwasn’t logged in already), the target is subsequently redirected to the fake password change form that, if filled,\r\nwill grant the attackers access to the victim’s account.\r\nAnother technique the attackers used in this case is to present the phishing pages directly on legitimate Google\r\ninfrastructure. 
For example, we can see in the screenshot below that the fake password change form is hosted\r\nat script.google.com.\r\nScreenshot of the phishing page displaying a fake password reset form.\r\nOn other occasions, the attackers have hosted the malicious page on site.google.com. These two legitimate\r\nGoogle services (script.google.com and site.google.com) allow Google users to create and host web content and\r\napplications. Here the attackers are abusing these services to load phishing pages impersonating Google. Tech-savvy\r\ntargets, who perhaps have received security training, might be suspicious of domain names in the browser’s address\r\nbar that do not look legitimate. By using this trick, even these relatively security-conscious targets may be fooled\r\ninto believing the phishing pages are legitimate.\r\nAs highlighted in the screenshot above, the only visible warning that this page is fake (other than the domain itself not\r\nbeing accounts.google.com or myaccount.google.com, but script.google.com) is the message Google displays at\r\nthe top: “This application was created by another user, not by Google.”\r\nSimilarly to the attacks described in our report from December 2018, this particular phishing system is also\r\ncapable of verifying the login credentials and phishing for two-factor verification codes as well.\r\nIn this case, using Security Keys would help mitigate the attacks where other forms of two-factor authentication\r\ngenerally would not.\r\nSecond Tactic – Outlook Phishing Using Malicious Third-Party Applications\r\nInstead of creating fake login pages or fake password reset forms and 
grabbing the credentials to the targets’\r\naccounts, attackers sometimes make use of what is commonly referred to as “OAuth Phishing”.\r\nOAuth is a Web standard used to allow authentication over third-party services without the need to share\r\npasswords. It is commonly used by legitimate application developers to connect their\r\nsoftware to existing online accounts. For example, a calendar application might want to be able to automatically\r\nextract your hotel and flight bookings from your Outlook account. Or, an email client (as we will see later) might\r\nwant to allow you to connect to your Gmail account.\r\nAttackers use the same architecture to instead create malicious third-party applications and attempt to lure the\r\ntargets into granting the applications access to their accounts. Therefore, with OAuth Phishing, attackers do not\r\nneed to steal credentials: they simply abuse legitimate functionality that online platforms – such as Google,\r\nMicrosoft or Facebook – provide. Because the authentication to the account happens on the legitimate site, no\r\nform of two-factor authentication – including Security Keys – can mitigate against this. Targets can only be alert\r\nto any clues or warnings visible in the malicious emails or in the service’s login procedure. Normally, tech\r\ncompanies would eventually discover the malicious third-party application and disable it.\r\nWe have previously encountered and described this technique in our report Phishing attacks using third-party\r\napplications against Egyptian civil society organizations from March 2019, targeting Google users.\r\nIn this campaign, the attackers have similarly created malicious third-party applications in order to conduct OAuth\r\nPhishing against Microsoft Outlook users instead. 
As shown in the images below, attackers have crafted malicious\r\nemails impersonating Microsoft, falsely warning of suspicious login attempts on the victim’s accounts and\r\noffering to “secure” them.\r\nExample of an Outlook phishing email shared with Amnesty International (note the mis-spelling of\r\n“United States” – one of the few visual clues that this is not a legitimate notification).\r\nClicking on the link contained in the email would eventually lead to this legitimate Microsoft page asking for\r\nconfirmation of the activation of the third-party app “Hotmail Security Defender” on the account, warning that\r\nit would be capable of reading all emails and contacts. In other variants of this attack, the third-party app was\r\ncalled “Outlook Security Defender”.\r\nScreenshot of the Outlook authorization page for the attackers’ malicious third-party app.\r\nIn order to verify whether you have any unwanted third-party applications enabled, you should visit\r\nhttps://microsoft.com/consent. 
If you fell victim to this particular attack you would have seen something like this:\r\nScreenshot of a Microsoft account settings page displaying the authorized malicious third-party app.\r\nWe have reported these malicious applications to Microsoft, who promptly removed them.\r\nThird Tactic – Google Phishing Abusing Legitimate Third-Party Applications\r\nDue to the common abuse of the OAuth web standard, Google announced in October 2018 that it will\r\napply new, stringent policies on the verification and approval of third-party applications.\r\nPerhaps because of these new policies, the attackers devised a new OAuth Phishing technique that we had not\r\npreviously observed. While in most OAuth Phishing cases, as explained, attackers normally create malicious\r\nthird-party applications designed to steal data (such as emails) from targets’ accounts, in this latest campaign they\r\nhave instead started abusing the authentication procedure employed by legitimate and verified third-party\r\napplications. In the attacks we have collected from the Human Rights Defenders who shared the malicious emails\r\nwith us, the attackers have specifically been abusing a legitimate and popular email client application called\r\nMailspring.\r\nMailspring supports various email services, including Gmail.\r\nScreenshot of Mailspring’s configuration wizard.\r\nIn order to allow the desktop or mobile apps to connect to a Gmail account, Mailspring also makes use of the\r\nOAuth standard. 
Google offers four OAuth options to desktop and mobile app developers, and while the\r\nMailspring developers use the recommended one (“Loopback IP address”), the attackers figured out that by\r\nabusing another available option (“Manual copy/paste”) together with the publicly available Client ID of the\r\nMailspring application account, they could obtain access tokens to victims’ accounts (and avoid needing a client\r\nsecret or an authorized redirect URL).\r\nFollowing is a breakdown of this particular attack.\r\nStep 1: “Advanced Protection” as a bait\r\nThe malicious emails we collected carry links to websites controlled by the attackers, such as srf-google[.]de,\r\ngmailusercontent[.]site and protect-outlook[.]com.\r\nScreenshot of a phishing email shared with Amnesty International.\r\nAs we previously documented in our report from December 2018, these attackers are particularly dedicated to\r\nattacking privacy-conscious users. In this more recent campaign of attacks, the phishing pages are designed to\r\nappear as legitimate Google sites, and the bait appears to reference the Google Advanced Protection program,\r\nwhich is a secure authentication program Google markets particularly to journalists, NGOs and other at-risk\r\nindividuals.\r\nThe page pretends to offer the ability to set up security codes to protect the account. As you can see, the\r\ninstructions provided in the page specifically solicit the targets to grant access to the “protection app” called\r\nMailspring.\r\nScreenshot of the phishing page. 
\r\nStep 2: Login with Mailspring\r\nThe “Get security code” button leads to a valid Google login configured with the “Manual copy/paste” option for\r\nMailspring’s OAuth account.\r\nOriginal screenshot in Arabic of the Google authorization page to enable Mailspring on the account.\r\nSame screenshot as above, in English.\r\nStep 3: Obtain the token to copy\r\nOnce authenticated, Google presents a token that can be copied and pasted into the third-party application, which\r\nshould have been the legitimate Mailspring but is, instead, the phishing page set up by the attackers.\r\nScreenshot of the authorization token generated by Google for Mailspring.\r\nStep 4: Paste the token in the phishing page\r\nAt this point, the phishing page shows a form that solicits the token that was just generated. If the token is\r\nsubmitted, the attackers will be able to use it to get access to the user’s email account and read the content of their\r\nemails.\r\nForm from the phishing page requesting the authorization token.\r\nChecking the Security page on your Google account would display any third-party application enabled on it. 
In\r\nthis case, Mailspring would appear in the list.\r\nScreenshot of a Google account’s settings with Mailspring enabled.\r\nIf you have never been a user of Mailspring before, this might be a sign of compromise. If you are a current or\r\npast Mailspring user, you should see the same record, but it wouldn’t be anything to worry about.\r\nThis is the first time we have seen attackers abuse legitimate third-party applications and, through their Google\r\naccounts, leverage less secure OAuth options to steal authentication tokens and gain access to victims’ emails.\r\nObviously, while it is possible for Google to identify and disable malicious third-party applications, they cannot\r\ndisable legitimate ones. Mailspring, for instance, accounts for tens of thousands of users. Following the discovery\r\nof this malicious use, we immediately got in contact with the Mailspring developers, who promptly answered and\r\ncooperated with us to investigate and try to resolve this attack. We reported these attacks to Google, and the\r\nmalicious infrastructure is now blocked through SafeBrowsing.\r\nHow to protect yourself from these attacks?\r\nAs this latest campaign demonstrates, it can be very difficult to identify phishing attacks and protect yourself from\r\nthem. Currently, the most reliable mitigation against phishing is Security Keys. This is further discussed in our\r\nprevious report When Best Practice Isn’t Good Enough.\r\nOAuth Phishing appears to be on the rise, probably in response to the decreasing success rate of other tactics.\r\nUnfortunately, two-factor authentication is not really intended as a mitigation against this kind of attack. 
Always\r\nbe alert when you receive a request to authorize a third-party application on your account!\r\nIf you want to read more about phishing and its countermeasures, please check out Security Without Borders’\r\nGuide to Phishing.\r\nIf you believe you have been targeted with attacks similar to the ones described here, you can share with us your\r\nsuspicious messages and links here:\r\nAppendix: Screenshots of Phishing Emails\r\nTechnical Appendix\r\nFollowing are the domain names associated with this 
campaign:\r\nsrf-goolge[.]site\r\ngmailusercontent[.]site\r\nprotect-outlook[.]com\r\nThe IP address hosting the malicious infrastructure is:\r\n95.217.60[.]161\r\nFollowing are the email addresses used in phishing emails:\r\nSource: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/"
	],
	"report_names": [
		"evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cdd0fd523469ea4ea82fa00920753be623910d5.pdf",
		"text": "https://archive.orkl.eu/5cdd0fd523469ea4ea82fa00920753be623910d5.txt",
		"img": "https://archive.orkl.eu/5cdd0fd523469ea4ea82fa00920753be623910d5.jpg"
	}
}