{
	"id": "200f5215-00e7-4719-89d6-c2c2de759112",
	"created_at": "2026-04-06T00:09:13.427727Z",
	"updated_at": "2026-04-10T13:11:36.630516Z",
	"deleted_at": null,
	"sha1_hash": "a7ac1e161a9d8d56b361437560026356b7054a19",
	"title": "Iranian Spear Phishing Operation Targets Former Israeli Foreign Minister, Former US Ambassador to Israel, Former Israeli Army General and Three other High-Profile Executives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70178,
	"plain_text": "Iranian Spear Phishing Operation Targets Former Israeli Foreign\r\nMinister, Former US Ambassador to Israel, Former Israeli Army\r\nGeneral and Three other High-Profile Executives\r\nBy etal@ad.checkpoint.com\r\nPublished: 2022-06-14 · Archived: 2026-04-05 18:44:50 UTC\r\nCheck Point Research (CPR) exposes an Iranian spear-phishing operation targeting high-profile Israeli and\r\nUS executives. The attackers hijacked emails of senior people in Israel and then used them to target other high-level officials to steal personal information. Targets have included the former Israeli Foreign Minister, Tzipi\r\nLivni, the former US Ambassador to Israel, a former Major General of the IDF, and three others. In addition,\r\nthe attackers hijacked existing email exchanges and swapped emails to new ones, pretending to be someone\r\nelse, to trick their targets into speaking to them. CPR believes the goal of the operation is to steal personal\r\ninformation, passport scans and access to email accounts. CPR’s findings come at a time of rising tensions\r\nbetween Israel and Iran, where former attempts by Iran to lure Israeli targets via email have occurred.\r\nCheck Point Research (CPR) has exposed an Iranian spear-phishing operation targeting high-profile Israeli and\r\nUS executives. As part of their operations, the attackers take over existing accounts of the executives and create\r\nfake impersonating accounts to lure their targets into long email conversations. CPR believes the goal of the\r\noperation is to steal personal information, passport scans, and access to email accounts. 
CPR sees that the\r\noperation dates to at least December 2021 but assumes it started earlier.\r\nHigh-profile targets include:\r\nTzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel\r\nFormer Major General who served in a highly sensitive position in the IDF\r\nChair of one of Israel’s leading security think tanks\r\nFormer US Ambassador to Israel\r\nFormer Chair of a well-known Middle East research center\r\nSenior executive in the Israeli defense industry\r\nAttack Methodology\r\n1. The attacker takes over a real e-mail account of a frequent contact of the target\r\n2. The attacker proceeds to hijack an existing email conversation\r\n3. The attackers then open a fake email to impersonate the contact of the target, mostly in the format of\r\n[email protected].\r\n4. The attackers continue the hijacked conversation from the fake email and exchange at least several emails\r\nwith the target\r\n5. Some of the emails include a link to a real document that is relevant to the target, e.g., an invitation to a\r\nconference or research / phishing page of Yahoo / link to upload document scans\r\nhttps://blog.checkpoint.com/2022/06/14/iranian-spear-phishing-operation-targets-former-israeli-foreign-minister-former-us-ambassador-to-israel-former-israeli-army-general-and-three-other-high-profile-executives/\r\nPage 1 of 5\n\nExample Emails: Tzipi Livni, Former Israeli Foreign Minister\r\nLivni was approached via email by someone impersonating a well-known former Major General in the IDF who\r\nserved in a highly sensitive position. The email was sent from his genuine email address, which had corresponded\r\nwith her in the past. The email contained a link to a file which the attacker requested her to open\r\nand read. When she delayed doing so, the attacker approached her several times asking her to open the file using\r\nher email password. This aroused her suspicions. 
When she met the former Major General and asked him about\r\nthe email, it was confirmed that he never sent such an email to her.\r\nFigure 1. Email to Tzipi Livni on Day 1\r\nTranslated\r\nFigure 2. Email to Tzipi Livni on Day 6\r\nTranslated\r\nAttribution\r\nCPR believes that the threat actors behind the operation are an Iranian-backed entity. Evidence points to a possible\r\nconnection of the operation to the Iran-attributed Phosphorus APT group. The group has a long history of\r\nconducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting\r\nIsraeli officials.\r\nHow to Recognize Phishing Emails\r\nPhishers use a wide range of techniques to make their phishing emails look legitimate. These are some of the most\r\nused techniques, which can be used to identify these malicious emails.\r\nPsychological Tricks\r\nPhishing emails are designed to convince the recipient to do something that is not in their best interests (giving\r\naway sensitive information, installing malware, etc.). To accomplish this, phishers commonly use psychological\r\ntricks in their campaigns, such as:\r\nSense of Urgency: Phishing emails commonly tell their recipients that something needs to be done right\r\naway. This is because someone in a hurry is less likely to think about whether the email looks suspicious or\r\nis legitimate.\r\nUse of Authority: Business email compromise (BEC) scams and other spear-phishing emails commonly\r\npretend to be from the CEO or someone else in authority. 
These scams take advantage of the fact that the\r\nrecipient is inclined to follow orders from their bosses.\r\nFear and Blackmail: Some phishing emails threaten consequences (such as revealing allegedly stolen\r\nsensitive data) if the recipient doesn’t do what the attacker says. The fear of embarrassment or punishment\r\nconvinces the recipient to comply.\r\nIf an email seems coercive in any way, it might be a phishing attack.\r\nSuspicious Requests\r\nPhishing emails are designed to steal money, credentials, or other sensitive information. If an email makes a\r\nrequest or a demand that seems unusual or suspicious, then this might be evidence that it is part of a phishing\r\nattack.\r\nFake Domains\r\nOne of the most common techniques used in phishing emails is the use of lookalike or fake domains. Lookalike domains\r\nare designed to appear to be a legitimate or trusted domain at a casual glance. For example, instead of the email\r\naddress [email protected], a phishing email may use [email protected]. While these emails may look like the real\r\nthing, they belong to a completely different domain that may be under the attacker’s control.\r\nWhat to Do if You Suspect a Phishing Attack\r\nThe impact and cost of a phishing attack on an organization depend on the speed and correctness of its response.\r\nIf you suspect that an email may be a phishing email, take the following steps:\r\n1. Don’t Reply, Click Links, or Open Attachments: Never do what a phisher wants. If there is a suspicious\r\nlink, attachment, or request for a reply, don’t click, open, or send it.\r\n2. Report the Email to IT or Security Team: Phishing attacks are commonly part of distributed campaigns,\r\nand just because you caught the scam doesn’t mean that everyone did. 
Report the email to IT or the\r\nsecurity team so that they can start an investigation and perform damage control as quickly as possible.\r\n3. Delete the Suspicious Email: After reporting, delete the suspicious email from your Inbox. This lessens the\r\nchance that you’ll accidentally click on it without realizing it later.\r\n4. While awareness of common phishing tactics and knowledge of anti-phishing best practices are important,\r\nmodern phishing attacks are sophisticated enough that some will always slip through. Phishing awareness\r\ntraining should be supplemented with anti-phishing solutions that can help to detect and block attempted\r\nphishing campaigns. Check Point Harmony Email \u0026 Office provides visibility and protection across email\r\nphishing techniques. To learn more about protecting your organization against phishing emails,\r\nplease request a free demo.\r\nConclusion\r\nThe Iranian-affiliated Phosphorus APT group continues its spear-phishing activity against targets of the Iranian\r\nregime. This research has exposed Iranian phishing infrastructure that targets Israeli and US public sector\r\nexecutives, with the goal of stealing their personal information, passport scans, and access to their mail\r\naccounts. CPR researchers have solid evidence this operation dates back to December 2021 but could have started\r\neven earlier. The most sophisticated part of the operation is the social engineering. The attackers use real hijacked\r\nemail chains, impersonations of well-known contacts of the targets and specific lures for each target. The\r\noperation implements a very targeted phishing chain that is specifically crafted for each target. 
In addition, the\r\naggressive email engagement of the nation-state attacker with the targets is rarely seen in nation-state cyber-attacks. CPR will continue to monitor the operation.\r\nFor more detailed technical information and examples of the operation you can read the technical blog\r\nSource: https://blog.checkpoint.com/2022/06/14/iranian-spear-phishing-operation-targets-former-israeli-foreign-minister-former-us-ambassador-to-israel-former-israeli-army-general-and-three-other-high-profile-executives/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2022/06/14/iranian-spear-phishing-operation-targets-former-israeli-foreign-minister-former-us-ambassador-to-israel-former-israeli-army-general-and-three-other-high-profile-executives/"
	],
	"report_names": [
		"iranian-spear-phishing-operation-targets-former-israeli-foreign-minister-former-us-ambassador-to-israel-former-israeli-army-general-and-three-other-high-profile-executives"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434153,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7ac1e161a9d8d56b361437560026356b7054a19.pdf",
		"text": "https://archive.orkl.eu/a7ac1e161a9d8d56b361437560026356b7054a19.txt",
		"img": "https://archive.orkl.eu/a7ac1e161a9d8d56b361437560026356b7054a19.jpg"
	}
}