Iran-Nexus Spear-Phishing Masquerades as Omani MFA to Target Global Governments

In August 2025, Dream’s Cyber Threat Intelligence (CTI) agents uncovered a sophisticated spear-phishing campaign exploiting a compromised Ministry of Foreign Affairs of Oman (MFA) mailbox in Paris to deliver malicious Word documents to government recipients worldwide. The campaign, attributed to Iranian-aligned operators linked to the “Homeland Justice” group under MOIS, underscores a renewed regional espionage drive amid geopolitical tensions, and highlights the urgent need for enhanced cybersecurity and best practices training.

• 5 August 2025: Dream’s CTI agents, leveraging their proprietary Cyber Language Model (CLM), detected anomalous spear-phishing activity using a compromised Oman MFA mailbox, as noted via a tweet on that date.
• The campaign is attributed to Iranian-aligned operators from the Homeland Justice group, tied to the Iranian MOIS.

Campaign Scope & Scale

• The operation involved 270 phishing emails, sent from 104 unique compromised addresses, indicating coordinated, multi-wave targeting.
• Recipients included embassies, consulates, and international organizations across Middle East, Africa, Europe, Asia, and the Americas, with Europe and Africa most heavily impacted.

Tactics & Technical Details

• Phishers used a Word document disguised as a “registration form” with an embedded VBA macro. Upon enabling content, numeric sequences in the document were decoded into ASCII to reconstruct a malware payload and execute it.
• The lure themes invoked urgent MFA communications and diplomatic authority, classic social engineering to prompt macro activation.

External Confirmation

• The Hacker News (3 September 2025) confirmed the campaign’s global reach, scale, and attribution to Homeland Justice, highlighting exploitation of diplomatic trust under geopolitical pretext.
• Rewterz (26 August 2025) emphasized campaign mimicry of Iranian tradecraft from 2023, moderate-confidence attribution, and shared IOCs including domain screenai.online and file hashes.

Regional & Global Context

MEA Perspective

For the Middle East and Africa, the campaign’s use of a legitimate Omani MFA channel underscores vulnerabilities in regional diplomatic communication channels. It also signals potential implications for regional cyber regulations, such as compliance under UAE’s Information Assurance Standards or Oman’s cybersecurity mandates—though specific regulatory breaches remain unconfirmed.

Geo-Political Significance

Timing coincided with sensitive ceasefire negotiations involving Egypt, Qatar, and the U.S., suggesting espionage motives tailored to regional diplomatic developments.
The campaign’s global footprint – affecting Europe, Asia, and the Americas – suggests Iran’s espionage ambitions extend well beyond regional boundaries.

Industry Voice

“Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication… a broader regional espionage effort,” said Dream’s CTI report on 5 August 2025.Dream SecurityThe Hacker News

Analysts at Rewterz noted parallels to 2023 Iranian campaigns using “obfuscation methods… pointing to a continuity in tradecraft”, highlighting persistent modus operandi.Rewterz – Revolutionizing Cybersecurity

Actionable Takeaways

1. Block IOCs: Immediately block domain screenai.online, associated IPs, and file hashes tied to the campaign.
2. Harden Macro Policies: Configure Office to disable macros by default; allow only known, signed macros. Conduct security awareness training about macro-enabled documents.
3. Email Monitoring & Filtering: Deploy advanced filters that flag messages from compromised domains or subjecting MFA-as-lure themes, with SPF/DKIM/DMARC enforcement.
4. Network Segmentation & Egress Controls: Restrict outbound traffic, especially to unrecognized domains; monitor for connections to C2 infrastructure.
5. Incident Playbooks for Diplomatic Targets: Establish response workflows for MFA-targeted phishing, including immediate mailbox forensics, credential resets, and stakeholder notification.
6. Threat Intelligence Integration: Incorporate regional and global threat feeds: e.g., Dream, Rewterz, Hacker News—to stay abreast of evolving TTPs.
7. Phishing Simulations: Regularly test staff with macro-enabled decoys to ensure capability to discern and report such sophisticated lures.
8. Registry & Persistence Audits: Periodically scan critical workstations for unauthorized registry changes, unusual .exe/.log files, and persistence mechanisms.

Conclusion

This spear-phishing campaign delivers a sharp reminder: even trusted diplomatic channels can be weaponized in national-level cyber espionage. By masquerading as Oman’s MFA and exploiting macro-enabled documents, Iranian-aligned actors deployed stealthy reconnaissance across the globe. For CISOs, SOC teams, and policymakers, the immediate task is to reinforce both technical defenses and security awareness, especially among diplomatic and intergovernmental clients. Looking ahead, persistence in these operations suggests the threat will evolve; continuous vigilance, proactive threat intelligence, and robust macro governance remain critical to staying ahead of this campaign’s next wave.

Sources

• Dream Security CTI Analysis Report — Dream, 5 August 2025
• The Hacker News, “Iranian Hackers Exploit 100+ Embassy Email Accounts…”, 3 September 2025
• Rewterz, “Unknown Threat Actors Targets Oman MOFA…”, 26 August 2025