TL;DR: Iran-aligned threat groups are using email, real-time phishing kits, and compromised mailboxes to steal credentials, bypass standard MFA, and spread destructive access across cloud environments, according to Abnormal AI and multiple threat intelligence sources. The underlying problem is not just phishing volume but identity trust that still assumes human-paced review and revocation.
At a glance
What this is: This analysis examines how Iran-aligned groups are using email, MFA theft, and compromised identities to drive espionage and disruption.
Why it matters: It matters because IAM, PAM, and identity lifecycle controls are now part of email defense, not separate from it, across human accounts, privileged access, and downstream NHI exposure.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
- 28% of secrets incidents now originate outside code repositories in Slack, Jira, and Confluence, and they are 13% more likely to be categorised as critical than code-based leaks.
Context
Iran-aligned operators are treating the inbox as an identity control plane, not just a message channel. The article describes phishing, internal mailbox compromise, MFA token theft, and credential reuse as linked stages in campaigns that can start with a lure and end with destructive access or data theft.
For IAM teams, the core issue is that standard email filtering does not stop an attacker who already holds valid credentials or has captured MFA tokens in real time. That shifts the defensive problem toward phishing-resistant authentication, privileged role oversight, OAuth consent review, and rapid offboarding of compromised identities.
Key questions
Q: How should security teams handle phishing-resistant MFA for privileged accounts?
A: Security teams should prioritise phishing-resistant MFA for administrators, security operators, and executives before broad rollout elsewhere. FIDO2 security keys and passkeys reduce replay risk because the credential is bound to the originating site, unlike TOTP or SMS codes that can be captured and reused in real time.
Q: Why do compromised mailboxes make internal phishing more effective?
A: A compromised mailbox converts an external threat into a trusted internal sender. That bypasses sender reputation controls, exploits colleague trust, and often produces higher click and response rates than outside phishing. For defenders, it means mailbox compromise must be handled as an identity control incident, not only as an email problem.
Q: What do organisations get wrong about MFA when attackers harvest tokens live?
A: They assume MFA always prevents account takeover. Real-time phishing kits can capture and replay codes before they expire, so replayable MFA only proves that a code was entered, not that the session is trustworthy. Organisations need phishing-resistant methods for accounts that can affect email, cloud, or admin systems.
Q: Who is accountable when stolen credentials are reused for follow-on attacks?
A: Accountability sits with both the identity owner and the organisation's access governance process. If compromised accounts are not quickly contained, reviewed, and offboarded from risky entitlements, stolen credentials can be reused by the original actor or sold onward, creating secondary abuse that is preventable with lifecycle control.
Technical breakdown
Email-based initial access and lateral phishing
Iran-aligned groups often start with spearphishing, malicious attachments, or links that lead to credential capture. Once they compromise one mailbox, they can send internal phishing from a trusted account, which bypasses external sender controls and dramatically increases engagement. This is a trust-chain problem: the attacker is no longer asking the recipient to trust an unknown sender, but to trust a known colleague. That makes mailbox compromise an access multiplier, not just a single-account event.
Practical implication: monitor for abnormal mailbox-to-mailbox sending patterns and treat compromised email accounts as identity incidents, not only messaging incidents.
Real-time MFA token theft and phishing-resistant authentication
APT42's kits capture passwords and MFA tokens over WebSocket connections in real time, allowing the operator to use the token before it expires. That means TOTP and SMS-based MFA can be defeated even when the login page looks convincing and the user believes they are completing a normal step-up. Phishing-resistant methods such as FIDO2 security keys and passkeys reduce this risk because the credential is bound to the origin and cannot be replayed the same way. The issue is not MFA in general, but replayable MFA.
Practical implication: prioritise phishing-resistant MFA for privileged users and high-value cloud accounts before relying on awareness training alone.
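As an added illustration of the replayable-versus-origin-bound distinction above (not code from Abnormal AI or the original post): a toy relying party accepts a TOTP code that is relayed to it within the same time step, but rejects a WebAuthn-style assertion whose signed client data names a look-alike origin. The origins, keys and the HMAC stand-in for the credential signature are constructed assumptions.

```python
import base64, hashlib, hmac, json, struct

# Constructed demo (not Abnormal AI's or any vendor's code): a TOTP code verifies wherever it
# was typed, while an origin-bound assertion verifies only when signed on the real site.
RP_ORIGIN = "https://login.example.com"        # assumed legitimate login origin
LOOKALIKE_ORIGIN = "https://login-example.com"  # constructed look-alike, not a real site

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the code is a function of the shared secret and the time step only.
    digest = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 10**digits
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The verifier cannot tell on which page the code was entered.
    return hmac.compare_digest(totp(secret, now), submitted)

def sign_assertion(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    # Stand-in for a FIDO2/WebAuthn assertion: the browser records the origin it is really on
    # in clientData and the authenticator signs over it. HMAC replaces the real per-credential
    # ECDSA signature here (assumption for the demo).
    client_data = json.dumps({"type": "webauthn.get", "origin": browser_origin,
                              "challenge": base64.b64encode(challenge).decode()},
                             sort_keys=True).encode()
    return {"client_data": client_data,
            "signature": hmac.new(cred_key, client_data, hashlib.sha256).digest()}

def verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    # Relying-party checks: our origin, our challenge, and a signature over exactly that data.
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN:
        return False  # signed while the browser was on another origin: reject
    if data.get("challenge") != base64.b64encode(expected_challenge).decode():
        return False  # stale or foreign challenge: reject
    expected = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"
    t, challenge = 1_700_000_000, b"\x01" * 16  # fixed time and RP-issued challenge
    code = totp(secret, t)  # code the user types on whichever page they were shown
    real = sign_assertion(cred_key, challenge, RP_ORIGIN)
    lookalike = sign_assertion(cred_key, challenge, LOOKALIKE_ORIGIN)
    return {"totp_relayed_within_step": verify_totp(secret, code, t + 5),  # True
            "fido_real_origin": verify_assertion(cred_key, challenge, real),       # True
            "fido_lookalike_origin": verify_assertion(cred_key, challenge, lookalike)}  # False
```

The origin check is what makes the second factor phishing-resistant; the TOTP verifier has no equivalent signal and can only confirm that a currently valid code was entered somewhere.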
Identity persistence through OAuth and admin changes
The article shows attackers modifying MFA registrations, abusing OAuth consent grants, and using legitimate management systems to maintain access after the first compromise. That is a classic persistence pattern: the attacker does not need malware if they can convert stolen identity into durable authorization. Once that happens, access can outlive the original phishing event and move from mailbox control into cloud services, admin consoles, and device-management functions. The governance failure is lifecycle visibility, not just detection speed.
Practical implication: review OAuth app consents, MFA device changes, and privileged role activations as part of every compromise investigation.
Threat narrative
Attacker objective: The attacker wants durable access that can be reused for espionage, follow-on compromise, or destructive operations while appearing to act as a legitimate user.
- Entry begins with spearphishing, malicious attachments, or a trusted internal mailbox used to deliver the lure, giving the attacker a way past external sender filtering.
- Escalation follows when the operator steals credentials or MFA tokens in real time, then reuses them to access email, cloud collaboration, or identity systems with legitimate permissions.
- Impact occurs when those accounts are used for follow-on phishing, destructive actions, data theft, or environment-wide disruption through admin and management planes.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Shai Hulud npm malware campaign — npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Email is now an identity enforcement point, not a side channel. When attackers use compromised inboxes to phish internally, email security and identity governance converge into the same control problem. The organisation is no longer defending only against malicious messages, but against legitimate identities being turned into attack infrastructure. Practitioners should treat mailbox compromise as a lifecycle and trust issue, not just a spam issue.
Real-time MFA phishing exposes replayable authentication as a broken assumption. TOTP and SMS-based MFA were designed for human-paced login flows where the user enters a code and the system validates it later. That assumption fails when the actor captures the token in real time and uses it before expiry. The implication is that replayable MFA cannot be the last line of defence for high-value identities.
Identity persistence through OAuth and MFA changes shows how access outlives the initial event. The breach pattern is not only about getting in, but about converting a momentary compromise into durable authorization by altering registrations and consents. That is a governance failure in the identity lifecycle, because access changes become the mechanism of persistence. Practitioners need to see this as offboarding and re-certification pressure, not a one-time alert problem.
Credential trust debt: one compromised identity can seed multiple downstream compromises when organisations allow mailbox trust, consent trust, and MFA trust to accumulate without continuous review. This is the field-level lesson in the article's Iranian campaign set. The attacker does not need to break every control if the organisation has already allowed trust to compound across email, cloud, and admin systems. The practitioner conclusion is that trust relationships need expiry discipline, not indefinite inheritance.
Cross-actor escalation matters because human compromise now feeds machine and admin compromise. The article shows a human account being used to initiate broader access, including cloud services and management functions. That means IAM, PAM, and NHI governance are no longer separate lanes. The same compromise path can move from a person to a service plane, so identity programmes need shared telemetry and shared response rules.
From our research:
- AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers, according to The State of Secrets Sprawl 2026.
- The same research found 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, showing how quickly identity and access exposure can spread into AI-adjacent tooling.
- For a broader breach lens, see The 52 NHI breaches Report, which shows how credential compromise turns into repeated access abuse across environments.
What this signals
Credential trust debt: organisations should expect identity compromise to move faster than manual review cycles, because once one account is trusted internally, the attacker inherits that trust path across mail, cloud, and admin systems. The practical signal is simple: if your response process treats mailbox compromise separately from identity compromise, the programme is already behind.
The next maturity step is to converge email security, IAM, and PAM telemetry so MFA changes, OAuth consents, and privileged role activation are analysed together. That is where the real containment window lives, and it is where conflict-driven phishing campaigns will continue to test control gaps.
Teams that still rely on replayable MFA for privileged access should expect their assurance model to weaken under targeted phishing. The control question is no longer whether MFA is enabled, but whether the authentication method can be replayed before the session is reviewed or revoked.
For practitioners
- Move privileged users to phishing-resistant MFA first: Replace TOTP and SMS for administrators, security staff, and executives with FIDO2 security keys or passkeys, then verify that recovery flows do not reintroduce replayable authentication.
- Treat mailbox compromise as an identity incident: Correlate suspicious outbound mail, unusual internal reply chains, and new sign-in events so a compromised inbox triggers identity containment, not only mail quarantine.
- Review OAuth consents and MFA registrations after every alert: Check for newly granted application consents, new authenticators, modified device registrations, and role changes in the identity provider whenever a credential event is suspected.
- Add multi-admin approval to destructive or high-impact actions: Require a second administrator to approve device wipes, policy changes, and bulk remediation actions so a single stolen identity cannot create irreversible impact.
- Harden verified support paths against social engineering: Use callback-only verification for helpdesk requests and block any request that asks staff to bypass controls under urgency, especially during conflict-themed phishing waves.
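The review described under "Identity persistence through OAuth and admin changes" and the mailbox-compromise and consent-review items in the list above can be expressed as one correlation rule. The following is an added example, not the original post's or any vendor's code; the event schema, the 24-hour window, the internal-recipient threshold and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-event stream (not real telemetry): one normalised record per event,
# as a SIEM might hold after joining IdP sign-in, consent, MFA, PAM and mail-flow logs.
INTERNAL_DOMAIN = "example.com"  # assumed
EVENTS = [
    {"ts": "2026-02-20T08:00:00", "user": "alice", "type": "signin", "anomalous": True},
    {"ts": "2026-02-20T08:12:00", "user": "alice", "type": "oauth_consent_granted", "detail": "app-id-placeholder"},
    {"ts": "2026-02-20T08:15:00", "user": "alice", "type": "mfa_method_added", "detail": "authenticator app"},
    {"ts": "2026-02-20T08:30:00", "user": "alice", "type": "mail_sent",
     "to": [f"user{i}@example.com" for i in range(6)]},
    {"ts": "2026-02-20T09:00:00", "user": "bob", "type": "signin", "anomalous": False},
    {"ts": "2026-02-20T09:05:00", "user": "bob", "type": "role_activated", "detail": "Exchange Administrator"},
    {"ts": "2026-02-20T10:00:00", "user": "carol", "type": "signin", "anomalous": True},
    {"ts": "2026-02-20T10:20:00", "user": "carol", "type": "mail_sent", "to": ["d@example.com", "e@partner.test"]},
]
PERSISTENCE_TYPES = {"oauth_consent_granted", "mfa_method_added", "role_activated"}
WINDOW = timedelta(hours=24)    # review window after a suspicious sign-in (assumed)
MAIL_FANOUT = 5                 # unique internal recipients that count as lateral phishing (assumed)

def correlate(events, window=WINDOW, fanout=MAIL_FANOUT):
    """Pair each anomalous sign-in with the identity changes and internal mail that follow it."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort chronologically
        per_user[ev["user"]].append(ev)
    findings = []
    for user, evs in per_user.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "signin" or not ev.get("anomalous"):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            follow = [f for f in evs[i + 1:] if datetime.fromisoformat(f["ts"]) - t0 <= window]
            persistence = [f["type"] for f in follow if f["type"] in PERSISTENCE_TYPES]
            internal = {r for f in follow if f["type"] == "mail_sent"
                        for r in f["to"] if r.endswith("@" + INTERNAL_DOMAIN)}
            if persistence or len(internal) >= fanout:
                findings.append({"user": user, "signin_ts": ev["ts"], "persistence": persistence,
                                 "internal_recipients": len(internal),
                                 "action": "identity containment: revoke sessions, review consents/MFA/roles, quarantine mail"})
    return findings
```

Bob's scheduled role activation produces no finding because it is not preceded by an anomalous sign-in, and Carol's two-recipient message stays below the fan-out threshold; Alice's consent grant, new authenticator and internal fan-out all land in one finding that should route to identity containment rather than to a mail-only queue.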
Key takeaways
- Iran-aligned campaigns are using email as an identity attack surface, turning inbox compromise into cloud and admin risk.
- Real-time MFA token theft and internal mailbox abuse show that replayable authentication and sender trust are no longer sufficient controls.
- Security teams need phishing-resistant MFA, OAuth consent review, and lifecycle containment for compromised identities to limit follow-on abuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Phishing-resistant authentication is central to the token replay issue. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are directly challenged by mailbox and MFA abuse. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege and continuous verification limit damage from stolen credentials. |
Use phishing-resistant authenticators for privileged identities and remove replayable MFA from high-risk access paths.
Key terms
- Phishing-resistant MFA: An authentication method that cannot be easily replayed after a user is tricked into entering credentials on a fake site. In practice, it binds the login to the real origin, which makes token theft much harder than with SMS or time-based one-time passwords.
- Mailbox compromise: Unauthorised access to an email account that allows the attacker to read, send, or manipulate messages as the legitimate user. It is especially dangerous because the attacker can exploit trust relationships inside the organisation and use the account as a launch point for further compromise.
- OAuth consent abuse: A persistence technique in which an attacker persuades or exploits a user or admin to grant a malicious application access to data or services. Once consent is granted, the attacker can keep using that authorization until it is reviewed and revoked, even if the original login is changed.
- Identity lifecycle control: The processes that govern when accounts, credentials, roles, and application consents are created, changed, reviewed, and removed. For security teams, it is the mechanism that prevents stolen or stale access from surviving long after the original business need has ended.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by Abnormal AI: Iran-aligned phishing campaigns, MFA token theft, and inbox compromise patterns. Read the original.
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org