Iran-aligned phishing, MFA theft and the governance gap teams miss

TL;DR: Iran-aligned threat groups are using email, real-time phishing kits, and compromised mailboxes to steal credentials, bypass standard MFA, and spread destructive access across cloud environments, according to Abnormal AI and multiple threat intelligence sources. The underlying problem is not just phishing volume but identity trust that still assumes human-paced review and revocation.

NHIMG editorial — based on content published by Abnormal AI: Iran-aligned phishing campaigns, MFA token theft, and inbox compromise patterns

By the numbers:

• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
• AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
• 28% of secrets incidents now originate outside code repositories in Slack, Jira, and Confluence, and they are 13% more likely to be categorised as critical than code-based leaks.

Questions worth separating out

Q: How should security teams handle phishing-resistant MFA for privileged accounts?

A: Security teams should prioritise phishing-resistant MFA for administrators, security operators, and executives before broad rollout elsewhere.

Q: Why do compromised mailboxes make internal phishing more effective?

A: A compromised mailbox converts an external threat into a trusted internal sender.

Q: What do organisations get wrong about MFA when attackers harvest tokens live?

A: They assume MFA always prevents account takeover.

Practitioner guidance

• Move privileged users to phishing-resistant MFA first Replace TOTP and SMS for administrators, security staff, and executives with FIDO2 security keys or passkeys, then verify that recovery flows do not reintroduce replayable authentication.
• Treat mailbox compromise as an identity incident Correlate suspicious outbound mail, unusual internal reply chains, and new sign-in events so a compromised inbox triggers identity containment, not only mail quarantine.
• Review OAuth consents and MFA registrations after every alert Check for newly granted application consents, new authenticators, modified device registrations, and role changes in the identity provider whenever a credential event is suspected.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

• Direct descriptions of the phishing kit patterns used by Iran-aligned groups and how those lures are delivered
• The specific defensive priorities Abnormal AI recommends for email, identity, and privileged access controls
• Examples of conflict-themed lure content and the telemetry signals the vendor says it is monitoring
• The integration guidance for Abnormal's security posture visibility into Microsoft Intune

👉 Read Abnormal AI's analysis of Iran-aligned phishing, MFA theft, and inbox compromise →

Iran-aligned phishing, MFA theft and the governance gap teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →