Iranian Spear Phishing Operation Exposed


Check Point Research (CPR) says it has exposed an Iranian spear-phishing operation targeting high-profile Israeli and US executives. As part of their operations, the attackers take over existing accounts of the executives and create fake impersonating accounts to lure their targets into long email conversations.

CPR believes the goal of the operation is to steal personal information, passport scans, and access to email accounts. CPR sees that the operation dates to at least December 2021, but assumes earlier.

High profile targets include:

  • Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel
  • Former Major General who served in a highly sensitive position in the IDF
  • Chair of one of Israel’s leading security think tanks
  • Former US Ambassador to Israel
  • Former Chair of a well known Middle East research centre
  • Senior executive in the Israeli defence industry

Attack Methodology 

  1. The attacker takes over a real e-mail account of a frequent contact of the target
  2. The attacker proceeds to hijack an existing email conversation
  3. The attackers then open a fake email to impersonate the contact of the target, mostly in the format of
  4. The attackers continue the hijacked conversation from the fake email and exchanges at least several emails with the target
  5. Some of the emails include a link to a real document that is relevant to the target. e.g, invitation to a conference or research / phishing page of Yahoo/ link to upload document scans

Example Emails: Tzipi Livni, Former Israeli Foreign Minister

Livni was approached via email by someone impersonating a well known former Major General in the IDF who served in a highly sensitive position. The email was sent from his genuine email address which had previous correspondence with her in the past. The email contained a link to a file which the attacker requested her to open and read. When she delayed doing so, the attacker approached her several times asking her to open the file using her email password. This prompted her suspicions. When she met the former Major General and asked him about the email, it was confirmed that he never sent such an email to her.


CPR believes that the threat actors behind the operation are an Iranian-backed entity. Evidence points to a possible connection of the operation to the Iran-attributed Phosphorus APT group. The group has a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.

“We have exposed Iranian phishing infrastructure that targets Israeli and US public sector executives, with the goal to steal their personal information, passport scans, and steal access to their mail accounts. We have solid evidence that it started at least from December 2021; but we assume that it started earlier. The most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations to well known contacts of the targets and specific lures for each target. The operation implements a very targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation state attacker with the targets is rarely seen in the nation state cyber attacks. CPR will continue to monitor the operation.” said Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research.