TA453 Maintains Credential Phishing Operations Against US Think Tanks Amid Middle East Conflict
- Actor Motivations: Espionage
- Attack Vectors: Spear Phishing
- Attack Complexity: Low
- Threat Risk: Unknown
Threat Overview
Despite an internet shutdown following US and Israeli military strikes in late February 2026, the Iran-aligned threat actor TA453 (Charming Kitten) maintained its targeted espionage operations. Continuing an effort initiated prior to the conflict, TA453 targeted an individual at a US-based think tank. The attackers spoofed a researcher from the Henry Jackson Society, sending spearphishing emails themed around a Middle East air defense roundtable. To build rapport, the threat actor initially shared a benign document via OneDrive. Once trust was established, TA453 delivered a malicious link that redirected the target to a custom OneDrive-themed credential phishing page hosted on Netlify to harvest their credentials.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Researchers | Verified |
| Region | United States | Verified |
Extracted IOCs
- 16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be
FAQs
TA453 Cyber Espionage Campaign Against US Think Tanks
Amid an ongoing military conflict in the Middle East, an Iranian cyber espionage group targeted a US think tank with a sophisticated email phishing campaign. The attackers pretended to be a legitimate researcher inviting the target to a roundtable discussion in order to steal their login credentials.
The attack was carried out by an Iran-aligned threat group known in the cybersecurity community as TA453 (also referred to as Charming Kitten, Mint Sandstorm, or APT42). This group is well-known for conducting espionage and intelligence-gathering operations on behalf of Iranian interests.
The primary goal was intelligence collection. By tricking the target into entering their passwords on a fake login page, the attackers aimed to gain unauthorized access to the victim's accounts and the sensitive information held within the think tank.
The campaign specifically targeted an individual working at a US-based think tank. The attackers initially reached out to the target's personal email address before eventually moving the conversation to their corporate email account.
The attackers used a "long con" approach. They first sent friendly, harmless emails pretending to be a real head of research, even sharing a legitimate, safe document about Middle Eastern air defense to build trust. Once the target felt comfortable, the attackers sent a second link that secretly redirected the victim to a fake Microsoft OneDrive login page designed to steal their password.
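The two-stage pattern described in the Threat Overview and in the paragraph above (a benign OneDrive share first, then a redirecting link that lands on a OneDrive-themed page hosted on Netlify) is something mail-security tooling can triage mechanically: a link is suspect when it carries Microsoft branding but resolves to a host Microsoft does not own, and especially when that host sits on a free static-hosting platform. The following Python is an added example written for this page, not code from the report or from any vendor; the domain lists, the "example-redirector.invalid" first hop and the sample messages are constructed, and the redirect chains are assumed to have already been collected by a URL sandbox or link-follower.

```python
"""Triage URLs extracted from inbound mail for brand-lookalike credential phishing pages.

Added example, not part of the original report. Domain lists and sample URLs are
constructed for illustration; only netlify.app appears in the report itself.
"""
import re
from urllib.parse import urlparse

# Domains that legitimately serve OneDrive / Microsoft sign-in content.
# Assumption: a defender maintains this list from their own tenant configuration.
LEGIT_SUFFIXES = (
    "microsoft.com", "live.com", "microsoftonline.com", "office.com",
    "onedrive.com", "sharepoint.com", "1drv.ms", "office365.com",
)

# Free static-hosting platforms often used for throwaway pages.
# netlify.app is from the report; the others are assumptions.
FREE_HOSTING_SUFFIXES = ("netlify.app", "pages.dev", "web.app", "github.io")

# Brand terms that should only appear on Microsoft-owned hosts.
BRAND_TERMS = re.compile(r"onedrive|sharepoint|microsoft|office365|o365|outlook", re.I)


def _has_suffix(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return (verdict, reason) for a single URL.

    'legit'   : host is under a known Microsoft-owned domain
    'suspect' : Microsoft branding in the host or path of a non-Microsoft host
    'benign'  : no brand indicators on a third-party host
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    if _has_suffix(host, LEGIT_SUFFIXES):
        return "legit", "microsoft-owned host"
    themed = bool(BRAND_TERMS.search(host) or BRAND_TERMS.search(parts.path))
    if themed and _has_suffix(host, FREE_HOSTING_SUFFIXES):
        return "suspect", "brand-themed page on free hosting"
    if themed:
        return "suspect", "brand terms on non-microsoft host"
    return "benign", "no brand indicators"


def classify_redirect_chain(hops):
    """Classify a list of URLs seen while following redirects (hops[0] is the mailed link).

    The final landing page decides the verdict; the reason records when an
    innocuous-looking first hop ended on a suspect page, the pattern in the report.
    """
    verdicts = [classify_url(h) for h in hops]
    final_verdict, final_reason = verdicts[-1]
    if final_verdict == "suspect" and len(hops) > 1 and verdicts[0][0] != "suspect":
        first_host = urlparse(hops[0]).hostname
        return "suspect", f"redirect from {first_host} to {final_reason}"
    return final_verdict, final_reason


def triage(messages):
    """Return ids of messages that contain at least one suspect redirect chain.

    messages: list of dicts with 'id' and 'chains' (a list of redirect chains).
    """
    return [
        m["id"] for m in messages
        if any(classify_redirect_chain(chain)[0] == "suspect" for chain in m["chains"])
    ]


# Constructed sample mirroring the lure: a benign share to build rapport, then a
# redirecting link that lands on a OneDrive-themed page on Netlify.
SAMPLE_MESSAGES = [
    {"id": "msg-1-rapport", "chains": [
        ["https://1drv.ms/b/s!example-benign-share"],
    ]},
    {"id": "msg-2-lure", "chains": [
        ["https://example-redirector.invalid/r/abc",
         "https://onedrive-share-docs.netlify.app/login.html"],
    ]},
    {"id": "msg-3-newsletter", "chains": [
        ["https://example.org/news/air-defense-roundtable"],
    ]},
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for chain in message["chains"]:
            print(message["id"], classify_redirect_chain(chain))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

The first message (a real OneDrive share) is classified as legitimate, which matches the report's observation that the rapport-building stage used a benign document; only the second message is flagged, and its reason string preserves the redirector host so an analyst can pivot on it. In production the brand-term list and the free-hosting list would be tuned against the organisation's own mail flow to keep false positives down.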
Think tanks often conduct strategic research, influence public policy, and communicate with government officials. During times of geopolitical conflict, the insights, communications, and internal research held by these organizations are highly valuable to foreign intelligence agencies.
This is a highly targeted incident. Rather than sending thousands of generic spam emails, the attackers spent time researching their specific target, spoofing a relevant colleague, and crafting a custom scenario to trick that specific individual.
Organizations should mandate multi-factor authentication to ensure that a stolen password alone isn't enough to compromise an account. Individuals should remain highly skeptical of unsolicited invitations, even if they appear to come from known figures in their industry, and should independently verify the sender's identity before clicking links or opening documents.