Are Iranian APTs Already inside Your Hybrid Network?

July 10, 2025
Lucie Cardiet
Cyberthreat Research Manager

The recent Iran–Israel escalation has sparked a spike in cyber operations from state-linked actors zeroing in on identity, cloud, and enterprise networks. These well-resourced groups combine deep network intrusions with identity abuse to slip past traditional defenses.

They exploit public-facing apps for initial access, harvest credentials via phishing or password spraying, then move laterally with RDP, PsExec, or remote-access services. Persistence comes through scheduled tasks, DLL sideloading, hidden windows, and protocol tunneling. Data is quietly staged, archived, and exfiltrated over obscure channels, often without triggering legacy alerts.

Simultaneously, they launch identity-focused campaigns inside Microsoft 365, Azure, and Google Workspace: abusing OAuth, bypassing MFA, and weaponizing Outlook, OneDrive, and Teams to maintain access and siphon data. These tactics target critical infrastructure, government, commercial enterprises, and NGOs across the Middle East and the West—blending espionage and destructive attacks (wipers, forced encryption).

Relying only on endpoints or perimeter controls leaves you blind to the full attack chain. If you use cloud collaboration, hybrid infrastructure, or remote access, you’re already in their sights.

Who’s Behind the Attacks: Iran-Linked APT Profiles

Despite varying goals (ranging from long-term espionage to outright sabotage), each group leverages both network and identity channels to breach, persist, and extract. Below is a high-level view of each group's initial access, network TTPs, and identity/cloud TTPs.

APT33 (aliases: Peach Sandstorm, HOLMIUM, COBALT TRINITY, Elfin, Refined Kitten)
Initial access: spear-phishing emails built around job postings, social engineering campaigns, and exploitation of known vulnerabilities.
Network tactics:
  • Executing malicious code via PowerShell and scheduled tasks.
  • Moving laterally using RDP, WMI, and stolen credentials.
  • Dumping credentials for escalation and persistence.
  • Archiving and exfiltrating sensitive data over encrypted or obscure channels.
  • Maintaining stealth using obfuscation, registry keys, and encoded traffic.
Identity/cloud tactics:
  • Spear-phishing using job postings and social engineering to obtain credentials.
  • Password-spraying Office 365 and Azure accounts.
  • Accessing compromised accounts through commercial VPNs.
  • Using Azure-specific tools to enumerate Entra ID (Azure AD) and harvest user and group data.
  • Delivering malicious ZIPs via Microsoft Teams messages to extract Active Directory information.

APT34 (aliases: Helix Kitten, OilRig, CHRYSENE, COBALT GYPSY)
Initial access: spear-phishing emails and fake job postings targeting individuals in specific roles.
Network tactics:
  • Using remote desktop protocols and VPN tunneling for movement.
  • Dumping credentials and escalating privileges via known exploits.
  • Exfiltrating data through DNS tunneling, FTP, and compromised email.
  • Evading detection with masquerading, signed binaries, and firewall manipulation.
Identity/cloud tactics:
  • Spear-phishing emails and fake job postings to gain access to Exchange and other cloud accounts.
  • Leveraging cloud email features such as Exchange to stealthily exfiltrate data.
  • Keeping transfers below size thresholds to avoid detection.
  • Harvesting credentials and reusing them for lateral movement across SaaS environments.

APT35 (aliases: Charming Kitten, Magic Hound, Mint Sandstorm, COBALT ILLUSION, TA453, PHOSPHORUS)
Initial access: spear-phishing emails, fake login portals mimicking cloud services, and compromised accounts.
Network tactics:
  • Performing lateral movement via RDP and scheduled tasks.
  • Dumping credentials from browsers and memory for deeper access.
  • Transferring data using encrypted channels and cloud sharing platforms.
  • Evading security by disabling logging and blending C2 traffic with web activity.
Identity/cloud tactics:
  • Targeting credentials through fake login portals mimicking cloud/SaaS services.
  • Bypassing MFA protections using social engineering and convincing fake sign-in pages.
  • Exploiting vulnerabilities in cloud-hosted Exchange or other SaaS apps for privileged access.
  • Using cloud accounts to silently harvest files and emails of interest.

APT42 (aliases: Crooked Charms)
Initial access: prolonged social engineering and impersonation of trusted contacts to obtain credentials.
Network tactics:
  • Using encrypted HTTPS channels for stealthy data transfer.
  • Tunneling access through spoofed VPN and masqueraded remote sessions.
  • Executing scripts for discovery, keylogging, and data collection.
  • Blending in with legitimate traffic to avoid raising alerts.
Identity/cloud tactics:
  • Extensive social engineering to gain persistent access to Microsoft 365 and similar platforms.
  • Using legitimate client apps so that activity looks like normal user behavior.
  • Downloading OneDrive files and Outlook emails with the compromised account without raising suspicion.
  • Deploying simple scripts to extract sensitive data.

MuddyWater (aliases: STATIC KITTEN, Earth Vetala, MERCURY, Seedworm, Mango Sandstorm, TEMP.Zagros)
Initial access: spear-phishing with malicious attachments or links sent from compromised accounts.
Network tactics:
  • Executing scripts and malware via PowerShell, VBScript, and scheduled tasks.
  • Moving laterally using remote access tools and WMI.
  • Dumping credentials from memory, browsers, and cached sources.
  • Establishing persistence using registry keys and DLL sideloading.
  • Exfiltrating compressed data via HTTP-based C2 channels.
Identity/cloud tactics:
  • Spear-phishing with malicious attachments and links to steal credentials for cloud apps.
  • Using compromised accounts to send further phishing emails internally, creating a cascading effect.
  • Targeting credential reset processes and MFA systems to take control of cloud accounts.

Rampant Kitten
Initial access: malicious Android apps and phishing to steal credentials and gain device control.
Network tactics:
  • Delivering payloads through remote-template Word documents hosted on spoofed SharePoint domains.
  • Maintaining C2 via SOAP over HTTPS with fallback OneDrive-style endpoints.
  • Exfiltrating Telegram tokens, KeePass vaults, and sensitive files using base64-encoded uploads.
  • Persisting by replacing Telegram's updater and injecting payloads into explorer.exe.
  • Expanding collection through Android backdoors and Telegram-phishing sites.
Identity/cloud tactics:
  • Phishing for Google credentials by mimicking legitimate login pages on Android devices.
  • Using captured credentials to log into Gmail and other Google cloud services.
  • Extracting data via browser sessions and built-in cloud app features while avoiding obvious malware indicators.

Agrius (aliases: DarkRypt, Pink Sandstorm, AMERICIUM, Black Shadow, Spectral Kitten)
Initial access: deployment of webshells after phishing or exploitation of vulnerable servers.
Network tactics:
  • Gaining access by exploiting public-facing apps and misconfigurations.
  • Performing internal recon and lateral movement via remote desktop tunneling.
  • Dumping credentials for privilege escalation and persistence.
  • Staging and exfiltrating data using common transfer methods.
  • Impairing security tools and disguising activity to evade detection.
Identity/cloud tactics:
  • Deploying scripts to extract credentials from internal accounts after phishing or social engineering access.
  • Pivoting laterally using valid credentials and authorized sessions in cloud apps.

Five Identity and Cloud Techniques SOC Teams Must Monitor

Iran-affiliated threat actors are moving beyond traditional malware and exploits. Their campaigns now hinge on abusing identity systems and living within the trusted tools your organization already uses. These five techniques are central to how they evade detection and maintain persistence in cloud environments. Each represents a critical visibility gap if your team is relying on traditional EDR or SIEM tools alone.

  1. Credential Theft via Spear Phishing
    Fake login portals mimicking Office 365 or Gmail, password spraying, and MFA-bypass techniques.
  2. Cloud Account Hijacks
    Using stolen credentials to access email, OneDrive, SharePoint, or Azure apps.
  3. Recon and Lateral Movement
    Enumerating Entra ID (Azure AD), creating rogue OAuth apps or subscriptions for persistence.
  4. Data Exfiltration via Legitimate Tools
    Moving data through OneDrive, Outlook, or web-based APIs to hide within normal traffic.
  5. Living-Off-the-Land in SaaS and Cloud
    Using built-in SaaS clients like Outlook or remote access tools like AnyDesk/TeamViewer to control cloud accounts.
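Technique 1 (password spraying and MFA bypass) and the MFA push check recommended in the controls section below are the easiest of the five to turn into concrete detection logic. As an added example, not code from the original post or from Vectra AI, the following Python runs two such checks over a constructed sign-in log shaped like Entra ID sign-in records: a password spray (one source failing the password for many distinct accounts with few attempts each) and an MFA push burst (many failed or declined prompts for one user, followed by a success). The field names, thresholds and sample records are assumptions made for the example; the result codes 50126 (invalid username or password) and 500121 (authentication failed during strong authentication) are real Entra ID sign-in error codes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes used below (the codes are real; the records are constructed).
SUCCESS, BAD_PASSWORD, MFA_FAILED = 0, 50126, 500121

T0 = datetime(2025, 7, 1, 9, 0)


def ev(minutes, user, ip, result):
    """Build one sign-in record `minutes` after T0 (constructed data)."""
    return {"time": T0 + timedelta(minutes=minutes), "user": user, "ip": ip, "result": result}


# Constructed sample log.
SIGN_INS = (
    # one source, one wrong password per account across six accounts: a spray
    [ev(i, u, "203.0.113.7", BAD_PASSWORD)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [ev(10, "frank", "203.0.113.7", SUCCESS)]      # the spray found a weak password
    # a user mistyping once from their usual address, then signing in
    + [ev(2, "alice", "198.51.100.4", BAD_PASSWORD), ev(3, "alice", "198.51.100.4", SUCCESS)]
    # six failed MFA prompts in six minutes, then an approval: push fatigue
    + [ev(20 + i, "grace", "203.0.113.9", MFA_FAILED) for i in range(6)]
    + [ev(26, "grace", "203.0.113.9", SUCCESS)]
    # a single declined prompt is noise
    + [ev(40, "heidi", "198.51.100.8", MFA_FAILED)]
)


def _windows(events, key, want, window):
    """Yield (key value, events) for every sliding window of length `window`
    over the events whose result is `want`, grouped by `key` (ip or user)."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] == want:
            groups[e[key]].append(e)
    for k, evs in groups.items():
        for i, start in enumerate(evs):
            yield k, [e for e in evs[i:] if e["time"] - start["time"] <= window]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs that fail the password for many distinct accounts, with few
    attempts per account, inside one window. Returns {ip: sorted list of users}."""
    hits = {}
    for ip, win in _windows(events, "ip", BAD_PASSWORD, window):
        per_user = defaultdict(int)
        for e in win:
            per_user[e["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits[ip] = sorted(set(hits.get(ip, [])) | set(per_user))
    return hits


def spray_successes(events, spray_hits):
    """Accounts that later signed in successfully from a spraying IP: the ones to
    reset and investigate first."""
    return sorted({e["user"] for e in events
                   if e["result"] == SUCCESS and e["ip"] in spray_hits})


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users with many failed/declined MFA prompts in one window. Returns
    {user: approved_after}, where approved_after is True when a success followed
    the burst (the usual sign that the victim finally tapped Approve)."""
    hits = {}
    for user, win in _windows(events, "user", MFA_FAILED, window):
        if len(win) >= min_prompts:
            last = win[-1]["time"]
            approved = any(e["user"] == user and e["result"] == SUCCESS
                           and last < e["time"] <= last + window for e in events)
            hits[user] = hits.get(user, False) or approved
    return hits


if __name__ == "__main__":
    sprays = detect_password_spray(SIGN_INS)
    print("password spray sources:", sprays)
    print("accounts later opened from a spraying source:", spray_successes(SIGN_INS, sprays))
    print("MFA push bursts (approved afterwards?):", detect_mfa_fatigue(SIGN_INS))
```

The spray rule deliberately requires both many users and few attempts per user, which separates a spray from a brute force against one account and from an ordinary typo; the MFA rule pairs the burst with any following success, because a burst that ends in an approval is the case that needs an immediate session revocation rather than a ticket.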
Initial Access (TA0001): T1566.001 Spearphishing Attachment; T1566.002 Spearphishing Link; T1133 External Remote Services; T1190 Exploit Public-Facing Application
Execution (TA0002): T1047 Windows Management Instrumentation; T1053.005 Scheduled Task; T1059.001 PowerShell
Persistence (TA0003): T1098.005 Device Registration; T1547 Boot or Logon Autostart Execution
Privilege Escalation (TA0004): T1068 Exploitation for Privilege Escalation; T1055 Process Injection
Defense Evasion (TA0005): T1564.003 Hidden Window; T1036.005 Masquerading: Match Legitimate Name or Location; T1562.001 Disable or Modify Tools
Credential Access (TA0006): T1110.003 Password Spraying; T1555 Credentials from Password Stores; T1555.003 Credentials from Web Browsers; T1003 OS Credential Dumping; T1621 Multi-Factor Authentication Request Generation; T1558.003 Kerberoasting
Discovery (TA0007): T1012 Query Registry; T1082 System Information Discovery; T1069.002 Domain Groups; T1069.003 Cloud Groups; T1482 Domain Trust Discovery
Lateral Movement (TA0008): T1021.001 Remote Desktop Protocol; T1021.002 SMB/Windows Admin Shares
Collection (TA0009): T1560 Archive Collected Data
Command and Control (TA0011): T1071.001 Web Protocols; T1102.001 Dead Drop Resolver; T1572 Protocol Tunneling
Exfiltration (TA0010): T1048 Exfiltration Over Alternative Protocol
Impact (TA0040): T1485 Data Destruction; T1486 Data Encrypted for Impact

MITRE Techniques used by Iranian APTs

Why Iranian APTs Are Targeting Cloud and Identity

For Iranian threat groups, cloud and identity systems offer scale, stealth, and strategic value. These attackers are not just opportunistic, they are adapting to how organizations now operate. Remote access, federated identity, and cloud-first infrastructure have created a wide attack surface with limited visibility for many security teams.

  • Identity is the new perimeter. Once attackers obtain valid credentials, especially those tied to SaaS platforms or cloud admin roles, they often bypass detection entirely. Security tools focused on endpoints or firewalls rarely flag authenticated API calls or abnormal login behavior if the session appears legitimate.
  • Cloud environments provide cover. Iranian APTs often operate within sanctioned apps like Microsoft 365, Azure, and Google Workspace. They take advantage of weak OAuth policies, misconfigured conditional access, and excessive admin privileges. This lets them persist in environments where traditional controls were not designed to inspect behavioral anomalies across users, roles, and apps.
  • Hybrid networks offer pivot points. In many cases, attackers compromise on-prem systems and use that foothold to access connected cloud resources. Microsoft has documented attacks where Iranian actors abused Entra Connect and Azure Arc to bridge between compromised on-prem environments and cloud assets, including spinning up new infrastructure within compromised tenants.
  • Cloud-native tooling is dual-use. PowerShell, Microsoft Graph API, Teams messaging, and mailbox delegation are meant to make collaboration easier. Iranian actors are using those same capabilities to enumerate environments, share malware, and move data. Because they rarely introduce new binaries or external infrastructure, they avoid triggering classic indicators of compromise.

In short, cloud and identity attacks allow Iranian APTs to move quietly and effectively. They blend in with user behavior, avoid traditional defenses, and exploit gaps that most organizations don’t see until it’s too late.

Security Controls to Disrupt Iranian APT Tradecraft

To reduce your exposure to the techniques detailed above and make your environment a harder target, we recommend the following immediate actions:

  1. Enforce Multi-Factor Authentication to stop phishing and MFA bypass.
  2. Enable Conditional Access and device policies on cloud/SaaS accounts.
  3. Monitor login activity for suspicious IPs, unusual geographies, and VPN-originated logins.
  4. Lock down OAuth apps and permissions: review all app consents and service accounts in Microsoft 365/Azure.
  5. Audit privileged accounts regularly especially those with admin roles within Exchange/Azure.
  6. Implement User Training: recognize fake login portals and social engineering tactics.
  7. Monitor for data exfiltration: set up DLP rules and Cloud Access Security Broker (CASB) policies.
  8. Check MFA push behaviour: restrict notifications after repeated failed attempts or use phishing-resistant MFA options like FIDO2.
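Control 4 asks for a review of every app consent in the tenant, and the table above lists what a malicious consent looks like: standing access to mail and files, a refresh token that outlives the session, admin consent on behalf of all users, and an app owned by another tenant with no verified publisher. As an added example, not code from the original post or from Vectra AI, the following Python scores constructed OAuth consent grants against those signals. The field names follow the Microsoft Graph oauth2PermissionGrant and servicePrincipal resources but are simplified (verifiedPublisher reduced to a boolean, ids shortened), and the weights, threshold, tenant ids and app names are assumptions made for the example; the permission names in DATA_ACCESS_SCOPES are real Graph delegated permissions.

```python
# Delegated Microsoft Graph permissions that give an app standing access to mail,
# files or directory data (real permission names).
DATA_ACCESS_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
}
# offline_access returns a refresh token, so the app keeps access after the
# interactive session ends.
PERSISTENCE_SCOPE = "offline_access"

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed tenant id

# Constructed service principals, reduced to the fields the rules use. The keys
# stand in for the service principal object ids that grants point at.
SERVICE_PRINCIPALS = {
    "sp-expense": {"displayName": "Contoso Expense Sync",
                   "appOwnerOrganizationId": HOME_TENANT, "verifiedPublisher": True},
    "sp-backup":  {"displayName": "Mail Backup Helper",
                   "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
                   "verifiedPublisher": False},
    "sp-crm":     {"displayName": "Fabrikam CRM Connector",
                   "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
                   "verifiedPublisher": True},
}

# Constructed oauth2PermissionGrant records. consentType is "AllPrincipals" for
# admin consent on behalf of the tenant, "Principal" for a single user's consent;
# scope is the space-separated delegated scope string Graph returns.
GRANTS = [
    {"clientId": "sp-expense", "consentType": "Principal", "principalId": "user-alice",
     "scope": "User.Read Files.Read"},
    {"clientId": "sp-backup", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "sp-crm", "consentType": "Principal", "principalId": "user-bob",
     "scope": "User.Read Mail.Read offline_access"},
]


def score_grant(grant, sp, home_tenant=HOME_TENANT):
    """Return (score, reasons) for one grant. The weights are an assumption made
    for this example, not a vendor or Microsoft scoring scheme."""
    scopes = set(grant["scope"].split())
    score, reasons = 0, []
    data = sorted(scopes & DATA_ACCESS_SCOPES)
    if data:
        score += 3
        reasons.append("standing access to user data: " + ", ".join(data))
    if PERSISTENCE_SCOPE in scopes:
        score += 1
        reasons.append("offline_access: refresh token outlives the session")
    if grant["consentType"] == "AllPrincipals":
        score += 2
        reasons.append("admin consent for every user in the tenant")
    if sp["appOwnerOrganizationId"] != home_tenant:
        score += 1
        reasons.append("app is owned by another tenant")
        if not sp["verifiedPublisher"]:
            score += 2
            reasons.append("publisher not verified")
    return score, reasons


def triage(grants, sps, home_tenant=HOME_TENANT, threshold=6):
    """Grants scoring at or above threshold, highest first, with the reasons an
    analyst needs to decide whether to revoke the grant."""
    out = []
    for g in grants:
        sp = sps[g["clientId"]]
        score, reasons = score_grant(g, sp, home_tenant)
        if score >= threshold:
            out.append({"app": sp["displayName"], "score": score, "reasons": reasons})
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in triage(GRANTS, SERVICE_PRINCIPALS):
        print(f"{hit['score']:2d}  {hit['app']}")
        for reason in hit["reasons"]:
            print("     -", reason)
```

Against a real tenant the same rules run over the output of GET /oauth2PermissionGrants and GET /servicePrincipals in Microsoft Graph. The threshold is set so that a verified third-party app reading mail with a refresh token (the CRM connector here, score 5) lands in a periodic review rather than the incident queue, while an unverified, tenant-wide grant to mail and files (score 9) is surfaced immediately; application (app-only) permissions granted through appRoleAssignments deserve the same treatment and are not covered by this block.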

These controls harden your environment—but detecting credential misuse and network stealth requires active, behavior-driven visibility.

How the Vectra AI Platform Detects What Others Miss

Most security tools fail to detect Iranian APT activity because they aren’t designed to monitor how attackers operate in cloud and identity environments. The Vectra AI Platform was purpose-built to close this gap.

Rather than relying on static indicators or logs that can be manipulated, Vectra AI uses AI-driven behavioral detection to identify abnormal activity across Network, Active Directory, Microsoft 365, Entra ID, Copilot for M365, AWS, and Azure Cloud. It continuously monitors how users interact with applications, credentials, tokens, and data, surfacing signals that indicate compromise without requiring threat actors to trip obvious alarms.

But detection alone is not enough. The Vectra AI Platform also provides clarity on which alerts truly matter, eliminating noise and allowing SOC teams to focus on the signals that indicate real threats. With built-in response actions, analysts can take immediate steps to contain an attack—whether that’s revoking sessions or locking down accounts — before damage spreads. This combination of detection, clarity, and control gives security teams the confidence to respond decisively to sophisticated modern attacks. According to IDC, organizations using Vectra AI identify 52% more threats in at least 50% less time.

Here’s how Vectra AI detects each of the five core techniques used by Iranian APTs:

Technique Vectra AI Coverage
Credential Theft Detects password spraying and suspicious sign-in behaviors, including anomalous geography, user agents, and VPN-originated logins
Cloud Account Hijack Flags unauthorized access to mailboxes, OneDrive, and other services, especially when behavior deviates from the user’s normal baseline
Recon & Lateral Movement Identifies enumeration of Entra ID objects, rogue OAuth consent flows, and suspicious Azure subscription activity
Data Exfiltration via Legitimate Tools Detects abnormal data movement through sanctioned SaaS apps, such as large downloads or bulk file transfers over API
Living-Off-the-Land Surfaces abuse of native tools like Outlook, PowerShell, and remote access software that blend into routine workflows

The Vectra AI Platform does not require agents. It integrates natively with Microsoft and applies real-time detection logic tailored to identity-driven attacks. This approach delivers precise, high-fidelity alerts and automated response capabilities that empower SOC teams to act decisively without drowning in false positives.

Already a Vectra AI NDR customer?

To defend against this new wave of identity and cloud-centric attacks, we strongly recommend expanding your existing deployment with Identity and Cloud coverage. This ensures unified visibility and protection across hybrid environments where these threat actors thrive.

Now is the time to see what others can’t.
