Phishing scheme targeting Mideast researchers uses ‘herd mentality’ approach to dupe victims

The tactic linked to an Iranian group creates the impression the email activity is real by employing a phenomenon known as "social proof."

Hackers are using a clever new phishing technique to create email threads with multiple responses to trick potential victims into thinking bogus messages are legitimate.

The cybersecurity firm Proofpoint has identified the group deploying these so-called “multi-persona impersonation” emails as TA453. The company previously linked TA453 to Iran and says their activities overlap with other groups called Charming Kitten, Phosphorous and APT42.

Proofpoint said Tuesday that it noticed a recent uptick in these types of phishing emails in late June, when attackers posing as a researcher in one email referenced another researcher, who then replied to the thread.

The tactic is designed to create a stronger impression that the activity is real, the researchers said, by employing a psychological phenomenon known as “social proof.” Sometimes referred to as “herd mentality,” the idea is that people are more likely to engage if they see others doing it, too.


The research lands amid a flurry of developments related to other Iranian cyberattacks. Last week, for instance, cybersecurity firm Mandiant classified a range of Iranian-linked hacking activity dating back several years under one threat umbrella dubbed APT42. The same day, Albania announced it was severing diplomatic ties with Iran over a string of mid-July cyberattacks that targeted government systems there.

Both the U.S. and the British governments backed up the Albanians’ assessment of Iranian responsibility, and Washington took it a step further Friday by announcing sanctions on the Iranian Ministry of Intelligence and its leader.

Various Iranian-linked spear phishing schemes are known for building rapport with potential victims over long periods of time. Even within TA453, Proofpoint's researchers noted, some campaigns “engage in benign conversations with targets for weeks before delivering malicious links,” while others tend “to immediately send a malicious link in the initial email.”

TA453, the researchers noted, has typically masqueraded as a journalist or policy-adjacent individual claiming to want to work with or collaborate on research in order to target victims. “Benign conversations that eventually lead to credential harvesting links are hallmarks of TA453 activity,” the researchers said.

But this latest evolution marks an interesting leveling up and increased resource load on the attackers’ side, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.


“This is an intriguing technique because it requires more resources to be used per target — potentially burning more personas — and a coordinated approach among the various personalities in use by TA453,” DeGrippo said in a statement.

In one example, the hackers impersonated a researcher with the Foreign Policy Research Institute, a legitimate Philadelphia-based think tank focused on international policy. In the email the researcher referenced another researcher at the Pew Research Center, who was cc’d on the email.

A day after the initial email sent by the first researcher, the second researcher responded to the thread and told the unnamed victim that the two were “looking forward to hearing from you.”

In that case, no malicious documents were sent. But in another, the group employed the same tactic using an initial researcher and three additional hacker-controlled accounts, who were cc’d on the initial email. In that case, the victim initially responded to the email and the initial researcher sent a Microsoft OneDrive link containing a Microsoft Word document.

After the victim didn’t respond to additional emails, one of the three additional “researchers” dropped the first researcher from the thread and tried to get the victim to download the document.
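One way a mail filter could flag the thread shape described above, in which an unfamiliar sender copies other unfamiliar addresses and one of them later writes to the target in the same thread. This is an added example, not Proofpoint's detection logic; the function names, the known-contacts set and every address are assumptions, and the sample threads are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

def _addresses(msg, *headers):
    """Lower-cased addresses found in the given headers of one message."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def corroborating_strangers(raw_thread, recipient, known_contacts):
    """Senders the recipient has never dealt with who were first introduced
    on To/Cc by another such stranger and then wrote in the same thread."""
    trusted = {recipient.lower()} | {c.lower() for c in known_contacts}
    introduced, flagged = set(), set()
    for raw in raw_thread:                      # messages in arrival order
        msg = message_from_string(raw)
        sender = _addresses(msg, "From") - trusted
        if not sender:
            continue                            # written by the recipient or a known contact
        flagged |= sender & introduced          # a cc'd stranger is now vouching in the thread
        introduced |= _addresses(msg, "To", "Cc") - trusted - sender
    return sorted(flagged)

def _mail(sender, to, cc, body):
    """Build one constructed RFC 5322 style message for the samples below."""
    return f"From: {sender}\nTo: {to}\nCc: {cc}\nSubject: Research collaboration\n\n{body}\n"

# Constructed sample threads; every address is a placeholder.
ME = "analyst@university.example"
KNOWN = {"colleague@university.example"}        # assumption: prior correspondents
SUSPECT_THREAD = [
    _mail("Persona A <a@thinktank.example>", ME,
          "b@polling.example, c@institute.example", "Would you review our draft?"),
    _mail(ME, "a@thinktank.example", "", "Happy to take a look."),
    # A cc'd persona drops the first sender and writes to the target directly.
    _mail("c@institute.example", ME, "", "Following up: please open the shared document."),
]
BENIGN_THREAD = [
    _mail("colleague@university.example", ME, "new.hire@university.example", "Meet our new hire."),
    _mail("new.hire@university.example", ME, "", "Nice to meet you."),
]

if __name__ == "__main__":
    print(corroborating_strangers(SUSPECT_THREAD, ME, KNOWN))
    print(corroborating_strangers(BENIGN_THREAD, ME, KNOWN))
```

A hit is a reason to verify the senders out of band, not proof of impersonation: genuine first-contact threads between unfamiliar researchers have the same shape.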


“All threat actors are in constant states of iterating their tools, tactics, and techniques (TTPs), advancing some while deprecating others,” the researchers said. Even with multi-persona impersonation (MPI), they wrote, a potential next step is attempting to send a blank email and then responding to that blank email while including multiple “friends” in the cc line as a possible attempt to bypass security detection.

“Researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails,” the researchers said. “For example, experts that are approached by journalists should check the journalist’s website to see if the email address belongs to the journalist.”

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
