Microsoft says Iranian hackers targeted ‘high profile’ conference attendees

Microsoft says hackers backed by the Iranian government targeted over 100 high-profile potential attendees of two international security and policy conferences.

The group, known as Phosphorus (or APT35), sent spoofed emails masquerading as organizers of the Munich Security Conference, one of the main global security and policy conferences attended by heads of state, and the Think 20 Summit in Saudi Arabia, scheduled for later this month. Microsoft said the spoofed emails were sent to former government officials, academics and policy makers to steal passwords and other sensitive data, like email inboxes.

Microsoft did not comment, when asked, what the goal of the operation was, but the company’s customer security and trust chief Tom Burt said the attacks were carried out for “intelligence collection purposes.”

“The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries,” said Burt. “We’ve already worked with conference organizers who have and will continue to warn their attendees, and we’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events.”

Microsoft said the attackers would write emails written in “perfect English” to their target requesting an invitation to the conference. After the target accepted the invitation, the attackers would try to trick the victim into entering their email password on a fake login page. The attackers then later log in to the mailbox to steal the victim’s emails and contacts.

The group’s previous hacking campaigns have also tried to steal passwords from high-profile victims.

Iran’s consulate in New York could not be reached for comment as its website was down.

Phosphorus is known to target high-profile individuals, like politicians and presidential hopefuls. But Microsoft said that this latest attack was not related to the upcoming U.S. presidential election.

Last year, Microsoft said it had notified more than 10,000 victims of state-sponsored hacking, including Phosphorus and another Iran-backed group, Holmium, also known as APT 33. In March, the tech giant secured a court order to take control of domains used by Phosphorus, which were used to steal credentials using fake Google and Yahoo login pages.

An earlier version of this story incorrectly said Microsoft had stopped over 10,000 victims of state-sponsored hacking, when it had notified those victims.