Weaponized Iran‑Conflict Phishing Campaign Uses Fake Emergency Alerts to Harvest Microsoft Credentials
What Happened — Cofense’s Phishing Defense Center uncovered a mass‑phishing operation that masquerades as a government “Public Safety Advisory” tied to the Iran‑Israel‑U.S. conflict. The email, sent from a spoofed ministryofinterior‑civildefensenetwork@qualitycollection.com.au address, urges recipients to scan a QR code; the code redirects to a Microsoft‑styled login page that harvests credentials.
Why It Matters for TPRM —
- Phishing lures tied to geopolitical events can bypass standard awareness training that focuses on generic scams.
- Credential theft enables downstream attacks on third‑party SaaS, cloud services, and supply‑chain partners.
- QR‑code delivery bypasses URL‑filtering controls, exposing any organization that permits mobile‑device scanning.
Who Is Affected — Government agencies, defense contractors, energy utilities, multinational enterprises, and any organization with staff in or monitoring the Middle‑East region.
Recommended Actions —
- Enforce QR‑code scanning restrictions on corporate devices.
- Deploy real‑time phishing detection that flags emergency‑alert language and spoofed government domains.
- Conduct targeted awareness drills that reference current geopolitical narratives.
- Verify that email‑gateway rules block spoofed qualitycollection.com senders and similar look‑alike domains.
Technical Notes — Attack vector: phishing email with QR‑code link → “human verification” page → Microsoft‑look‑alike credential harvest. No known CVE; relies on social engineering and brand impersonation. Source: Cofense Intelligence
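One way to implement the detection recommended above, as an added example that is not from Cofense or the original brief: a mail-triage heuristic that flags a government-sounding sender on a non-government domain, emergency-alert wording, and a scan-the-QR instruction paired with an image part. The term lists, the `.gov`/`.mil` pattern, the function name and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed heuristics: term lists and the .gov/.mil pattern are illustrative, not from the report.
GOV_TERMS = re.compile(r"ministry|interior|civil.?defen[cs]e|government", re.I)
GOV_DOMAIN = re.compile(r"(?:^|\.)(?:gov|mil)(?:\.[a-z]{2})?$", re.I)
ALERT_TERMS = re.compile(r"public safety advisory|emergency alert|immediate action", re.I)
QR_TERMS = re.compile(r"\bscan\b.{0,40}\bqr\b|\bqr\b.{0,40}\bscan\b", re.I | re.S)

def score_message(raw: str) -> list[str]:
    """Return the heuristic findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    texts, has_image = [msg.get("Subject", "")], False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True  # a QR code arrives as an image, so URL filters see no link
        elif ctype == "text/plain":
            texts.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
    body = "\n".join(texts)
    findings = []
    # Sender claims a government identity but the domain is not a government one.
    if GOV_TERMS.search(f"{display} {local}") and not GOV_DOMAIN.search(domain):
        findings.append("gov-identity-on-non-gov-domain")
    if ALERT_TERMS.search(body):
        findings.append("emergency-alert-language")
    if has_image and QR_TERMS.search(body):
        findings.append("qr-scan-instruction-with-image")
    return findings

# Constructed sample modelled on the sender pattern described in the brief.
SAMPLE = """From: "Civil Defense Network" <ministryofinterior-civildefensenetwork@qualitycollection.com.au>
Subject: Public Safety Advisory
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Emergency alert: scan the QR code below to confirm your status.
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
# Constructed benign control: alert wording from a sender on a .gov domain, no image.
BENIGN = 'From: "Ministry of Interior" <alerts@interior.example.gov>\nSubject: Emergency alert test\n\nScheduled siren test.\n'
```

A message that trips all three findings is a strong quarantine candidate; a single finding, as in the benign control, is better treated as a signal for review than a block.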