Iranian-linked threat groups commonly rely on a small set of initial access methods. These actors prefer techniques that are low cost, easy to repeat, and effective. Most attacks involve social engineering, exploiting public vulnerabilities quickly, or using stolen credentials to access systems.
To defend against these threats, organizations should strengthen identity security, email security, and perimeter protection. Important measures include:
- Using phishing-resistant multi-factor authentication (MFA)
- Patching exposed systems quickly
- Monitoring for unusual authentication attempts and remote management activity
- Reducing risk from weak or default credentials in both IT and OT environments
This overview is based on observations from the Counter Threat Unit (CTU) on how Iranian-linked groups have used initial access techniques since 2020. Although threat actors may use any available method, several techniques appear repeatedly across many intrusion campaigns.
Phishing (T1566)
Phishing is still the most common initial access method. Attackers use social engineering to steal credentials or deliver malware.
Common phishing variants include:
- T1566.001 – Spearphishing Attachment: Attackers send emails with PDF or Office documents that contain malicious links or lead to installation of remote-control tools.
- T1566.002 – Spearphishing Link: Emails contain links that redirect users to credential harvesting pages, often hosted on common cloud services.
- T1566.003 – Spearphishing via Service: Social engineering messages sent through third-party platforms such as LinkedIn, webmail services, or cloud document platforms.
Common behaviors observed
- Multi-step conversations to build trust with targets
- Impersonating legitimate organizations or professionals
- Hosting malicious payloads or login pages on trusted services such as OneDrive, Google Drive, Onehub, Egnyte, and Mega
Exploiting Public-Facing Applications (T1190)
Threat actors frequently exploit newly disclosed or unpatched vulnerabilities in systems exposed to the internet. This allows them to gain an initial foothold inside the network.
Common targets include VPN gateways, email servers, and web applications.
Examples of exploited vulnerabilities include:
- CVE-2018-13379 – Fortinet FortiOS path traversal vulnerability in SSL VPN
- CVE-2019-5591 – Fortinet FortiOS sensitive information interception
- CVE-2020-12812 – Fortinet FortiOS SSL VPN authentication bypass
- CVE-2021-34473 – Microsoft Exchange ProxyShell vulnerability
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – Microsoft Exchange ProxyShell vulnerabilities
- CVE-2021-44228 – Log4Shell vulnerability affecting VMware Horizon and other systems
Organizations should prioritize patching vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Common behaviors observed
- Fast adoption of public exploit code
- Deployment of web shells for persistent access
- Using the compromised system to move deeper into internal networks
Password-Based Initial Access (T1110.003, T1078.004)
Iranian threat groups frequently run large password-spraying campaigns targeting cloud identity platforms such as Microsoft 365 or Entra ID.
Once attackers successfully log in, they can immediately access:
- Email accounts
- Files and shared storage
- Cloud workloads and services
Relevant techniques include:
- T1110.003 – Password Spraying: High-volume login attempts using common or weak passwords.
- T1078.004 – Valid Accounts: Cloud Accounts: Attackers use compromised credentials to access cloud environments.
Common behaviors observed
- Password spraying across thousands of tenant domains
- Performing discovery and persistence actions immediately after access
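As an added illustration of the authentication monitoring recommended above (example code, not from the CTU or the original page), the following Python runs over constructed sign-in events and flags the spray pattern described here: one source IP failing against many distinct accounts inside a short window. It then reports any later success from a flagged IP, which is the cloud account takeover step (T1078.004). The event layout, IPs, accounts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sign-in events for illustration, not real telemetry:
# (timestamp, source IP, account, result).
SAMPLE_EVENTS = [
    # 203.0.113.7 tries one guess against six accounts in five minutes
    ("2024-03-01T08:00:01", "203.0.113.7", "alice@example.org", "fail"),
    ("2024-03-01T08:00:40", "203.0.113.7", "bob@example.org", "fail"),
    ("2024-03-01T08:01:15", "203.0.113.7", "carol@example.org", "fail"),
    ("2024-03-01T08:02:02", "203.0.113.7", "dave@example.org", "fail"),
    ("2024-03-01T08:03:30", "203.0.113.7", "erin@example.org", "fail"),
    ("2024-03-01T08:04:55", "203.0.113.7", "frank@example.org", "fail"),
    # ...and one guess works: a cloud account takeover (T1078.004)
    ("2024-03-01T08:05:10", "203.0.113.7", "frank@example.org", "success"),
    # 198.51.100.4 fails three times on one account: a typo, not a spray
    ("2024-03-01T08:10:00", "198.51.100.4", "alice@example.org", "fail"),
    ("2024-03-01T08:10:20", "198.51.100.4", "alice@example.org", "fail"),
    ("2024-03-01T08:10:45", "198.51.100.4", "alice@example.org", "success"),
    # 192.0.2.9 touches five accounts, but spread over two hours
    ("2024-03-01T09:00:00", "192.0.2.9", "alice@example.org", "fail"),
    ("2024-03-01T09:30:00", "192.0.2.9", "bob@example.org", "fail"),
    ("2024-03-01T10:00:00", "192.0.2.9", "carol@example.org", "fail"),
    ("2024-03-01T10:30:00", "192.0.2.9", "dave@example.org", "fail"),
    ("2024-03-01T11:00:00", "192.0.2.9", "erin@example.org", "fail"),
]

def detect_password_spray(events, window_minutes=10, min_accounts=5):
    """Map source IP -> sorted distinct accounts for every IP whose failed
    sign-ins hit at least `min_accounts` distinct accounts inside one window."""
    window = timedelta(minutes=window_minutes)  # thresholds are assumed defaults
    failures = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "fail":
            failures[ip].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts

def successes_after_spray(events, alerts):
    """Successful sign-ins from an IP already flagged as spraying: the accounts
    most likely taken over, and the first candidates for a credential reset."""
    return sorted({(ip, acct) for _, ip, acct, res in events
                   if res == "success" and ip in alerts})
```

The 10-minute window deliberately ignores the slow sweep from 192.0.2.9; widening `window_minutes` catches it, at the cost of more noise from ordinary mistyped passwords.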
Abuse of Remote Monitoring and Management Tools (T1219)
Another common technique is installing legitimate Remote Monitoring and Management (RMM) tools after phishing attacks.
These tools give attackers remote access without needing traditional malware.
Commonly abused RMM tools include:
- ScreenConnect
- Atera
- PDQ
- Action1
- Syncro
- Level
- SimpleHelp
- Remote Utilities
- eHorus
- N-Able
Relevant technique:
- T1219.002 – Remote Desktop Software: Using legitimate remote access tools for command and control.
Common behaviors observed
- Using trial licenses or compromised email accounts to register RMM software
- Running remote scripts and credential-dumping tools through the RMM console
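To show how the two behaviors above surface in endpoint telemetry, here is an added Python example (not code from the CTU or the original page) that runs two checks over constructed process-creation events using Sysmon Event ID 1 field names: an RMM product from the list above that is not on the organization's allow-list, and a script interpreter spawned by a known RMM agent. The allow-list, file paths, product strings and user names are assumptions; matching on product names as words is a coarse substitute for the vendor signer and binary names a production rule would use.

```python
import ntpath, re
# RMM products named in the article; the approved set is an assumed allow-list.
RMM_PRODUCTS = ["ScreenConnect", "Atera", "PDQ", "Action1", "Syncro", "Level",
                "SimpleHelp", "Remote Utilities", "eHorus", "N-Able"]
APPROVED_RMM = {"N-Able"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Constructed process-creation events with Sysmon Event ID 1 field names
# (Image, ParentImage, Product, User); paths and product strings are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Product": "ScreenConnect", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "Product": "Microsoft Windows", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Program Files\N-able\Agent\agent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Product": "N-Able Agent", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Program Files\AteraAgent\AteraAgent.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Product": "Atera", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Product": "Microsoft Windows", "User": r"CORP\jdoe"},
]

def rmm_product(event):
    """Name of the listed RMM product an event's Product field matches, or None."""
    for name in RMM_PRODUCTS:
        if re.search(r"\b" + re.escape(name) + r"\b", event["Product"], re.I):
            return name
    return None

def find_rmm_alerts(events):
    """(1) Any RMM product outside the approved set, which is how a post-phishing
    install shows up; (2) an interpreter spawned by a known RMM agent process."""
    alerts, rmm_images = [], {}
    for e in events:
        name = rmm_product(e)
        if name:
            rmm_images[e["Image"].lower()] = name
            if name not in APPROVED_RMM:
                alerts.append(("unapproved_rmm", name, e["User"]))
    for e in events:
        parent = rmm_images.get(e["ParentImage"].lower())
        if parent and ntpath.basename(e["Image"]).lower() in INTERPRETERS:
            alerts.append(("rmm_spawned_interpreter", parent, e["User"]))
    return alerts
```

The PowerShell launched from explorer.exe is left alone, while the same binary launched under the ScreenConnect service is flagged; the parent process, not the tool itself, is what separates legitimate administration from the console-driven scripting described above.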
Use of External Remote Services (T1133)
After stealing credentials or exploiting a perimeter system, attackers often access the network using legitimate remote access channels.
Examples include:
- VPN portals
- Remote Desktop Protocol (RDP)
- Cloud-based remote access services
Common behaviors observed
- Using stolen credentials instead of malware
- Blending in with normal administrative activity
Exploitation of Default or Weak Credentials (T1078.001, T1078.003)
Some attacks begin because devices are still using default or easily guessed credentials, especially in ICS or OT environments.
In 2023, the group Cyber Av3ngers used weak and default credentials to compromise exposed Unitronics PLCs. These attacks targeted water and industrial control systems, including a U.S. municipal water authority, and included anti-Israeli messaging.
Relevant techniques include:
- T1078.001 – Valid Accounts: Default Accounts
- T1078.003 – Valid Accounts: Local Accounts
Common behaviors observed
- Internet-exposed operational systems
- Rapid pivot to system defacement, reconnaissance, or disruption
Conclusion
Iranian state-linked threat actors will exploit any available opportunity to compromise a target. However, analysis from the Counter Threat Unit shows a clear preference for several repeatable initial access techniques.
| Technique | MITRE ATT&CK ID | What It Enables |
|---|---|---|
| Spearphishing (attachments, links, services) | T1566.001 / T1566.002 / T1566.003 | Credential theft and malware or RMM installation |
| Exploit Public-Facing Applications | T1190 | Server or device compromise, web shell deployment |
| Password Spraying | T1110.003 | Cloud or remote account takeover |
| Valid Cloud Accounts | T1078.004 | Access to email, files, and cloud workloads |
| Remote Access Tools (Remote Desktop Software) | T1219.002 | Remote control using legitimate administrative tools |
| External Remote Services | T1133 | Network access through VPN or RDP using stolen credentials |
| Default Credentials | T1078.001 / T1078.003 | Rapid compromise of exposed systems, including OT devices |
For more information about Iranian state-sponsored cyber activity, organizations can review threat advisories published by CISA and other security agencies.
