In August 2025, Oman’s Foreign Ministry fell victim to a sophisticated Iranian state-sponsored phishing campaign executed by the *Homeland Justice* group, linked to Iran’s Ministry of Intelligence and Security. The attack compromised the ministry’s email system, enabling hackers to send malicious Word documents disguised as diplomatic correspondence to ~200 high-profile recipients, including Egyptian officials in Cairo and Paris, as well as U.S. and Qatari mediators involved in Gaza ceasefire negotiations.

The malware embedded in the documents deployed offensive cyber-espionage tools, allowing attackers to monitor targets, intercept emails, and record private conversations. While no direct infrastructure disruption or mass data theft was reported, the breach eroded diplomatic trust, risked leaking sensitive negotiation details, and could have manipulated geopolitical outcomes, particularly the Gaza ceasefire process. The attack mirrored Iran’s broader regional espionage strategy, previously seen in operations like the 2023 Albania cyberattack.

Dream Security’s AI-driven forensic analysis traced the campaign’s infrastructure, exposing the group’s methods and potential for future disruptions. The incident underscores how cyber operations are weaponizing diplomatic channels, blending cyber warfare with traditional statecraft to achieve strategic influence.
Source: https://www.ynetnews.com/business/article/r153ei1cxx
TPRM report: https://www.rankiteo.com/company/foreign-ministry-of-oman
"id": "for907083025",
"linkid": "foreign-ministry-of-oman",
"type": "Cyber Attack",
"date": "6/2023",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'customers_affected': '200+ recipients (including '
'Egyptian officials, US/Qatar '
'mediators)',
'industry': 'diplomacy/foreign affairs',
'location': 'Oman',
'name': 'Oman’s Foreign Ministry',
'type': 'government'},
{'industry': 'diplomacy/foreign affairs',
'location': 'Egypt',
'name': 'Egyptian Government (Cairo office)',
'type': 'government'},
{'industry': 'diplomacy/foreign affairs',
'location': 'France',
'name': 'Egyptian Government (Paris office)',
'type': 'government'},
{'industry': 'diplomacy/conflict resolution',
'location': 'United States',
'name': 'United States Mediators',
'type': 'government'},
{'industry': 'diplomacy/conflict resolution',
'location': 'Qatar',
'name': 'Qatar Mediators',
'type': 'government'}],
'attack_vector': ['spear-phishing emails', 'malicious Word documents'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['Word documents (.doc/.docx)'],
'sensitivity_of_data': 'high (classified diplomatic '
'communications)',
'type_of_data_compromised': ['diplomatic emails',
'correspondence',
'recorded conversations']},
'date_detected': '2025-08',
'description': 'The attack, identified in August 2025, targeted the email '
'account of Oman’s Foreign Ministry. Hackers sent messages '
'disguised as diplomatic correspondence to roughly 200 '
'recipients, including Egyptian officials in Cairo and Paris, '
'alongside mediators from the United States and Qatar. The '
'emails contained Word documents appearing to be official '
'letters from Oman. When opened, the files unleashed malicious '
'code that converted into offensive cyber software designed to '
'monitor the target, read correspondence, and record '
"conversations. The campaign was attributed to the 'Homeland "
"Justice' group, linked to Iran’s Ministry of Intelligence and "
'Security, and focused on diplomatic communications, '
'potentially influencing the Gaza ceasefire process.',
'impact': {'brand_reputation_impact': ['erosion of diplomatic credibility',
'loss of trust in secure '
'communications'],
'data_compromised': ['diplomatic correspondence',
'recorded conversations',
'email communications'],
'operational_impact': ['compromised diplomatic trust',
'potential influence on Gaza ceasefire '
'negotiations'],
'systems_affected': ['email accounts',
'end-user devices (via malicious documents)']},
'initial_access_broker': {'backdoors_established': True,
'entry_point': 'phishing emails with malicious Word '
'attachments',
'high_value_targets': ['diplomatic officials',
'ceasefire mediators']},
'investigation_status': 'Ongoing (AI-driven forensic analysis completed; '
'operational methods exposed)',
'lessons_learned': ['Diplomatic email channels are high-value targets for '
'state-sponsored espionage.',
'AI-driven threat intelligence can effectively map and '
'disrupt advanced phishing campaigns.',
'Geopolitical tensions correlate with increased cyber '
'espionage targeting diplomatic entities.',
'Malicious documents remain a primary vector for initial '
'access in espionage operations.'],
'motivation': ['espionage',
'geopolitical influence',
'diplomatic surveillance'],
'post_incident_analysis': {'corrective_actions': ['Deployment of AI agents '
'for real-time phishing '
'detection (as demonstrated '
'by Dream Security).',
'Diplomatic cybersecurity '
'drills focusing on social '
'engineering attacks.',
'Adoption of secure '
'communication platforms '
'resistant to '
'document-based exploits.'],
'root_causes': ['Lack of advanced email filtering '
'for diplomatic correspondence.',
'Over-reliance on traditional '
'document formats (e.g., Word) for '
'sensitive communications.',
'Insufficient threat intelligence '
'sharing among targeted nations.']},
'recommendations': ['Implement AI-based email security solutions to detect '
'sophisticated phishing attempts.',
'Enhance authentication protocols for diplomatic '
'communications (e.g., multi-factor authentication, '
'digital signatures).',
'Conduct regular red-team exercises simulating '
'state-sponsored phishing campaigns.',
'Establish cross-border cybersecurity cooperation to '
'counter regional espionage threats.',
'Monitor dark web forums for signs of stolen diplomatic '
'data or attack infrastructure.'],
'references': [{'source': 'Dream Security Report (2025)'},
{'source': 'Historical comparison to 2023 Iran-linked attack '
'in Albania'}],
'response': {'enhanced_monitoring': ['AI-driven dark web/open-web scanning',
'forensic analysis of attack '
'infrastructure'],
'incident_response_plan_activated': True,
'third_party_assistance': ['Dream Security']},
'stakeholder_advisories': ['Diplomatic entities in the Middle East and North '
'Africa (MENA) region',
'Gaza ceasefire negotiation teams',
'Cybersecurity agencies monitoring Iranian threat '
'actors'],
'threat_actor': {'affiliation': 'Iran’s Ministry of Intelligence and Security '
'(MOIS)',
'name': 'Homeland Justice',
'type': 'state-sponsored'},
'title': 'Iranian Phishing Operation Targeting Oman’s Foreign Ministry (2025)',
'type': ['cyber espionage', 'phishing', 'malware attack']}