
Initial access techniques used by Iran-based threat actors

Analysis of attacks originating from Iran-linked threat groups reveals a preference for certain techniques

Iranian‑linked threat groups often use a core set of initial access methods. The threat actors favor cost-effective, repeatable intrusion techniques that involve social engineering, quickly exploiting public vulnerabilities, and using compromised credentials to infiltrate systems. To build strong defense measures, organizations should reinforce identity, email, and perimeter security by implementing phishing-resistant multi-factor authentication, promptly patching exposed systems, monitoring for unusual authentication and remote management usage, and minimizing risk from weak or default credentials in both IT and OT environments.

This overview draws from Counter Threat Unit™ (CTU) observations of how various groups and operations have used initial access techniques since 2020. Threat groups will use any available method to compromise a target, but the following are their preferred approaches that underpin wide-ranging intrusion campaigns.

Phishing (T1566)

Phishing remains the most common initial access vector, relying on well-crafted social engineering to obtain credentials or trigger malware delivery. This category includes the following variants: 

  • T1566.001 - Spearphishing Attachment: Delivery of PDF/Office documents that contain embedded malicious links or lead to the installation of remote-control tools 
  • T1566.002 - Spearphishing Link: Emails directing recipients to credential harvesting pages hosted on common cloud services 
  • T1566.003 - Spearphishing via Service: Social engineering conducted over third-party platforms such as LinkedIn, webmail services, and cloud-hosted document providers 

Key Iranian threat group behaviors 

  • Use of multistep rapport-building exchanges 
  • Impersonation of legitimate organizations or professionals 
  • Hosting of payloads or login traps on trusted cloud services (OneDrive, Google Drive, Onehub, Egnyte, Mega) 
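The cloud-hosted login traps and payload links above are the part of a spearphishing message a mail gateway or analyst can check mechanically. The following Python is an added triage example written for this overview (it is not CTU code and not from the report): it pulls URLs out of constructed message bodies and reports the ones whose host belongs to one of the file-sharing services named above. The hostname list, the sample messages and the function names are assumptions; a real deployment would feed it the organisation's own mail logs and a maintained host list.

```python
"""Flag spearphishing links that point at trusted file-sharing services.

Added example, not part of the CTU report. Extracts URLs from constructed
e-mail bodies and reports those hosted on the cloud services the report
names (OneDrive, Google Drive, Onehub, Egnyte, Mega). SHARING_HOSTS is an
assumed, defender-maintained list, not a complete catalogue.
"""
import re
from urllib.parse import urlparse

# Assumed hostnames for the listed services; subdomains match via suffix check.
SHARING_HOSTS = {
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "onehub.com": "Onehub",
    "egnyte.com": "Egnyte",
    "mega.nz": "Mega",
}

# Stop a URL at whitespace or common delimiters found in mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def service_for_host(host: str):
    """Return the sharing service for a host or any parent domain, else None.

    Suffix matching from the registered domain upwards means
    'ws.onehub.com' matches 'onehub.com', while a look-alike such as
    'drive.google.com.attacker.example' does not.
    """
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in SHARING_HOSTS:
            return SHARING_HOSTS[candidate]
    return None


def flag_sharing_links(body: str):
    """Return (url, service) pairs for links hosted on a listed service."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        service = service_for_host(host)
        if service:
            hits.append((url, service))
    return hits


# Constructed sample messages for demonstration; not real phishing mail.
SAMPLES = {
    "msg1": "Hi, following up on our call. The proposal is here: "
            "https://1drv.ms/u/s!example-share-id",
    "msg2": "Your invoice is attached. Questions? Reply to this mail.",
    "msg3": "Review the document at https://drive.google.com/file/d/ABC123/view "
            "and https://www.example.org/report.pdf",
}


def triage(messages: dict):
    """Map message id -> flagged links, omitting messages with none."""
    result = {}
    for mid, body in messages.items():
        hits = flag_sharing_links(body)
        if hits:
            result[mid] = hits
    return result


if __name__ == "__main__":
    for mid, hits in triage(SAMPLES).items():
        for url, service in hits:
            print(f"{mid}: {service} link -> {url}")
```

A hit is a triage signal, not a verdict: legitimate business mail uses these services too, so the output is best combined with sender reputation, the rapport-building pattern noted above, and whether the link leads to a login page rather than a document.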

Exploitation of public-facing applications (T1190) 

Threat actors frequently exploit newly disclosed or unpatched vulnerabilities in perimeter systems to obtain an initial foothold. Popular examples have included vulnerabilities in Fortinet FortiOS, Microsoft Exchange ProxyShell, and VMware Horizon/Log4Shell.

As a general recommendation, organizations should prioritize patching of vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog.

Key Iranian threat group behaviors 

  • Rapid adoption of public exploit code 
  • Deployment of web shells for persistent access 
  • Use of these footholds to pivot deeper into internal networks

Password-based initial access (T1110.003, T1078.004) 

Large-scale password-spraying campaigns target cloud identity platforms (e.g., Microsoft 365 / Entra ID). Successful authentication provides direct access to email, files, and user workloads.

  • T1110.003 - Password Spraying: High-volume authentication attempts using common or weak passwords 
  • T1078.004 - Valid Accounts: Cloud Accounts: Use of successfully compromised credentials to access cloud services and perform follow-on actions 

Key Iranian threat group behaviors 

  • Persistent attempts across thousands of tenant domains 
  • Initiation of discovery and persistence actions immediately after accounts are accessed 
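The distinguishing shape of password spraying is many distinct accounts failing from one source with few attempts each, followed by a success that becomes T1078.004 use of a valid cloud account. The Python below is an added detection example written for this overview, not CTU tooling: it runs over a constructed list of sign-in events shaped loosely like Entra ID sign-in log records. The field names, the one-hour window, the five-account threshold and the sample IP addresses are assumptions; error code 50126 is the Entra ID "invalid username or password" result and 0 denotes success.

```python
"""Detect password spraying in sign-in logs and flag follow-on account use.

Added example, not part of the CTU report. Input is a constructed list of
sign-in events with assumed field names (userPrincipalName, ipAddress,
createdDateTime, errorCode). Error code 50126 is Entra ID's
"invalid username or password"; 0 is a successful sign-in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126
SUCCESS = 0


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(hours=1), min_users=5):
    """Return {ip: set(users)} for source IPs whose failed sign-ins touched
    at least min_users distinct accounts inside any sliding time window.

    Spraying is wide (many users) and shallow (few guesses per user), so the
    count of distinct accounts, not the raw failure count, is the signal.
    """
    fails = defaultdict(list)
    for e in events:
        if e["errorCode"] == INVALID_CREDENTIALS:
            fails[e["ipAddress"]].append(
                (parse_ts(e["createdDateTime"]), e["userPrincipalName"]))
    sprayers = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within 'window'.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                sprayers[ip] = sprayers.get(ip, set()) | users
    return sprayers


def compromised_accounts(events, sprayers):
    """Accounts that signed in successfully from a spraying IP (T1078.004)."""
    return sorted({e["userPrincipalName"] for e in events
                   if e["errorCode"] == SUCCESS and e["ipAddress"] in sprayers})


# Constructed sample events: one spraying source that eventually succeeds as
# 'erin', and one user mistyping their own password twice (not a spray).
EVENTS = [
    {"createdDateTime": "2024-05-01T02:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T02:01:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T02:02:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T02:03:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T02:04:00Z", "userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T02:09:00Z", "userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.7", "errorCode": 0},
    {"createdDateTime": "2024-05-01T08:30:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T08:30:20Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T08:31:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5", "errorCode": 0},
]


def report(events):
    """Combine both checks into one result for a SOC queue."""
    sprayers = detect_spray(events)
    return {"spraying_ips": {ip: sorted(u) for ip, u in sprayers.items()},
            "compromised": compromised_accounts(events, sprayers)}


if __name__ == "__main__":
    print(report(EVENTS))
```

The success from a spraying IP is the event to act on first, because the report notes that discovery and persistence actions begin immediately after access; resetting that account and revoking its sessions matters more than blocking the source address, which rotates.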

Remote monitoring and management (RMM) tool abuse (T1219)

A recurring tactic is the use of phishing emails that lead to installation of legitimate RMM agents such as ScreenConnect, Atera, PDQ, Action1, Syncro, Level, SimpleHelp, Remote Utilities, eHorus, and N-Able. These agents immediately grant remote execution capability without the need for malware. 

  • T1219.002 - Remote Desktop Software: Remote access tools used for command and control

Key Iranian threat group behaviors

  • Abuse of trial licenses or compromised email accounts for RMM registration 
  • Remote scripting and credential dumping via the RMM console 
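Because the agents listed above are legitimate, signed software, detection cannot rest on "is this malware"; it rests on "is this the RMM product this organisation sanctioned, and did it arrive through the deployment path we expect". The Python below is an added example written for this overview (not CTU code) that applies that logic to constructed process-start records. The field names, publisher strings, executable paths, the sanctioned product and the list of user-facing parent processes are all assumptions; the vendor fragments only cover the tools the report names.

```python
"""Spot RMM agents that are not the organisation's sanctioned tool, or that
were launched from a user-facing application (the phishing delivery path).

Added example, not part of the CTU report. Events are constructed
process-start records with assumed fields: host, image, publisher, parent.
"""

# Vendor fragments for the tools the report names, matched case-insensitively
# against image path and publisher. Illustrative and partial by design.
RMM_SIGNATURES = {
    "screenconnect": "ScreenConnect",
    "connectwise": "ScreenConnect",
    "atera": "Atera",
    "pdq": "PDQ",
    "action1": "Action1",
    "syncro": "Syncro",
    "simplehelp": "SimpleHelp",
    "remote utilities": "Remote Utilities",
    "rutserv": "Remote Utilities",
    "ehorus": "eHorus",
    "n-able": "N-Able",
}

# Assumed: the single RMM product approved for this environment.
SANCTIONED_RMM = "Atera"

# Parents that indicate a user double-clicked something from mail or the web,
# rather than the agent being pushed by management tooling or a service.
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "winword.exe", "acrord32.exe"}


def identify_rmm(event):
    """Return the RMM product an event belongs to, or None."""
    haystack = (event["image"] + " " + event["publisher"]).lower()
    for needle, product in RMM_SIGNATURES.items():
        if needle in haystack:
            return product
    return None


def assess(events):
    """Return findings for unsanctioned RMM, or sanctioned RMM launched by a
    user-facing parent (a trial-licence install delivered by phishing looks
    identical to the approved agent apart from how it arrived)."""
    findings = []
    for e in events:
        product = identify_rmm(e)
        if product is None:
            continue
        from_user_app = e["parent"].lower() in USER_FACING_PARENTS
        if product == SANCTIONED_RMM and not from_user_app:
            continue  # expected agent via the expected path
        reason = ("unsanctioned RMM" if product != SANCTIONED_RMM
                  else "sanctioned RMM spawned from user-facing app")
        findings.append({"host": e["host"], "product": product,
                         "reason": reason, "image": e["image"]})
    return findings


# Constructed sample telemetry; paths and publishers are illustrative.
EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "publisher": "Atera Networks Ltd", "parent": "services.exe"},
    {"host": "WS02", "image": r"C:\Users\j.doe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "publisher": "Connectwise, LLC", "parent": "OUTLOOK.EXE"},
    {"host": "WS03", "image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "publisher": "Remote Utilities LLC", "parent": "msiexec.exe"},
    {"host": "WS04", "image": r"C:\Windows\System32\notepad.exe",
     "publisher": "Microsoft Windows", "parent": "explorer.exe"},
    {"host": "WS05", "image": r"C:\Users\a.lee\Downloads\AteraAgentSetup.exe",
     "publisher": "Atera Networks Ltd", "parent": "chrome.exe"},
]


if __name__ == "__main__":
    for f in assess(EVENTS):
        print(f"{f['host']}: {f['product']} ({f['reason']}) {f['image']}")
```

Application control that allows only the sanctioned agent by publisher and path removes most of this class at source; the detection above covers the gap for hosts where that control is not yet enforced.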

Use of external remote services (T1133) 

After credential theft or perimeter compromise, threat actors log in via legitimate remote access channels: 

  • VPN portals 
  • RDP endpoints 
  • Cloud-based remote access interfaces

Key Iranian threat group behaviors 

  • Use of compromised credentials rather than malware 
  • Blending in with legitimate administrative access patterns 

Exploitation of default or weak credentials (T1078.001, T1078.003) 

Some intrusions begin with access to devices, especially ICS or OT systems, that still use default or trivially guessable credentials. In 2023 Cyber Av3ngers, using default and weak credentials, conducted politically motivated cyberattacks by exploiting exposed Unitronics PLCs to disrupt water and other industrial control systems, including a U.S. municipal water authority, while spreading anti‑Israeli messaging.

  • T1078.001 - Valid Accounts: Default Accounts 
  • T1078.003 - Valid Accounts: Local Accounts 

Key Iranian threat group behaviors 

  • Exposure of internet-connected operational systems 
  • Quick pivot to defacement, reconnaissance, or disruption 

Conclusion

Although Iran-based threat actors will take advantage of any vulnerability or opportunity to compromise targeted systems, CTU™ analysis of numerous attacks has revealed a preference for certain techniques. Table 1 lists the techniques and associated MITRE ATT&CK® identifiers discussed in this report. For additional information about cyber threats posed by Iran state-sponsored threat actors, CISA has published numerous advisories and warnings.

| Technique | MITRE ID | What It Enables |
| --- | --- | --- |
| Spearphishing (attachments, links, services) | T1566.001, T1566.002, T1566.003 | Credential theft and malware or RMM installation |
| Exploit Public-Facing Applications | T1190 | Server or device compromise, web shell deployment |
| Password Spraying | T1110.003 | Cloud or remote access account takeover |
| Valid Cloud Accounts | T1078.004 | Post-authorization access to email, files, and cloud workloads |
| Remote Access Tools: Remote Desktop Software | T1219.002 | Remote control using legitimate admin tooling |
| External Remote Services | T1133 | Network entry via VPN or RDP using stolen credentials |
| Default Credentials | T1078.001, T1078.003 | Rapid access to exposed systems, including OT devices |

Table 1: Techniques used by Iran-based threat actors