
APT35 Under Attack: Government and Military Login Credentials Stolen. Immediate Defense Plan.
By CyberDudeBivash • October 02, 2025, 04:45 PM IST • APT Threat Intelligence Report
This is a critical threat briefing for all government, military, and diplomatic personnel and the security teams that protect them. The Iranian state-sponsored espionage group **APT35 (Charming Kitten)** is conducting a highly successful campaign to compromise the Microsoft 365 and Google Workspace accounts of high-value targets. This is not a theoretical threat; we have credible intelligence that they are actively stealing credentials and gaining persistent access to sensitive mailboxes. They are achieving this by using a sophisticated **“Vishing-to-OAuth”** attack chain that bypasses traditional MFA methods like SMS and authenticator apps. Your account is the target, and their social engineering is relentless. This is your immediate defense plan.
Disclosure: This is a threat intelligence report for security professionals and high-risk individuals. It contains affiliate links to security solutions that can mitigate these threats. Your support helps fund our independent research.
Defense Plan: Table of Contents
- Chapter 1: The Kill Chain — How the ‘Vishing-to-OAuth’ Attack Works
- Chapter 2: Technical Deep Dive — The Mechanics of Illicit OAuth Consent
- Chapter 3: THE IMMEDIATE DEFENSE PLAN — A Guide for Targeted Personnel
- Chapter 4: For Admins — A Technical Playbook for Hardening Your Tenant
- Chapter 5: Strategic Summary & Indicators of Compromise (IOCs)
Chapter 1: The Kill Chain — How the ‘Vishing-to-OAuth’ Attack Works
As we’ve detailed in our previous reports on threat actor **UNC6040**, this attack chain is brutally effective because it combines human manipulation with modern cloud architecture abuse.
- **Reconnaissance:** APT35 identifies a target (e.g., a policy advisor at a government ministry) and finds their direct phone number.
- **The Vishing Call:** The attacker calls the target, impersonating a helpdesk technician from their own agency or from Microsoft. They use an urgent pretext: “Hello, this is IT support. We’re seeing critical security alerts from your M365 account and need you to help us re-sync your security profile immediately.”
- **The Malicious App:** The attacker directs the user to a specific website. This site initiates a legitimate Microsoft 365 login, but it’s for the purpose of granting permissions to the attacker’s malicious third-party OAuth application.
- **Social Engineering the “Accept” Click:** The attacker stays on the phone, building trust and urgency. When the Microsoft “Permissions requested” screen appears, the attacker says, “Okay, you’ll now see the prompt for our new security tool. Please click ‘Accept’ to approve the sync.”
- **Account Takeover:** The user clicks “Accept.” The attacker’s app is now granted a long-lived token (kept alive through `offline_access`) to the user’s email, calendar, contacts, and files. The attacker never needed the user’s password; they tricked the user into handing over a key.
Chapter 2: Technical Deep Dive — The Mechanics of Illicit OAuth Consent
This attack does not bypass MFA in the traditional sense; it makes it irrelevant. OAuth 2.0 is the framework that lets you grant one application permission to access your data in another. The attack hinges on tricking you into granting dangerous permissions to a malicious app.
The permissions APT35 requests are typically the most invasive ones available:
- `Mail.ReadWrite`: Read, write, and delete all your emails.
- `Files.ReadWrite.All`: Read and write all your files in OneDrive and SharePoint.
- `offline_access`: Issues a refresh token, so the attacker’s app can keep accessing your data even after you log off.
Once you click “Accept,” the attacker’s app receives an access token. It can now use this token programmatically from its own servers to access your data at any time, until the grant is manually revoked by an administrator.
Chapter 3: THE IMMEDIATE DEFENSE PLAN — A Guide for Targeted Personnel
If you are a government, military, or diplomatic employee, you are a target. You must adopt these behaviors immediately.
1. TRUST NO UNSOLICITED CALLS. EVER.
If you receive an unexpected call from someone claiming to be from IT support, no matter how convincing they are, **do not follow their instructions.** State that you will call them back through an official channel. Hang up, and then call your helpdesk’s official, known phone number to verify the request.
2. NEVER APPROVE AN MFA PROMPT YOU DID NOT INITIATE
If a push notification or authentication prompt appears on your phone when you are not actively trying to log in, **always deny it**. This is a sign that an attacker has your password and is trying to bypass your MFA.
3. UPGRADE TO PHISHING-RESISTANT MFA
Traditional MFA is phishable. Your organization must move to **phishing-resistant MFA**, specifically hardware security keys using the FIDO2 standard.
This is the only technical control that reliably defeats this class of attack. Learn everything you need to know in our definitive **Ultimate Guide to Phishing-Resistant MFA and Hardware Keys**.
Chapter 4: For Admins — A Technical Playbook for Hardening Your Tenant
As a Microsoft 365 or Google Workspace administrator, you have the power to block this attack vector at the source.
- **Block User Consent:** This is the most critical technical control. In your Azure Active Directory portal, navigate to `Enterprise applications > Consent and permissions > User consent settings`. Set this to **“Do not allow user consent.”** This will prevent users from being able to approve any new applications themselves.
- **Implement an Admin Consent Workflow:** Configure an admin consent workflow. This allows users to “request” access to a new app, which a qualified administrator can then review and approve or deny.
- **Audit All Existing OAuth Applications:** You must assume you may already be compromised. Go to the `Enterprise applications` blade and audit every single application that has been granted permissions in your tenant. Review their permissions and revoke access for any app that is unrecognized, unused, or has overly broad permissions.
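Chapter 2 lists the scopes to look for and the step above asks for an audit of every grant; the following is an added example (not the report's or Microsoft's code) that scores Microsoft Graph `oauth2PermissionGrants` records against that pattern, assuming you have already exported them. The sample records and the severity tiers are constructed.

```python
"""Triage Graph oauth2PermissionGrant records for illicit-consent risk (added example,
not the report's code); record fields follow the Graph resource, samples are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Delegated scopes Chapter 2 names as the attacker's usual request, plus close relatives.
INVASIVE_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Mail.Read", "Mail.Send"}
PERSISTENCE_SCOPE = "offline_access"  # yields a refresh token: access survives logoff
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample of what GET /oauth2PermissionGrants might return (trimmed).
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-aaaa", "consentType": "Principal", "principalId": "user-0001",
     "scope": "User.Read offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "g2", "clientId": "sp-bbbb", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-cccc", "consentType": "Principal", "principalId": "user-0002",
     "scope": "User.Read offline_access"},
]

@dataclass
class Finding:
    grant_id: str
    client_id: str
    principal_id: Optional[str]
    user_consented: bool   # consentType == "Principal": one user clicked Accept
    invasive: List[str]    # invasive scopes present in this grant
    persistent: bool       # offline_access present
    @property
    def severity(self) -> str:
        # User-consented + invasive + offline_access is exactly the kill-chain pattern.
        if self.user_consented and self.invasive and self.persistent:
            return "critical"
        if self.invasive:
            return "high"
        if self.user_consented and self.persistent:
            return "medium"
        return "low"

def triage(grants) -> List[Finding]:
    # Score every grant and return them most severe first (stable within a tier).
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        findings.append(Finding(
            grant_id=g["id"], client_id=g["clientId"], principal_id=g.get("principalId"),
            user_consented=g.get("consentType") == "Principal",
            invasive=sorted(scopes & INVASIVE_SCOPES),
            persistent=PERSISTENCE_SCOPE in scopes,
        ))
    return sorted(findings, key=lambda f: RANK[f.severity])
```

Anything that comes back `critical` is the exact shape of the grant described in Chapter 1 and should be revoked first; `medium` grants (user consent plus `offline_access` but no mail or file scope) still deserve a look.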
Chapter 5: Strategic Summary & Indicators of Compromise (IOCs)
APT35’s continued success proves that social engineering remains the most effective attack vector against even well-defended organizations. Their shift to AiTM (adversary-in-the-middle) phishing and illicit consent grants is a direct response to the widespread adoption of traditional MFA. The defense must now evolve as well, combining robust user training with strict technical controls on application consent and a move towards truly phishing-resistant authentication methods.
Indicators of Compromise (IOCs)
Security teams should hunt for the following artifacts associated with APT35 campaigns:
- **OAuth Application Names:** Look for newly created Enterprise Apps with generic names like `O365 Security`, `Email Sync`, or names that mimic real software but were registered recently.
- **Domains:** Phishing links originating from typosquatted domains of academic or policy conferences.
- **Audit Log Events:** Search M365 unified audit logs for `"Consent to application"` events from non-administrator users, especially when followed by unusual `MailItemsAccessed` or `FileAccessed` events from the application’s service principal.
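To make that last indicator a repeatable hunt, here is an added example (not from the report) that correlates `Consent to application` events by non-administrators with later `MailItemsAccessed` or `FileAccessed` events from the same application. It assumes the unified audit log records have already been flattened to `time`, `operation`, `user` and `app_id` fields (the real export nests most of this inside `AuditData` JSON); the records are constructed.

```python
"""Hunt flattened M365 unified-audit-log records for consent-then-access (added example,
not the report's code). Real exports nest most fields in AuditData JSON; the flat
field names used here are assumptions and the sample records are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

CONSENT_OP = "Consent to application"
ACCESS_OPS = {"MailItemsAccessed", "FileAccessed"}
ADMINS = {"admin@example.gov"}      # assumption: the tenant's known admin accounts
WINDOW = timedelta(hours=24)        # how long after consent to look for first use

# Constructed sample records (ISO-8601 UTC times), deliberately out of order.
SAMPLE_LOG = [
    {"time": "2025-10-01T09:05:30", "operation": "MailItemsAccessed", "user": "advisor@example.gov", "app_id": "app-evil-1"},
    {"time": "2025-10-01T09:02:00", "operation": CONSENT_OP, "user": "advisor@example.gov", "app_id": "app-evil-1"},
    {"time": "2025-10-01T11:40:00", "operation": "FileAccessed", "user": "advisor@example.gov", "app_id": "app-evil-1"},
    {"time": "2025-10-01T10:00:00", "operation": CONSENT_OP, "user": "admin@example.gov", "app_id": "app-approved"},
    {"time": "2025-10-01T10:30:00", "operation": "MailItemsAccessed", "user": "someone@example.gov", "app_id": "app-approved"},
    {"time": "2025-10-02T08:00:00", "operation": CONSENT_OP, "user": "analyst@example.gov", "app_id": "app-quiet"},
]

def when(rec: Dict) -> datetime:
    return datetime.fromisoformat(rec["time"])

def hunt(log: List[Dict]) -> List[Dict]:
    """Alert on every non-admin consent whose app then touched mail or files within WINDOW.
    Admin consents are skipped because the Chapter 4 workflow already reviews them."""
    alerts = []
    for c in (r for r in log if r["operation"] == CONSENT_OP and r["user"] not in ADMINS):
        t0 = when(c)
        follow = sorted(
            (r for r in log if r["operation"] in ACCESS_OPS and r["app_id"] == c["app_id"]
             and t0 <= when(r) <= t0 + WINDOW),
            key=when,
        )
        if follow:
            alerts.append({
                "user": c["user"],
                "app_id": c["app_id"],
                "consent_time": c["time"],
                "first_access_delay_s": int((when(follow[0]) - t0).total_seconds()),
                "ops": sorted({r["operation"] for r in follow}),
            })
    return alerts
```

A consent with no follow-up access (`app-quiet` above) is not alerted but still belongs on the Chapter 4 review list; a short `first_access_delay_s` is the strongest sign that an operator was waiting on the phone for the click.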
About the Author
CyberDudeBivash is a cybersecurity strategist and researcher with over 15 years of experience tracking nation-state actors, analyzing phishing campaigns, and architecting identity security solutions. He provides strategic advisory services to CISOs and boards across the APAC region. [Last Updated: October 02, 2025]