Iranian APT “SmudgedSerpent” Phishes U.S. Policy Influencers, Raising Alarm for CISOs

What happened

A newly identified Iranian state-linked threat group, dubbed “UNK_SmudgedSerpent” by Proofpoint, carried out targeted phishing campaigns between June and August 2025 that impersonated U.S. foreign-policy experts.

The group used slight misspellings of legitimate Gmail accounts and lures offering joint research, then redirected targets to fake Microsoft 365 credential pages.

When first-phase credential theft didn’t succeed, the campaign reportedly deployed remote monitoring and management (RMM) software, an unusual tactic among Iranian threat actors.

Who is affected

Primary targets included U.S. think-tank scholars such as Suzanne Maloney (Vice President and Director, Foreign Policy Program at the Brookings Institution) and Patrick Clawson (economist and Middle East scholar).

While this campaign focused on policy wonks, the underlying TTPs (credential phishing, impersonation, and RMM installation) pose a risk to any organisation that engages with external collaborators or uses cloud productivity suites.

Why CISOs should care

  • The campaign highlights how sophisticated adversaries exploit social engineering and account impersonation in niche high-value sectors. Even if you’re outside traditional “critical infrastructure,” your organisation may still be at risk if its stakeholders are high-profile or engage internationally.
  • Attackers who deploy RMM tools broaden their impact beyond credential theft, enabling persistent access and lateral movement. This blurs the line between espionage and full compromise.
  • Attribution remains uncertain; Proofpoint notes the overlap with multiple Iranian APT groups. Without clear attribution, defenders must plan for evolving hybrid tactics rather than rely on known signatures.

3 Practical Actions for CISOs

  1. Strengthen email identity verification and impersonation defenses: Enforce DMARC, DKIM, and SPF for inbound mail, and consider anti-spoofing tools. Train staff to vet unexpected collaboration requests, especially from external addresses that slightly deviate from trusted domains.
  2. Hard-lock access to productivity suites and monitor for unusual activity: Require multifactor authentication (MFA) for all accounts (especially those with collaborator access to tools like Microsoft 365). Monitor for suspicious RMM installer execution and anomalous account logins (e.g., from new IP addresses or devices).
  3. Simulate targeted phishing campaigns and test incident response readiness: Run red-teaming or email-phishing drills that mimic high-value impersonation attacks. Ensure your security operations centre (SOC) has visibility into credential-harvest attempts and is prepared to respond to downstream RMM tool deployment.
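One way to operationalise actions 1 and 2 in the SOC, as an added example that is not from the article or from Proofpoint's research: a look-alike Gmail account is a real mailbox at a legitimate provider, so SPF, DKIM and DMARC all pass, and the useful signal is how close the sender is to an address or display name already in your trusted-contact list. The second function scans process-creation events for remote-access executables launched by users who are not approved to run them. The contact list, the RMM executable watchlist, the log line format and the user names are all constructed for this example; the article does not name the RMM tool the campaign used.

```python
"""Added example (not the article's or Proofpoint's code): flag look-alike
sender addresses and unapproved RMM executions in constructed sample data."""
import re
from email.utils import parseaddr

# Constructed address book of trusted external collaborators (assumption).
TRUSTED_CONTACTS = {
    "jane.scholar@gmail.com": "Jane Scholar",
    "policy.fellow@example.org": "Policy Fellow",
}

# Illustrative watchlist of remote-access executables (assumption; the
# article does not say which RMM product this campaign deployed).
RMM_WATCHLIST = ("anydesk", "teamviewer", "screenconnect", "atera", "splashtop")

# Constructed process-creation log lines in an assumed key=value format.
SAMPLE_PROCESS_LOG = [
    "2025-07-14T09:02:11Z host=WS-14 user=analyst1 image=C:\\Windows\\System32\\notepad.exe",
    "2025-07-14T09:05:43Z host=WS-14 user=analyst1 image=C:\\Users\\analyst1\\Downloads\\AnyDesk.exe",
    "2025-07-14T09:07:02Z host=WS-22 user=ithelpdesk image=C:\\Program Files\\TeamViewer\\TeamViewer.exe",
]

PROC_RE = re.compile(r"user=(?P<user>\S+)\s+image=(?P<image>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_CONTACTS, max_dist: int = 2):
    """Return ('known' | 'lookalike' | 'unknown', matched trusted address or None).

    A sender is a look-alike when it shares the provider domain of a trusted
    contact and its local part is within max_dist edits, or when it reuses a
    trusted contact's display name on a different address.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in trusted:
        return "known", addr
    local, _, domain = addr.partition("@")
    best = None
    for t_addr, t_name in trusted.items():
        t_local, _, t_domain = t_addr.partition("@")
        dist = levenshtein(local, t_local)
        near_address = domain == t_domain and 0 < dist <= max_dist
        reused_name = bool(name) and name.lower() == t_name.lower()
        if (near_address or reused_name) and (best is None or dist < best[1]):
            best = (t_addr, dist)
    if best is not None:
        return "lookalike", best[0]
    return "unknown", None


def flag_rmm_executions(log_lines, approved_users=frozenset()):
    """Return (user, executable) pairs for RMM launches by unapproved users."""
    hits = []
    for line in log_lines:
        match = PROC_RE.search(line)
        if not match:
            continue
        # Take the file name regardless of Windows or POSIX path separators.
        base = match.group("image").strip().lower().replace("\\", "/").rsplit("/", 1)[-1]
        user = match.group("user")
        if any(tag in base for tag in RMM_WATCHLIST) and user not in approved_users:
            hits.append((user, base))
    return hits


if __name__ == "__main__":
    for hdr in ("Jane Scholar <jane.scholar@gmail.com>",
                "Jane Scholar <jane.sch0lar@gmail.com>",
                "Someone <someone@other.net>"):
        print(hdr, "->", classify_sender(hdr))
    print(flag_rmm_executions(SAMPLE_PROCESS_LOG, approved_users=frozenset({"ithelpdesk"})))
```

The sender check deliberately ignores unknown strangers (they are routine) and concentrates on addresses one or two edits away from someone the target already trusts, which is exactly the lure shape the campaign used; a "lookalike" verdict is a reason to route the message to review rather than to block it outright. The RMM check is a starting point for an EDR or SIEM rule, not a substitute for one: pair it with application allow-listing so that an installer launched from a user's Downloads folder cannot run in the first place.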