What's happening in email security: March 23–29, 2026
Russia's FSB expanded their spear-phishing playbook to include an iOS exploit kit. In the same week, Iran-linked hackers compromised the FBI Director's personal email through a recycled password. Different actors, different targets, same gap: high-value individuals reached through channels that enterprise security doesn't cover.
Russian FSB-Linked TA446 Deploys iOS Exploit Kit via Spear-Phishing
On March 26, TA446 (also tracked as Callisto, COLDRIVER, and Star Blizzard) sent spear-phishing emails impersonating the Atlantic Council. It's a credible institutional lure for the think tank and government targets this group typically goes after. The emails directed recipients to a link delivering the DarkSword exploit kit and GHOSTBLADE dataminer. The payload only fired for recipients browsing on an iPhone.
Server-side filtering checked user-agent strings and served the exploit exclusively to iPhone browsers. Desktop browsers got a benign redirect. This isn't just evasion. It's targeting. iCloud credentials were the primary objective, and those exist on Apple devices. The filtering also means the attack chain was invisible to automated scanning tools, which typically crawl links with desktop user-agents rather than emulating a mobile browser.
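One way to surface this kind of user-agent cloaking during link analysis is to fetch the same URL under several user-agents and compare where each one lands. The script below is an added example, not code from the original write-up or from any vendor report on the campaign: it assumes a caller-supplied `fetch(url, user_agent)` callable, and the `sample_fetch` function and its responses are constructed stand-ins for a cloaking server. The `http_fetch` helper is a real urllib-based fetcher for use from an isolated analysis host; the user-agent strings are representative values, not ones taken from the page.

```python
"""Probe a suspect URL with several User-Agents and flag UA-conditional responses."""
import hashlib
import urllib.request
from typing import Callable, Dict, Set, Tuple

# Constructed set of User-Agent strings; extend with whatever your scanner normally sends.
USER_AGENTS = {
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
    "desktop_firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
    "android_chrome": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36",
}

# A fetcher takes (url, user_agent) and returns (final_url_after_redirects, status, body).
Fetcher = Callable[[str, str], Tuple[str, int, str]]


def http_fetch(url: str, user_agent: str, timeout: float = 15.0) -> Tuple[str, int, str]:
    """Real fetcher: urllib follows redirects, so geturl() is the landing page."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.status, resp.read().decode("utf-8", "replace")


def probe(url: str, fetch: Fetcher) -> Dict[str, dict]:
    """Fetch `url` once per User-Agent and record landing URL plus a body hash."""
    results: Dict[str, dict] = {}
    for name, ua in USER_AGENTS.items():
        final_url, status, body = fetch(url, ua)
        results[name] = {
            "final_url": final_url,
            "status": status,
            "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
        }
    return results


def cloaking_verdict(results: Dict[str, dict]) -> Tuple[bool, Set[str]]:
    """Return (is_cloaked, names of the User-Agents that got a minority response).

    Responses are grouped by (landing URL, body hash). More than one group means the
    server is keying content on the User-Agent; the minority group is what to detonate.
    """
    groups: Dict[Tuple[str, str], list] = {}
    for name, r in results.items():
        groups.setdefault((r["final_url"], r["body_sha256"]), []).append(name)
    if len(groups) <= 1:
        return False, set()
    majority = max(groups.values(), key=len)
    return True, {n for n in results if n not in majority}


def sample_fetch(url: str, user_agent: str) -> Tuple[str, int, str]:
    """Constructed stand-in for a cloaking server: only iPhone browsers get the second stage."""
    if "iPhone" in user_agent:
        return ("https://lure.example/stage2/", 200, "<script>/* constructed stage-2 loader */</script>")
    return ("https://www.think-tank.example/events/", 200, "<html>benign landing page</html>")


if __name__ == "__main__":
    res = probe("https://lure.example/invite", sample_fetch)
    cloaked, outliers = cloaking_verdict(res)
    print("cloaked:", cloaked, "outliers:", sorted(outliers))
```

Any link-scanning pipeline that only ever fetches with one desktop user-agent will report the benign redirect and nothing else; adding a mobile user-agent to the probe set is the cheap fix, and a divergent landing page is itself a strong signal even before the mobile payload is analysed.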
DarkSword is an iOS exploit kit that leaked from the commercial spyware market. TA446 using it marks the group's first known iOS targeting capability. Previously, their campaigns focused on credential theft through conventional phishing pages aimed at desktop email clients. Adding iOS exploit kit delivery changes the threat profile for high-value individuals who use personal iPhones for work-adjacent communications.
TA446's documented target scope covers government entities, think tanks, education institutions, finance, and legal organizations. Russian opposition politician Leonid Volkov was specifically named as a target in this campaign, consistent with the FSB's interest in tracking political opposition figures alongside Western intelligence targets.
The Atlantic Council impersonation is deliberate. It's a credible sender for policy discussion invitations, research briefings, or conference invites. Exactly the kind of email a government or think tank contact opens without hesitation.
TA446 is not a mid-tier actor. They are FSB. And they just added mobile to their spear-phishing toolkit.
Iran-Linked Hackers Breach FBI Director's Personal Email
On March 28, Handala Hack (MOIS-linked, also tracked as Banished Kitten, Red Sandstorm, and Void Manticore) confirmed they'd breached FBI Director Kash Patel's personal email account. Leaked data spans 2010–2019, with at least one 2022 email in the dump. The FBI confirmed no government systems were involved.
The reported method is credential reuse from a prior data breach. The FBI Director's personal inbox, sitting outside enterprise security controls, was compromised via a recycled password. Motivation was geopolitical retaliation for U.S. domain seizures and broader tensions with Iran.
It's a useful reminder that seniority doesn't equal security hygiene, and that personal accounts are legitimate intelligence targets regardless of what's in them.
Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Last week Microsoft disclosed a February 10 campaign that hit 29,000+ users across 10,000+ organizations in a single wave. Phishing emails delivered via Amazon SES impersonated the IRS with tax transcript lures, directing recipients to download a fake "IRS Transcript Viewer" that installed ConnectWise ScreenConnect for remote access and post-exploitation. Datto and SimpleHelp appeared as alternative RMM tools.
Amazon SES delivery is the operationally relevant detail. Filters scoring sender reputation rather than inspecting content will pass these. Financial services, tech, and retail absorbed the heaviest volume at 19%, 18%, and 15% respectively. The sending domain used was smartvault[.]im.
Silver Fox Preys on Japanese Firms with Tax-Season Spearphishing
Chinese-linked threat actor Silver Fox is targeting Japanese manufacturers and businesses with spearphishing timed to Japan's annual tax and organizational change season. Silver Fox spoofed sender fields to appear as real named employees and executives at each target organization, not generic external senders.
Lures covered tax compliance violations, salary adjustments, personnel changes, and employee stock ownership plans, all plausible topics for this time of year. Silver Fox conducted reconnaissance on targets beforehand. These weren't generic blasts. The malware delivered is ValleyRAT, enabling remote access and data theft.
Display-name and sender-field spoofing of known individuals is a harder detection problem than external brand impersonation. DMARC enforcement on the impersonated domain only helps if attackers are using that exact domain to send. Lookalike domains that authenticate independently don't trip it.
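The two detection gaps above (reputation-scored mail from a shared sending service, and display-name or lookalike-domain impersonation of known people) both come down to checking what the headers actually say rather than who delivered the message. The script below is an added example, not code from the original post or from Microsoft's or any other vendor's tooling. It assumes a constructed allowlist of protected domains and sender names, approximates DMARC relaxed alignment with a subdomain check (real DMARC compares organizational domains via the public suffix list), and uses three constructed raw messages: one modelled on the IRS lure with the page's reported sending domain and an Amazon SES envelope, one lookalike-domain executive impersonation, and one legitimate internal mail.

```python
"""Header alignment and sender-impersonation checks on raw RFC 5322 messages."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed allowlists: the domains we protect and the people attackers like to imitate.
PROTECTED_DOMAINS = {"irs.gov", "example-corp.co.jp"}
PROTECTED_NAMES = {"internal revenue service": "irs.gov", "taro yamada": "example-corp.co.jp"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dkim_domain(msg) -> str:
    """Pull the d= tag out of the first DKIM-Signature header."""
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    return m.group(1).lower() if m else ""


def aligned(a: str, b: str) -> bool:
    """Approximation of DMARC relaxed alignment: equal or one is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def skeleton(domain: str) -> str:
    """Fold common confusables so lookalikes collapse onto the domain they imitate (heuristic)."""
    return domain.replace("0", "o").replace("1", "l").replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this one imitates, or None if it is exact or unrelated."""
    if domain in PROTECTED_DOMAINS:
        return None
    s = skeleton(domain)
    for p in PROTECTED_DOMAINS:
        if s == p or edit_distance(s, p) <= 1:
            return p
    return None


def analyze(raw: str) -> Dict[str, object]:
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    rp_dom = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    dk_dom = dkim_domain(msg)
    findings: List[str] = []
    # Envelope sender (what SPF authenticates) and DKIM signer versus the visible From domain.
    if rp_dom and not aligned(rp_dom, from_dom):
        findings.append("spf_unaligned")
    if dk_dom and not aligned(dk_dom, from_dom):
        findings.append("dkim_unaligned")
    # Display name claims to be a protected sender but the address is somewhere else.
    claimed = PROTECTED_NAMES.get(display_name.strip().lower())
    if claimed and from_dom != claimed:
        findings.append(f"display_name_impersonates:{claimed}")
    # Lookalike domains authenticate fine on their own; DMARC on the real domain never sees them.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike_domain:{imitated}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "dkim_domain": dk_dom, "findings": findings}


# --- constructed samples ---
SAMPLE_IRS = """\
Return-Path: <0100018e.bounce@amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel1; h=From:To:Subject; bh=XXXX; b=YYYY
From: Internal Revenue Service <notices@smartvault.im>
To: payroll@victim.example
Subject: Your 2025 tax transcript is ready

Download the IRS Transcript Viewer to open your transcript.
"""

SAMPLE_LOOKALIKE = """\
Return-Path: <t.yamada@examp1e-corp.co.jp>
DKIM-Signature: v=1; a=rsa-sha256; d=examp1e-corp.co.jp; s=sel; h=From:To:Subject; bh=XXXX; b=YYYY
From: Taro Yamada <t.yamada@examp1e-corp.co.jp>
To: hr@example-corp.co.jp
Subject: Notice of salary adjustment

Please review the attached file.
"""

SAMPLE_LEGIT = """\
Return-Path: <t.yamada@example-corp.co.jp>
DKIM-Signature: v=1; a=rsa-sha256; d=example-corp.co.jp; s=sel; h=From:To:Subject; bh=XXXX; b=YYYY
From: Taro Yamada <t.yamada@example-corp.co.jp>
To: hr@example-corp.co.jp
Subject: Meeting notes

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("irs", SAMPLE_IRS), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw)["findings"])
```

The IRS sample passes SPF and DKIM on the SES domains, which is exactly why a reputation-only filter lets it through; the finding that matters is the unaligned, non-IRS From domain combined with a brand display name. The lookalike sample is fully aligned and authenticates cleanly, so only the name and confusable-domain checks catch it.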
Russian Hacker Sentenced to 2 Years for TA551 Botnet-Driven Ransomware Attacks
Ilya Angelov, one of the operators behind TA551, received a 2-year sentence and $100,000 fine this week. TA551 ran from 2017 to 2021 as one of the most active email-based initial access brokers, distributing malware through spam campaigns with password-protected archives and macro-enabled documents, then selling network access to ransomware affiliates. BitPaymer pulled $14.17M from 72+ U.S. companies via that access. IcedID generated over $1M more.
Two years is a light sentence for that damage scale. The fine is a rounding error relative to the extortion generated. It's still another data point in the slow grind of enforcement against malspam infrastructure operators.
- Device Code Phishing Hits 340+ Microsoft 365 Orgs Via OAuth Abuse
EvilTokens PhaaS linked to APT29 and Storm-2372 has compromised 340+ M365 organizations since February, abusing the OAuth device code flow to capture refresh tokens that survive password resets, with redirect chains running through Cisco, Trend Micro, and Mimecast services to bypass email filters.
- AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion
Adversary-in-the-middle campaigns used Cloudflare Turnstile CAPTCHA as a scanner-evasion gate before harvesting TikTok for Business credentials, with compromised accounts subsequently used to push malvertising distributing Vidar, StealC, and Aura Stealer.
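Because a refresh token obtained through the device code flow outlives a password reset, the response to the EvilTokens-style campaign above is to find the device-code sign-ins and revoke sessions, not just rotate credentials. The script below is an added example, not code from the original post or from Microsoft: it runs over constructed Entra ID sign-in records shaped like the Microsoft Graph `signIn` resource (the `authenticationProtocol` value `deviceCode` is a real field value), builds a per-user baseline from ordinary sign-ins, and flags device-code sign-ins from countries or IPs that user has never used. Tenant names, users and addresses are all constructed.

```python
"""Flag device-code sign-ins that break a user's baseline, from Entra-style sign-in records."""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed JSON-lines sample mirroring Graph signIn fields (not real tenant data).
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-03-20T08:02:11Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2026-03-21T09:15:40Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Outlook","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2026-03-24T13:47:03Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2026-03-22T07:30:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.44","location":{"countryOrRegion":"DE"},"appDisplayName":"Outlook","authenticationProtocol":"oAuth2"}
{"createdDateTime":"2026-03-25T07:31:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.44","location":{"countryOrRegion":"DE"},"appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode"}
{"createdDateTime":"2026-03-25T10:00:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.9","location":{"countryOrRegion":"DE"},"appDisplayName":"Outlook","authenticationProtocol":"oAuth2"}
"""


def load_signins(jsonl: str) -> List[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def device_code_findings(records: List[dict]) -> List[dict]:
    """Report every device-code sign-in, rated against the user's non-device-code history."""
    baseline_countries: Dict[str, Set[str]] = defaultdict(set)
    baseline_ips: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            upn = r["userPrincipalName"]
            baseline_countries[upn].add(r["location"]["countryOrRegion"])
            baseline_ips[upn].add(r["ipAddress"])

    findings: List[dict] = []
    for r in sorted(records, key=lambda x: x["createdDateTime"]):
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        reasons: List[str] = []
        if country not in baseline_countries[upn]:
            reasons.append(f"new_country:{country}")
        if r["ipAddress"] not in baseline_ips[upn]:
            reasons.append(f"new_ip:{r['ipAddress']}")
        # Device code is legitimate for CLI tools on headless hosts, so a sign-in from a known
        # location only gets a review flag; a new country is treated as probable token theft.
        severity = "high" if any(x.startswith("new_country") for x in reasons) else "review"
        findings.append({"user": upn, "time": r["createdDateTime"], "app": r.get("appDisplayName"),
                         "severity": severity, "reasons": reasons})
    return findings


def accounts_to_revoke(findings: List[dict]) -> Set[str]:
    """Users whose sessions should be revoked, since a password reset alone leaves the tokens valid."""
    return {f["user"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    found = device_code_findings(load_signins(SAMPLE_SIGNINS))
    for f in found:
        print(f["severity"], f["user"], f["app"], f["reasons"])
    print("revoke:", sorted(accounts_to_revoke(found)))
```

For the flagged accounts, Microsoft Graph `POST /users/{id}/revokeSignInSessions` invalidates the issued refresh tokens, which is the step a password reset alone does not perform; where the device code flow is not needed at all, Conditional Access can block it under the authentication flows condition.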