29 October 2020

Iranian hackers targeted “high profile” security conference attendees


Microsoft said it detected a series of cyber-attacks aimed at more than 100 high-profile potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia. The culprit behind the attacks was identified as Phosphorus (aka APT35 or Newscaster Team), an Iran-linked threat actor that typically targets U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, engineering, business services and telecommunications sectors.

APT35, which has been active since at least 2013, primarily targets individuals and entities of strategic interest to the Iranian government using phishing attacks and email compromise operations.

The attacks involved spoofed emails with invitations ostensibly sent from organizers of the Munich Security Conference, one of the main global security and policy conferences attended by heads of state, and the Think 20 Summit in Saudi Arabia, scheduled for later this month. According to Microsoft, emails were written in “nearly perfect English” and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations.

“Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering remote sessions,” Microsoft said.

In several instances the Phosphorus group managed to compromise its targets, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries. Microsoft did not go into detail about the purpose behind these attacks, saying only that “Phosphorus is engaging in these attacks for intelligence collection purposes.”

“We’ve already worked with conference organizers who have warned and will continue to warn their attendees, and we’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events,” Microsoft added.

Earlier this year, APT35 accidentally exposed 40 GB of data including video footage of themselves conducting hacking operations due to a misconfiguration of security settings on a virtual private cloud server. The video demonstrated how the hackers access compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrate other Google-hosted data from victims.
