
Weaponizing Fear: Iran Conflict-Themed Phishing Uses Fake Emergency Alerts

A recent phishing campaign exploits public anxiety regarding the Middle East conflict by distributing fake government emergency alerts. The emails use embedded QR codes to direct victims through a deceptive human verification check, ultimately landing them on a fraudulent Microsoft sign-in page designed to harvest their credentials.

Confidence: high · Analyzed: 2026-04-06

Authors: Harsh Patel

Actors: Iran Conflict-Themed Phishing Campaign

Source: Cofense

IOCs: 3

Key Takeaways

  • Threat actors are exploiting fears surrounding the Middle East conflict by impersonating government emergency alerts.
  • The campaign utilizes QR codes (Quishing) embedded in the email body to bypass traditional email security gateways.
  • Victims are routed through a fake 'human verification' page to build trust before landing on the final payload.
  • The ultimate goal is credential harvesting via a fraudulent Microsoft sign-in page.

Affected Systems

  • Microsoft Accounts
  • Email

Attack Chain

The attack begins with a phishing email impersonating a government emergency alert regarding the Iran conflict. The email contains a QR code that, when scanned by the victim, directs them to a malicious URL. The victim is first presented with a fake 'human verification' page to establish legitimacy and lower suspicion. Upon clicking the checkbox, the victim is redirected to a fraudulent Microsoft sign-in page designed to harvest their account credentials.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: None — This is a credential harvesting attack that occurs entirely within the user's web browser and does not involve executing malware or dropping files on the endpoint.
  • Network Visibility: Medium — Network proxies and DNS logs can capture the resolution and HTTP requests to the malicious domains, provided the user scans the QR code while connected to the corporate network.
  • Detection Difficulty: Moderate — The use of QR codes (Quishing) effectively bypasses traditional email link scanners, requiring OCR capabilities or user reporting to detect the malicious payload.

Required Log Sources

  • Email Gateway Logs
  • DNS Logs
  • Web Proxy Logs

Hunting Hypotheses

Each hypothesis is listed with its telemetry source, ATT&CK stage and false-positive risk.

  • Users may be receiving emails with the subject 'Public Safety Advisory - Action Recommended' originating from suspicious Australian domains.
    Telemetry: Email Gateway Logs · ATT&CK Stage: Initial Access · FP Risk: Low
  • Endpoints may be resolving or connecting to the known malicious domains sharedfilescorps.com or wivoumea.ru.
    Telemetry: DNS Logs, Web Proxy Logs · ATT&CK Stage: Execution · FP Risk: Low

Control Gaps

  • Traditional Email Link Scanning (bypassed via QR codes)

Key Behavioral Indicators

  • Emails containing QR codes combined with urgent, fear-inducing language regarding geopolitical events.
  • Web traffic to domains ending in .ru immediately following a QR code scan.
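The two hunting hypotheses above and the ".ru traffic after a QR scan" behavioral indicator can be turned into a small offline hunt. The following Python is an added example, not code from the Cofense report or from this page: the indicators (sender address, subject line, sharedfilescorps.com, wivoumea.ru) are taken from the report, while the key=value log format, the sample email-gateway and DNS records, the helper names (parse_kv, domain_matches, hunt_email, hunt_dns) and the 10-minute correlation window are all constructed assumptions. It goes slightly beyond the table by matching subdomains of the listed domains without catching look-alike names such as notsharedfilescorps.com, and by flagging any .ru resolution that follows a Stage 1/2 domain resolution from the same client.

```python
"""Hunt for the Iran conflict-themed quishing campaign in email gateway and DNS logs.

Added example. Indicators come from the report; log format, sample records,
helper names and the correlation window are constructed assumptions.
"""
import shlex
from datetime import datetime, timedelta

# Indicators from the report (re-fanged so they can be compared against logs).
SENDER_ADDRESS = "ministryofinterior-civildefensenetwork@qualitycollection.com.au"
SENDER_DOMAIN = "qualitycollection.com.au"
PHISH_SUBJECT = "Public Safety Advisory - Action Recommended"
STAGE_DOMAINS = {"sharedfilescorps.com"}   # Stage 1 infection URL and Stage 2 payload URL
LANDING_DOMAINS = {"wivoumea.ru"}          # fake human verification and Microsoft sign-in pages
KNOWN_BAD = STAGE_DOMAINS | LANDING_DOMAINS

# Constructed sample telemetry (assumed key=value format; not from the report).
EMAIL_GATEWAY_LOG = [
    'ts=2026-04-06T08:12:03Z sender="ministryofinterior-civildefensenetwork@qualitycollection.com.au" '
    'recipient="a.user@example.org" subject="Public Safety Advisory - Action Recommended" attachments=0',
    'ts=2026-04-06T08:14:10Z sender="newsletter@vendor.example" recipient="a.user@example.org" '
    'subject="Weekly digest" attachments=0',
    'ts=2026-04-06T08:20:44Z sender="alerts@qualitycollection.com.au" recipient="b.user@example.org" '
    'subject="Invoice overdue" attachments=1',
]
DNS_LOG = [
    "ts=2026-04-06T08:15:30Z client=10.1.2.3 query=ministry.sharedfilescorps.com",
    "ts=2026-04-06T08:15:31Z client=10.1.2.3 query=global.sharedfilescorps.com",
    "ts=2026-04-06T08:16:02Z client=10.1.2.3 query=wivoumea.ru",
    "ts=2026-04-06T08:30:00Z client=10.1.2.9 query=notsharedfilescorps.com",  # look-alike, must not match
    "ts=2026-04-06T09:05:12Z client=10.1.2.9 query=login.microsoftonline.com",
]


def parse_kv(line):
    """Parse a key=value log line; shlex keeps quoted values (e.g. subjects) intact."""
    rec = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def domain_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it (no substring matching)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt_email(lines):
    """Hypothesis 1: flag messages by known sender, sender domain or the reported subject line."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        sender = rec.get("sender", "").lower()
        reasons = []
        if sender == SENDER_ADDRESS:
            reasons.append("known_sender")
        elif sender.rpartition("@")[2] == SENDER_DOMAIN:
            reasons.append("sender_domain")          # same abused domain, lower confidence
        if rec.get("subject") == PHISH_SUBJECT:
            reasons.append("phish_subject")
        if reasons:
            findings.append({"ts": rec["ts"], "sender": sender, "recipient": rec.get("recipient"), "reasons": reasons})
    return findings


def hunt_dns(lines, window=timedelta(minutes=10)):
    """Hypothesis 2 plus the behavioral indicator: known-bad domains, and any .ru domain
    resolved by a client within `window` after it resolved a Stage 1/2 domain."""
    findings = []
    stage_hits = {}  # client -> time of its first Stage 1/2 domain resolution
    for line in lines:
        rec = parse_kv(line)
        host = rec["query"].lower().rstrip(".")
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        client = rec["client"]
        reasons = []
        if domain_matches(host, KNOWN_BAD):
            reasons.append("known_bad_domain")
        if domain_matches(host, STAGE_DOMAINS):
            stage_hits.setdefault(client, ts)
        elif host.endswith(".ru") and client in stage_hits and ts - stage_hits[client] <= window:
            reasons.append("ru_domain_after_stage_domain")
        if reasons:
            findings.append({"ts": rec["ts"], "client": client, "query": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_email(EMAIL_GATEWAY_LOG) + hunt_dns(DNS_LOG):
        print(f)
```

Run against real telemetry, the `reasons` field is what an analyst triages on: `known_sender` and `known_bad_domain` hits are actionable on their own, while `sender_domain` and `ru_domain_after_stage_domain` are weaker signals that should be correlated with the user's reported QR scan or mailbox search results before purging or blocking.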

False Positive Assessment

  • Low, as the provided indicators (domains, IPs, and email addresses) are highly specific to this malicious phishing campaign.

Recommendations

Immediate Mitigation

  • Block the identified IP addresses and domains at the firewall and web proxy.
  • Search mailboxes for the sender address 'ministryofinterior-civildefensenetwork@qualitycollection[.]com[.]au' and purge matching emails.

Infrastructure Hardening

  • Implement or enable Optical Character Recognition (OCR) capabilities in email security gateways to scan and analyze embedded QR codes.

User Protection

  • Enforce Multi-Factor Authentication (MFA) for all Microsoft accounts and critical applications to mitigate the impact of compromised credentials.

Security Awareness

  • Train employees to be highly suspicious of emails demanding immediate action via QR codes, especially those exploiting current events or emergencies.
  • Instruct users to verify emergency alerts through official government channels rather than scanning unknown QR codes.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1204.001 - User Execution: Malicious Link
  • T1056.002 - Input Capture: GUI Input Capture

Additional IOCs

  • Domains:
    • qualitycollection[.]com[.]au - Sender domain for the phishing emails.
    • ministry[.]sharedfilescorps[.]com - Domain used in the Stage 1 infection URL.
    • global[.]sharedfilescorps[.]com - Domain used in the Stage 2 payload URL.
    • wivoumea[.]ru - Domain hosting the fake human verification and Microsoft phishing pages.
  • URLs:
    • wivoumea[.]ru/jq89qka9r7om3?7f012787b998-226d10437801ddde40d0454e20-99743303e859fc5dcf7f6c34b60092a-befbf087b13795bd1740d341f191a/ - Full URL path observed in the screenshot for the Microsoft phishing page.
  • Other:
    • Public Safety Advisory - Action Recommended - Subject line of the phishing email.