Iranian state-sponsored threat groups such as OilRig and Charming Kitten are bypassing traditional security controls by targeting cloud identity systems with stolen employee credentials, leaving organizations exposed for extended periods. Rather than deploying obvious malware, these attackers register unauthorized devices, establish persistent command-and-control channels, and operate quietly inside Microsoft 365 environments. Security researchers have now published specific detection methods that can surface these intrusions in minutes, but most organizations have not implemented them yet.

Why Are Iranian APT Groups Targeting Cloud Identity Systems?

Cloud identity platforms such as Microsoft 365 have become the new perimeter for enterprise security. Once attackers compromise a single employee credential through phishing, they gain access to email, file storage, and the authentication system itself. Unlike traditional network breaches, cloud-based intrusions leave fewer obvious traces because the attacker is using legitimate credentials and trusted infrastructure.

APT35, also known as Charming Kitten, specializes in credential harvesting campaigns. After obtaining valid login credentials, the attackers take a patient approach. They do not immediately steal data or launch ransomware. Instead, they register new devices within the tenant, a tactic that helps them keep access even if the original password is changed and may let them pass conditional access policies that trust enrolled devices. The attacker-controlled device then looks like just another legitimate endpoint inside the environment.

APT34, known as OilRig, operates similarly but focuses on long-running espionage campaigns against government, financial, and energy organizations. Both groups rely on persistent communication with attacker-controlled infrastructure, often hosted on compromised servers or with low-cost virtual private server (VPS) providers.

What Detection Methods Can Catch These Attacks Before They Spread?
Security researchers at Vectra AI have published six specific threat hunts designed to surface Iranian APT activity within minutes. The hunts draw on network traffic analysis and cloud identity audit logs, the two places where attackers leave the earliest evidence of compromise. The detection approach focuses on three primary attack patterns:

- Command-and-Control Communication: Monitoring for network sessions in which internal systems communicate with known APT35 Pupy infrastructure. Pupy is a remote administration tool that lets attackers control compromised hosts, execute commands, and exfiltrate sensitive data. Even when the malware itself is heavily obfuscated, the command-and-control infrastructure tends to stay active long enough for its communication patterns to be detected on the network.
- Failed Device Registration Attempts: Tracking Microsoft 365 directory audit events in which device registration fails. When attackers test stolen credentials or probe tenant policies, the failed attempts still generate audit records. Repeated failures from the same IP address, or failures spanning multiple users within a single tenant, indicate reconnaissance ahead of a more targeted intrusion. Legitimate bulk enrollment (for example, a helpdesk provisioning several workstations from one address) produces a similar pattern, so baseline known enrollment sources before alerting on this hunt.
- Successful Unauthorized Device Registration: Identifying device registrations that originate from unfamiliar geographic locations or occur shortly after suspicious sign-in activity. Accounts that have never previously registered a device but suddenly do so, or accounts registering several devices within a short window, warrant immediate investigation.

Each hunt comes with a ready-to-run query that security teams can execute immediately within the Vectra AI Platform. The queries examine specific data points including source and destination IP addresses, protocol types, connection counts, user principal names, originating IP addresses, and failure reasons.
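The three patterns above, expressed as plain detection logic so a team without the Vectra platform can see what each hunt actually checks. This is an added example, not Vectra AI's own queries, and it runs over constructed, simplified records: the audit, sign-in and flow tuples, their field layout, the host names and the IP addresses are all assumptions standing in for real Microsoft 365 audit log, sign-in log and network telemetry exports, which use different field names and carry many more fields. The beaconing check flags a host that repeatedly contacts the same external IP and port at a near-constant interval; the two identity checks cluster failed registrations by source IP and tie successful registrations back to risky sign-ins and to bursts of enrollments by one account.

```python
"""Added example: the three Iranian APT hunting patterns run over constructed
sample data. Not Vectra AI's code; record layouts and values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed directory audit events for device registration (assumed layout):
# (timestamp, user principal name, source IP, result)
AUDIT = [
    ("2024-03-01T08:00:05", "a.lee@corp.example", "203.0.113.7", "failure"),
    ("2024-03-01T08:01:12", "b.chan@corp.example", "203.0.113.7", "failure"),
    ("2024-03-01T08:02:40", "c.ortiz@corp.example", "203.0.113.7", "failure"),
    ("2024-03-01T08:04:01", "d.ruiz@corp.example", "203.0.113.7", "success"),
    ("2024-03-01T09:30:00", "e.smith@corp.example", "198.51.100.20", "success"),
    ("2024-03-01T09:31:00", "e.smith@corp.example", "198.51.100.20", "success"),
    ("2024-03-02T10:00:00", "f.ng@corp.example", "192.0.2.10", "success"),
]
# Constructed sign-in events: (timestamp, user principal name, source IP, risk level)
SIGNINS = [
    ("2024-03-01T07:55:00", "d.ruiz@corp.example", "203.0.113.7", "high"),
    ("2024-03-01T09:25:00", "e.smith@corp.example", "198.51.100.20", "none"),
    ("2024-03-02T09:58:00", "f.ng@corp.example", "192.0.2.10", "none"),
]
# Constructed connection records: (timestamp, internal host, dest IP, dest port, proto).
# ws-042 calls out every ~5 minutes with small jitter; ws-017 browses irregularly.
FLOWS = (
    [(f"2024-03-01T10:{m:02d}:{s:02d}", "ws-042", "203.0.113.7", 443, "tcp")
     for m, s in [(0, 0), (5, 3), (9, 58), (15, 1), (20, 2), (24, 59), (30, 0), (35, 1)]]
    + [(f"2024-03-01T10:{m:02d}:{s:02d}", "ws-017", "198.51.100.20", 443, "tcp")
       for m, s in [(0, 0), (0, 7), (3, 40), (4, 2), (21, 15), (22, 0), (55, 30)]]
)

def _t(s):
    return datetime.fromisoformat(s)

def failed_registration_clusters(audit, min_users=3, window=timedelta(hours=1)):
    """Pattern 2: one source IP failing device registration for `min_users`
    distinct accounts inside `window` (policy probing / credential testing)."""
    by_ip = defaultdict(list)
    for t, user, ip, result in audit:
        if result == "failure":
            by_ip[ip].append((_t(t), user))
    hits = []
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):          # slide a window over the failures
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.append((ip, sorted(users)))
                break
    return hits

def registrations_after_risky_signin(audit, signins, window=timedelta(minutes=30)):
    """Pattern 3a: a successful registration within `window` after a medium or
    high risk sign-in by the same account."""
    risky = [(_t(t), u) for t, u, _, risk in signins if risk in ("medium", "high")]
    return [
        (user, ip, t)
        for t, user, ip, result in audit
        if result == "success"
        and any(u == user and timedelta(0) <= _t(t) - st <= window for st, u in risky)
    ]

def burst_registrations(audit, max_devices=1, window=timedelta(minutes=10)):
    """Pattern 3b: an account registering more than `max_devices` in `window`."""
    by_user = defaultdict(list)
    for t, user, _, result in audit:
        if result == "success":
            by_user[user].append(_t(t))
    hits = []
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n > max_devices:
                hits.append((user, n))
                break
    return hits

def find_beacons(flows, min_connections=6, max_jitter=0.2):
    """Pattern 1: a host contacting the same external IP:port at a near-constant
    interval. Jitter is the coefficient of variation of the inter-connection
    gaps; interactive traffic is bursty and scores far above `max_jitter`."""
    sessions = defaultdict(list)
    for t, src, dst, port, proto in flows:
        sessions[(src, dst, port, proto)].append(_t(t))
    hits = []
    for (src, dst, port, proto), times in sessions.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "port": port, "proto": proto,
                         "count": len(times), "interval_s": round(avg),
                         "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":  # run the four hunts over the constructed data
    for fn, args in [(find_beacons, (FLOWS,)), (failed_registration_clusters, (AUDIT,)),
                     (registrations_after_risky_signin, (AUDIT, SIGNINS)), (burst_registrations, (AUDIT,))]:
        print(fn.__name__, fn(*args))
```

The thresholds (`min_users`, `window`, `min_connections`, `max_jitter`) are starting points, not tuned values: raise `max_jitter` to catch implants that randomize their sleep, and feed `failed_registration_clusters` only events from outside your known enrollment sources so helpdesk imaging does not trip it.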
How to Hunt for Iranian APT Activity in Your Environment

- Review Sign-In Logs First: Cross-reference suspicious device registration activity with Microsoft 365 sign-in logs and risky sign-in alerts. Look for authentication events shortly before the device registration to establish a timeline of compromise.
- Validate Against Threat Intelligence: Confirm whether suspicious IP addresses belong to virtual private networks (VPNs), anonymization services, or known attacker infrastructure. Check internal allow-lists to rule out legitimate business activity before escalating.
- Investigate Related Identity Manipulation: Look for other identity manipulation events such as new authentication methods, password resets, or token creation. Attackers often chain several identity-based actions together to establish redundant access paths, so a single removed device rarely ends the intrusion.
- Monitor for Beaconing Behavior: Pay particular attention to internal hosts repeatedly communicating with the same suspicious external IP address. Connections over protocols that are unexpected for that system, or persistent recurring connections at regular intervals, may indicate command-and-control beaconing.
- Isolate and Remediate Immediately: If malicious activity is confirmed, block the infrastructure, reset the affected credentials and then revoke sessions so tokens already issued to the attacker stop working, remove the unauthorized devices from the tenant, and strip any authentication methods the attacker added. Isolate the affected endpoint for forensic investigation and remediation.

Analysts should also pivot into DNS, HTTP, SSL, and endpoint telemetry to identify related activity beyond the initial detection. Investigating the processes on the host generating the network traffic, using endpoint detection and response (EDR) tools or Sysmon, can reveal the full scope of the compromise.

What Makes These Attacks So Difficult to Detect?

Traditional security tools focus on malware signatures and known attack patterns. Iranian APT groups operate differently, and they rarely rely on a single entry point.
A typical intrusion chain begins with credential phishing or password spraying, followed by quiet persistence in cloud identity systems and outbound communication to attacker infrastructure. Network traffic and Software-as-a-Service (SaaS) identity logs often hold the earliest evidence, but most organizations do not correlate these data sources in real time.

The challenge is scale and patience. These attackers are willing to wait weeks or months before exfiltrating data, conducting espionage, or launching secondary attacks. They prioritize stealth over speed, which makes them fundamentally different from ransomware operators or financially motivated cybercriminals, and it means traditional alert-based security approaches often miss the early warning signs.

The broader cybersecurity industry is also grappling with how AI itself is being weaponized. Malwarebytes research found that one in five mobile users have been the target of a deepfake scam, and nearly as many have encountered virtual kidnapping scams, which now often use AI voice cloning. Cybercriminals are using AI to take information already leaked in past data breaches (name, email, address and more) and craft individualized emails or text messages at scale.

The Iranian APT threat, however, is a different category of risk. These are state-sponsored actors with specific intelligence objectives, not opportunistic scammers. The detection methods published by Vectra AI give security teams a concrete way to shift from reactive incident response to proactive threat hunting. Organizations that implement the six queries can identify Iranian APT activity within minutes rather than waiting for a data breach notification or a law enforcement alert.