APT42’s 2026 Spear-Phishing Campaigns Exploiting Microsoft Teams Zero-Day for Credential Harvesting in the Aerospace Sector

Executive Summary: In early 2026, the Iranian-linked advanced persistent threat (APT) group APT42 executed a series of highly targeted spear-phishing campaigns against aerospace and defense organizations worldwide. Leveraging a zero-day vulnerability in Microsoft Teams—designated CVE-2026-33662—APT42 delivered sophisticated social engineering lures to harvest user credentials and gain initial access to sensitive aerospace networks. The operation demonstrates a significant escalation in APT42’s tradecraft, combining technical exploitation with geopolitically motivated targeting. This report analyzes the campaign’s timeline, tactics, and implications for global cybersecurity.

Key Findings

• Zero-Day Exploitation: APT42 abused CVE-2026-33662 in Microsoft Teams, allowing malicious attachments or links to bypass content filtering and execute client-side code in victim environments.
• Precision Targeting: Campaigns focused on aerospace engineers, program managers, and executives at leading defense contractors and space agencies in the U.S., Europe, and Asia.
• Social Engineering Payloads: Customized phishing messages mimicked legitimate internal communications, including simulated meeting invites and file-sharing notifications.
• Credential Harvesting Infrastructure: Attackers deployed fake Microsoft 365 login portals and harvested credentials via phishing pages hosted on compromised legitimate domains.
• Geopolitical Motivation: Attribution to APT42 (also tracked as TA453 or Charming Kitten) aligns with Iran’s strategic interests in aerospace and satellite technology.
• Operational Timing: Campaigns peaked during major aerospace industry conferences (e.g., ILA Berlin, Paris Air Show) to increase likelihood of engagement.

Campaign Timeline and Delivery Mechanisms

APT42 initiated the campaign in January 2026, with a surge in activity observed in March 2026. The group exploited CVE-2026-33662—a client-side validation flaw in the Teams desktop application—to deliver malicious payloads disguised as legitimate meeting attachments or file shares. Unlike traditional phishing, the zero-day allowed Teams to render embedded HTML content without triggering security warnings, enabling seamless deception.

The attack chain began with a Teams message containing a spoofed sender identity (e.g., “@company.com” domain) or a compromised partner account. The message included a link or attachment labeled “Project Q4 Review – Confidential” or “Security Patch Notification – Action Required.” When the victim clicked, Teams rendered the content in an embedded browser frame, which silently loaded a credential-harvesting page hosted on a compromised but legitimate domain (e.g., a university or contractor site).

In some cases, APT42 used multi-stage lures: an initial benign Teams message followed by a follow-up email referencing the Teams conversation, increasing plausibility and response rates.

Technical Analysis of the Zero-Day Exploit

CVE-2026-33662 involves improper handling of contentUrl parameters in Teams deep links. By crafting a Teams URL with a malicious contentUrl that points to an attacker-controlled server, APT42 could bypass Microsoft’s Safe Links and Safe Attachments policies. The exploit triggered when the Teams client attempted to render the content in an iframe, executing arbitrary JavaScript in the context of the Microsoft 365 domain.

Researchers at Microsoft Threat Intelligence Center (MSTIC) confirmed that the flaw affected Teams versions prior to 1.7.00.34153. APT42 weaponized this within days of discovering it, indicating access to either leaked or independently developed exploit code.

The exploit chain included:

• Initial access via Teams message
• JavaScript execution to harvest session tokens or credentials
• Redirection to a fake O365 login page mimicking the victim’s organization
• Exfiltration of credentials via HTTPS POST to attacker-controlled infrastructure

Targeting and Sector Impact

Aerospace and defense organizations were selected based on strategic importance to Iran’s aerospace ambitions, including satellite launch capabilities, drone technology, and dual-use aviation systems. Specific targets included:

• Major U.S. defense contractors (e.g., Lockheed Martin, Boeing Defense)
• European aerospace firms (e.g., Airbus Defence & Space)
• Space agencies and research institutions
• Tier-2 suppliers and subcontractors with access to sensitive programs

The campaign coincided with heightened tensions over Iran’s satellite program and nuclear negotiations, suggesting a state-sponsored intelligence-gathering mission rather than destructive intent. However, credential access could enable future supply-chain attacks or data exfiltration.

Attribution and APT42 Tradecraft

APT42, assessed with high confidence to be operated by Iran’s Islamic Revolutionary Guard Corps (IRGC), has a history of using social engineering and credential phishing to support espionage. The group is known for:

• Long-term persistence in compromised networks
• Use of legitimate tools (e.g., Microsoft 365, Teams, VPNs)
• Leveraging compromised accounts to move laterally

This campaign reflects a maturation in tradecraft, moving beyond basic phishing to exploit a zero-day in a widely used collaboration platform—indicating access to advanced capabilities or acquisition of exploit code from third parties.

Defensive Measures and Mitigations

Organizations in the aerospace sector must adopt a zero-trust posture to counter APT42-style attacks:

Immediate Actions

• Upgrade Microsoft Teams to the latest version and enable automatic updates.
• Disable embedded browser rendering in Teams for external messages.
• Implement multi-factor authentication (MFA) for all cloud services, with phishing-resistant methods (e.g., FIDO2, hardware tokens).
• Enforce conditional access policies to block logins from anomalous locations or devices.
• Monitor for Teams messages containing suspicious URLs or attachments using AI-driven email security platforms.

Long-Term Strategies

• Conduct regular red-team exercises simulating APT42 TTPs.
• Deploy endpoint detection and response (EDR) solutions with behavioral analytics to detect anomalous Teams client behavior.
• Establish a dedicated threat intelligence fusion center to track APT42 IOCs and TTPs.
• Educate employees on recognizing hybrid phishing lures that combine Teams, email, and chat platforms.

Recommendations for Aerospace and Defense Organizations

• Adopt a "Never Trust, Always Verify" Model: Treat all Teams messages from external or unverified sources as potentially malicious.
• Implement Message-level Encryption: Use end-to-end encryption for sensitive communications to reduce reliance on platform-level security.
• Isolate Collaboration Tools: Segment Teams and other collaboration platforms from critical engineering networks.
• Conduct Threat Hunting: Proactively search for signs of credential harvesting, such as failed login attempts or unusual OAuth token usage.
• Engage with Threat Intelligence Providers: Subscribe to feeds that include real-time APT42 IOCs and behavioral patterns.

Conclusion

APT42’s 2026 spear-phishing campaigns represent a new frontier in state-sponsored cyber espionage, exploiting a zero-day in Microsoft Teams to target the aerospace sector. The operation underscores the increasing convergence of geopolitics and cyber operations, with nation-state actors leveraging collaboration tools as vectors for credential harvesting. As APT groups evolve their tactics, organizations must prioritize zero-trust architecture, continuous monitoring, and rapid patching cycles to mitigate risk.

Microsoft released a patch for CVE-2026-33662 on March 12, 2026, following coordinated disclosure by MSTIC and industry partners. While this mitigates the immediate threat, the broader lesson is clear: in the age of AI-driven