Initial access techniques used by Iran-based threat actors
ID: ef8bff8c-b656-51bd-a22b-0a522993fe37
STIX ID: report--ef8bff8c-b656-51bd-a22b-0a522993fe37
Feed Name: Sophos Blogs
This CTU analysis summarizes the preferred initial-access techniques used by Iranian-linked threat actors since 2020—spearphishing (attachments, links, third-party services), exploitation of public-facing applications (e.g., Fortinet, Exchange, VMware/Log4Shell), password spraying and cloud account takeover, abuse of legitimate RMM tools, use of external remote services (VPN/RDP), and exploitation of default/weak credentials—mapping each to MITRE ATT&CK IDs and offering defensive recommendations such as phishing-resistant MFA, prompt patching, credential hygiene, and monitoring for anomalous authentication.
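The summary above pairs password spraying and cloud account takeover with the recommendation to monitor for anomalous authentication. The following Python script is an added example, not code from the CTU report or from this feed, showing what that monitoring can look like in practice: it runs over constructed sign-in events (the field names ts, user, src_ip and result, the 10-minute window and the thresholds are assumptions, not something the report specifies), flags a source IP that fails against many distinct accounts while staying under a typical lockout count, and then reports any account that source IP successfully signed into after the spray began. The ATT&CK mapping used in the finding, T1110.003 for password spraying, is the standard sub-technique ID.

```python
"""Password-spray detection over sign-in logs (added example, constructed data).

A spray looks different from a brute force: one source hits MANY accounts with
FEW attempts each, so per-account lockout thresholds are never reached.  The
detector therefore keys on distinct users per source IP inside a time window,
then correlates later successes from that IP as likely account takeovers.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real logs).  Field names are assumptions that
# mirror what cloud identity providers typically record.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:00", "user": "heidi", "src_ip": "192.0.2.9",     "result": "success"}
{"ts": "2024-03-01T09:00:10", "user": "alice", "src_ip": "203.0.113.7",   "result": "failure"}
{"ts": "2024-03-01T09:00:40", "user": "bob",   "src_ip": "203.0.113.7",   "result": "failure"}
{"ts": "2024-03-01T09:01:00", "user": "grace", "src_ip": "198.51.100.20", "result": "failure"}
{"ts": "2024-03-01T09:01:15", "user": "carol", "src_ip": "203.0.113.7",   "result": "failure"}
{"ts": "2024-03-01T09:01:30", "user": "grace", "src_ip": "198.51.100.20", "result": "failure"}
{"ts": "2024-03-01T09:02:00", "user": "dave",  "src_ip": "203.0.113.7",   "result": "failure"}
{"ts": "2024-03-01T09:02:20", "user": "grace", "src_ip": "198.51.100.20", "result": "failure"}
{"ts": "2024-03-01T09:02:45", "user": "erin",  "src_ip": "203.0.113.7",   "result": "failure"}
{"ts": "2024-03-01T09:03:00", "user": "grace", "src_ip": "198.51.100.20", "result": "failure"}
{"ts": "2024-03-01T09:03:30", "user": "frank", "src_ip": "203.0.113.7",   "result": "failure"}
{"ts": "2024-03-01T09:04:00", "user": "grace", "src_ip": "198.51.100.20", "result": "success"}
{"ts": "2024-03-01T09:07:00", "user": "erin",  "src_ip": "203.0.113.7",   "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_distinct_users=5, max_per_user=3):
    """Return one finding per source IP whose failures match a spray pattern.

    Thresholds are assumptions for illustration: at least `min_distinct_users`
    accounts failed from the same IP within `window`, with no single account
    tried more than `max_per_user` times (i.e. the attacker stays under lockout).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        bucket = failures if e["result"] == "failure" else successes
        bucket[e["src_ip"]].append(e)

    findings = []
    for ip, fails in failures.items():
        best = None  # (window start, per-user attempt counts) for the widest spray
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] all fall within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_per_user):
                if best is None or len(per_user) > len(best[1]):
                    best = (fails[start]["ts"], per_user)
        if best is None:
            continue
        spray_start, per_user = best
        # Any success from the spraying IP after the spray began is a likely
        # account takeover and the first thing an analyst should look at.
        compromised = sorted({s["user"] for s in successes.get(ip, [])
                              if s["ts"] >= spray_start})
        findings.append({
            "src_ip": ip,
            "technique": "T1110.003",  # ATT&CK: Brute Force: Password Spraying
            "distinct_users": len(per_user),
            "spray_start": spray_start.isoformat(),
            "successes_after_spray": compromised,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed data, 203.0.113.7 is flagged (six accounts, one attempt each, followed by a success on erin), while 198.51.100.20 is not: four failures against a single account followed by a success is a user mistyping a password, not a spray, and a lockout-style rule would catch it if wanted. Tune the window and thresholds to the tenant's lockout policy, and run the same logic per source ASN rather than per IP when the spray is distributed across a proxy pool.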
