In summer and fall of 2017, we observed Pawn Storm targeting several organizations with credential phishing and spear phishing attacks. We can often closely relate current and old Pawn Storm campaigns using data that spans more than four years, possibly because the actors in the group follow a script when setting up an attack. The screenshots below show two typical credential phishing emails that targeted specific organizations in October and November 2017. A sample of a credential phishing email Pawn Storm sent in October and November 2017 Second type of credential phishing email that was sent by Pawn Storm in November 2017. In the week of the 2017 presidential elections in Iran, Pawn Storm set up a phishing site targeting chmail.ir webmail users.