Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks

2019-08-21 Anomali

https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks


Anomali identified a suspected North Korean cyber-espionage phishing campaign after finding a fake login page for a portal of the French Ministry for Europe and Foreign Affairs. Pivoting on the hosting infrastructure revealed a broader campaign targeting three foreign-ministry agencies, Stanford University, RUSI, the Congressional Research Service, United Nations-related entities, and several email service providers. The credential-harvesting domains included doc-view.work and web-line.work, with subdomains impersonating diplomatic portals, secure email services, Gmail, Yahoo, Outlook, OneDrive and other online services. Anomali reported overlaps with known North Korean actors in shared domains and hosting, and identified a likely victim involved in sanctions and North Korea-related diplomatic work. The activity matters because it shows credential-theft infrastructure aimed squarely at organizations doing foreign-policy, research, diplomacy and sanctions work.

Indicators of Compromise

Type    Value                   First Seen   Last Seen
DOMAIN  rive.storage.com        2019-08-21   2019-08-21
DOMAIN  accounts.lives.com      2019-08-21   2019-08-21
DOMAIN  account.googlie.com     2019-08-21   2019-08-21
DOMAIN  onu.delegfrance.org     2019-08-21   2019-08-21
DOMAIN  accounts.outlooks.com   2019-08-21   2019-08-21
DOMAIN  delegefrance.org        2019-08-21   2019-08-21
DOMAIN  brica.de                2019-08-21   2019-08-21
DOMAIN  drive.storage.com       2019-08-21   2019-08-21
DOMAIN  login.ymail.com         2019-08-21   2019-08-21
IPv4    157.7.184.15            2019-08-21   2019-08-21

Most of these are look-alikes of legitimate service domains (googlie.com for google.com, outlooks.com for outlook.com, lives.com for live.com, delegefrance.org for delegfrance.org). Two entries, onu.delegfrance.org and login.ymail.com, appear to be domains the impersonated organizations themselves use rather than attacker infrastructure, so verify each indicator against the original report before adding it to a blocklist.
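As an added example (Python written for this page, not code from the Anomali report), the script below screens DNS query logs against the IOC list above in two ways: exact or subdomain matches on the listed domains and IP, and an edit-distance check that flags new look-alikes of the brands these domains imitate, so a fresh typosquat that is not yet on the list still surfaces. The log lines are constructed, and the list of legitimate brand domains is an assumption drawn from the naming pattern of the IOCs.

```python
"""Screen DNS query logs against the IOC list above.

Added example, not code from the Anomali report. SAMPLE_LOG is constructed
and LEGIT_DOMAINS is an assumption inferred from the IOC naming pattern.
"""

# IOC domains from the table, longest first so the most specific match wins.
IOC_DOMAINS = sorted({
    "rive.storage.com", "accounts.lives.com", "account.googlie.com",
    "onu.delegfrance.org", "accounts.outlooks.com", "delegefrance.org",
    "brica.de", "drive.storage.com", "login.ymail.com",
}, key=len, reverse=True)
IOC_IPS = {"157.7.184.15"}

# Assumption: legitimate domains the IOCs imitate. delegfrance.org is the real
# French UN mission domain that delegefrance.org mimics; the IOC table also
# lists onu.delegfrance.org, so that entry deserves a second look before blocking.
LEGIT_DOMAINS = sorted({"google.com", "outlook.com", "live.com",
                        "yahoo.com", "delegfrance.org"})


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def ioc_match(host):
    """Return the IOC domain that host equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def lookalike(host, max_dist=1):
    """Return (brand, distance) if the registrable domain is a near-miss of a brand."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None            # the real service, not an imitation
    best = min(LEGIT_DOMAINS, key=lambda b: levenshtein(reg, b))
    dist = levenshtein(reg, best)
    return (best, dist) if dist <= max_dist else None


def scan(log_text):
    """One hit per matching line as (queried name, kind, detail).

    Expected line format (constructed): <timestamp> <client> <qname> <answer>.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, _client, qname, answer = fields
        ioc = ioc_match(qname)
        if ioc:
            hits.append((qname, "ioc-domain", ioc))
            continue
        if answer in IOC_IPS:
            hits.append((qname, "ioc-ip", answer))
            continue
        near = lookalike(qname)
        if near:
            hits.append((qname, "lookalike", f"{near[0]} (edit distance {near[1]})"))
    return hits


# Constructed DNS log: client queries with the resolved answer (TEST-NET ranges
# except for the IOC address on the last two lines).
SAMPLE_LOG = """\
2019-08-21T09:12:01Z 10.0.0.14 mail.delegefrance.org 203.0.113.7
2019-08-21T09:12:05Z 10.0.0.14 account.googlie.com 203.0.113.7
2019-08-21T09:13:40Z 10.0.0.22 accounts.google.com 203.0.113.50
2019-08-21T09:14:02Z 10.0.0.31 login.outlokk.com 198.51.100.9
2019-08-21T09:15:11Z 10.0.0.31 brica.de 157.7.184.15
2019-08-21T09:16:30Z 10.0.0.40 cdn.example.net 157.7.184.15
"""

if __name__ == "__main__":
    for qname, kind, detail in scan(SAMPLE_LOG):
        print(f"{kind:<11} {qname:<24} {detail}")
```

The suffix match matters because the report describes subdomains hung off the harvesting domains, so a plain string-equality check against the list would miss hosts like mail.delegefrance.org. The edit-distance pass is deliberately strict (one edit against a short brand list) to keep false positives down; widen it only with a public-suffix-aware registrable-domain function, since the two-label heuristic here misfires on names under co.uk-style suffixes.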
