Today there has been a new interesting development. A number of Iranians reported they are being informed by Google that "Government-backed attackers may be trying to steal your password". Below screenshot is sent to me by a friend reporting the same from Canada:
This is a familiar alert for us, but what is interesting is the possible attack vector: users inside Iran aside, the users who got this alert outside the country all had Iranian mobile numbers assigned in their Google accounts as backup / recovery number.
This means as suspected earlier, SMS interception in Iranian mobile operators is being used for resetting the password of Iranian users.