SOC Incident Toolkit
Operation Epic Fury : Iran vs. Israel & US Cyber War


Tags: Iran conflict, US–Israel Conflict, Cyber Warfare

On February 28, 2026, the United States and Israel launched Operation Epic Fury, a coordinated military and cyber campaign targeting Iran's military command, missile infrastructure, and senior IRGC leadership. The operation triggered an unprecedented, multi-vector cyber conflict spanning 22+ countries and involving Iranian state-sponsored APT groups, pro-Iranian hacktivist coalitions, and Russian-aligned threat actors.

Indicators of Compromise

Domains (623)

alwtania2.comalwatanniya.comdallmonfish.comtgsprem.online6b4s.popmonster.rudelmoon5.comproxy5.signalplus.orgtameeeny.comzain-kw.protamcar.proupdate.usproxy1.signalplus.orgsvans.onlineel-watnneya.comvib2.mytexno.comuptime-timezone.dns-dynamic.neviliam.ude-final.onlinewwindows.datawww.atomicmatryoshka.comproxy6.signalplus.org+603 more

Hashes (2678)

158f85554fe9f198070cee766c610aa0e5efca663816c7f9e7b24692e8d90be710223fe7865a861242a50f2d431ec44236f320d94f3cd9296f6ff3fcfa1124570426f65ea5bcff9e0dc48e236bbec293380ccc43c53470eb1bc24d7e2a9da1d96f6beea00781390821fe76ab50f93aa41bec64fb9082f142c48dde73885e7ca75bad1121fb77e7f23fbf3ce1a9b452421970810bd6b6b37afe5520783f715549cc3c4df9deaf89bfc79d85d0b9175cb86ce032543fe6b0d578e4975dc56e62226f4c56850efb452b9d6c79c0b395cceb83662aa3f7ed01236144:/f5ry+5qfrtatbpsqp50rr6shbtciroh1l46kil:/9bq1atlfpymszboua31166a45d5fda928a1f5d92b60a317282528a98504df60dd570fa7d6ad38f5316646a125505b1bbf7f2c484a879660b2767b21ae591b79219b19cd24f85efbf1ecc802360bdd2ab2a153df1d841552a6889acf01f974d7634103536e524a41a79046785ca7ae3d6+2658 more

IPv4 (219)

5.106.153.24595.179.207.105182.42.110.255194.61.120.185183.134.59.131146.19.254.23891.92.243.10289.116.111.143172.121.129.9045.142.212.201180.153.236.35180.153.236.48128.199.237.132109.125.132.66185.177.72.1137.255.251.1762.106.66.11231.57.35.223194.11.246.101180.153.236.12+199 more

APT Groups

Z-Pentest (IR)
APT-IRAN (IR)
Team Fearless (IR)
Morning Star (RU)
Islamic Hacker Army (IR)
DarkStorm Team (no country listed)
NoName057 (RU)
APT42 (IR)
Fox Kitten (IR)
Professor6T9 (no country listed)
Cyber Av3ngers (IR)
PalachPro (RU)
Tortoiseshell (IR)
313 Team (IR)
CHRYSENE (IR)
HackHax (RU)
SYLHET GANG-SG (BD)
APT39 (IR)
MAGNALLIUM (IR)
Nation Of Saviors (NOS) (BD)
AnonymousBsns (France)
MuddyWater (IR)
Keymous+ (DZ)
Moroccan Black Cyber Army (MA)
Babayo Error System (ID)
RipperSec (MY)
DieNet (IR)

Notes

Conclusion

Sixty-nine days into Operation Epic Fury, the Iran–US–Israel cyber conflict has far exceeded initial scope projections. What began as a bilateral military campaign has become a 54-country, 1,583-claim, multi-actor cyber war involving state APTs, MOIS-linked hacktivists, Russian-aligned groups, Southeast Asian coalitions, and now a counter-coalition of pro-Israeli actors across the Philippines, India, and Kurdish territories.

Four findings define the current threat landscape for security teams:

- Pre-positioned access is the primary strategic threat. MuddyWater's March 6 backdoor activation proves the model: compromise during peacetime, activate during crisis. This is not a vulnerability to patch; it is a posture to continuously hunt against. Every organization connected to any supply chain touching the conflict zone must treat its environment as potentially already hosting dormant access.
- ICS/OT is no longer a future risk; it is a present one. Water treatment systems in the United States and South Korea, grain silos in Israel, and air-raid siren systems have all been the subject of technically credible access claims with video proof in this conflict. The ICS threat model must be updated immediately: the question is not "could an adversary access this?" but "what is our response when they demonstrate it tomorrow?"
- The IRGC's April 1 tech company designation is a strategic escalation signal. Formally naming Apple, Microsoft, Google, Meta, Nvidia, Boeing, and 12 other major US companies as military targets is unprecedented. The downstream risk extends to every organization in the supply chain, customer base, or partner ecosystem of these companies.
- Handala is an intelligence and destruction engine operating at nation-state tempo. In 69 days it has breached an air defense C2 designer, doxxed a former intelligence chief with 14GB of documents, wiped 22TB of data, and breached the FBI Director's personal communications. Despite an FBI domain seizure and the killing of its MOIS handler, it has accelerated rather than slowed. Organizations should monitor Handala's Telegram pre-announcements as a leading indicator of the next major operation.

This campaign remains active with no de-escalation in sight as of May 7, 2026. IOC blocklists should be refreshed weekly. The SOCRadar Iran-Israel Cyber Conflict Dashboard provides real-time updates. Incident response plans should be tested and ready, particularly for wiper scenarios, ICS breach, and mass MDM device wipe contingencies.

Mitigation

Mitigation Recommendations

Threat Hunt for Pre-Planted Backdoors (Immediate Priority)

Given MuddyWater's confirmed pre-planted backdoor strategy, every organization with exposure to Middle Eastern operations, US government supply chains, or defense-adjacent work should treat its environment as potentially already compromised.

- Enable PowerShell ScriptBlock logging (Event ID 4104) immediately if it is not already active; MuddyWater loaders will be visible in this log.
- Hunt registry Run keys and scheduled tasks created in the last 90–180 days that masquerade as system services.
- Monitor all outbound connections from server processes to OneDrive, Dropbox, and Google Drive; flag them as anomalous.
- Deploy Sigma rule 7.1 in the SIEM at HIGH priority; any hit requires immediate escalation.
- Run YARA rule 6.2 against all Windows servers in production environments.

ICS/OT Emergency Actions

Given the escalating credibility of ICS access claims (water treatment in the US and South Korea, silo control in Israel, air-raid sirens in Israel), treat OT exposure as an active, not theoretical, threat.

- Immediately verify that no ICS/SCADA HMI panels are reachable from the public internet; use Shodan/Censys to check your own ASN.
- Block all inbound traffic on Modbus (502), S7comm (102), DNP3 (20000), and EtherNet/IP (44818) from non-authorized sources at the perimeter firewall.
- Deploy Sigma rule 7.5 in your OT network monitoring infrastructure.
- Implement one-way data diodes for all OT-to-IT data flows; remove bidirectional links where possible.
- Review and revoke all remote access paths to engineering workstations and HMI panels; require VPN + MFA for any authorized remote OT access.

Microsoft Intune & MDM Security (Anti-Wiper)

Handala's Stryker attack abused Microsoft Intune to wipe 200,000+ devices. This attack vector requires specific mitigations distinct from traditional endpoint security.

- Enforce Conditional Access policies restricting Intune admin operations to named IP ranges and MFA-verified sessions.
- Implement approval workflows for bulk device wipe operations; single-admin authorization is insufficient.
- Deploy Sigma rule 7.2: alert on any Intune wipe operation count >50 within 1 hour.
- Audit all Intune admin accounts immediately; remove unused or excessive permissions.
- Enable Intune audit logging and route it to the SIEM.

DDoS Resilience (Scaled to 1,583+ Claims)

- Engage a CDN/DDoS scrubbing provider (Cloudflare, Akamai, AWS Shield Advanced) for all public-facing infrastructure.
- Configure rate limiting at the application layer: block IPs generating >100 requests/min on government and utility portals.
- Enable geo-based rate limiting for high-risk origin countries (Russia, Iran, Indonesia, Bangladesh, Malaysia).
- Ensure BGP failover routes are configured and tested; telecom and transit infrastructure has been targeted.
- For organizations named in the IRGC's April 1 designation: escalate DDoS preparedness to maximum posture immediately.

Credential & Access Hardening

- Force immediate password resets for all privileged accounts; assume credential exposure from the 8.3M Israeli voter records, 300K Ministry of Education records, lawyers' databases, and ongoing leaks.
- Enforce MFA on all VPN, OWA, SharePoint, cloud console, and Intune admin access; mandatory, no exceptions.
- Disable legacy authentication protocols; implement Conditional Access blocking basic auth.
- Audit all OAuth grants and service account permissions in Azure AD / Google Workspace; revoke unauthorized third-party app access.

Threat Intelligence Monitoring

- Block all IOCs from Section 5 at firewall, DNS, proxy, and EDR within 24 hours; the IOC list is live and growing.
- Monitor the SOCRadar Iran-Israel Cyber Conflict Dashboard daily: https://socradar.io/iran-israel-cyber-conflict-dashboard/
- Track Handala Telegram channels for pre-announcement posts; Handala typically signals major operations 12–24 hours in advance.
- Subscribe to IRGC-linked threat actor feeds; the April 1 tech company designation signals a shift to higher-value targets.
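The second item in the pre-planted backdoor hunt above (Run keys and scheduled tasks created in the last 90–180 days that masquerade as system services) is easy to state and tedious to do by eye across a fleet. The script below is an added example written for this page, not SOCRadar's code or the toolkit's Sigma/YARA content: it takes an exported persistence inventory and keeps only entries that are both inside the hunt window and show one of three masquerading traits (system-sounding name with a binary outside system or Program Files directories, a script host launched with hidden/encoded/bypass flags, or a binary in a user-writable path). The inventory rows, dates and paths are constructed for the demonstration; on a real host you would export Run keys and scheduled tasks (for example with reg query and schtasks /query /v /fo CSV) and load them into the same shape.

```python
"""Persistence triage for the Run-key / scheduled-task hunt above.

Added example, not the toolkit's code. All inventory rows below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Where a genuine service or vendor binary is expected to live.
SYSTEM_DIRS = (
    "c:\\windows\\system32", "c:\\windows\\syswow64",
    "c:\\program files",   # prefix also covers "c:\\program files (x86)"
)
# Path fragments any local user can write to: a poor home for a "system service".
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")
# Words chosen to make an entry look like part of Windows.
LOOKALIKE = re.compile(r"windows|microsoft|update|defender|security|health|svc|service", re.I)
# Script hosts and launch flags that a real service entry almost never combines.
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
SUSPECT_FLAGS = re.compile(r"-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|-nop\b|-noni\b|bypass", re.I)


@dataclass
class Entry:
    kind: str             # "runkey" or "task"
    name: str
    command: str
    created: datetime
    reasons: list[str] = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the lower-cased program path from a command line, honouring a quoted path."""
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return (c[1:end] if end > 0 else c[1:]).lower()
    return (c.split()[0] if c.split() else "").lower()


def triage(entries, now, max_age_days=180):
    """Return entries created within the hunt window that show masquerading traits."""
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for e in entries:
        if e.created < cutoff:
            continue                      # older than the window the recommendation names
        exe = executable_of(e.command)
        reasons = []
        if LOOKALIKE.search(e.name) and not exe.startswith(SYSTEM_DIRS):
            reasons.append("system-sounding name, binary not under a system or Program Files directory")
        if SCRIPT_HOST.search(e.command) and SUSPECT_FLAGS.search(e.command):
            reasons.append("script host launched with hidden/encoded/bypass flags")
        if any(frag in exe for frag in USER_WRITABLE):
            reasons.append("binary in a user-writable location")
        if reasons:
            e.reasons = reasons
            flagged.append(e)
    return flagged


# Constructed inventory: a legitimate vendor task, an old per-user Run entry,
# and two lookalikes of the kind the hunt is meant to surface.
SAMPLE_NOW = datetime(2026, 5, 7)
SAMPLE_ENTRIES = [
    Entry("task", "MicrosoftEdgeUpdateTaskMachineCore",
          '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" /c',
          SAMPLE_NOW - timedelta(days=30)),
    Entry("runkey", "WindowsDefenderHealth",
          "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",   # placeholder payload
          SAMPLE_NOW - timedelta(days=45)),
    Entry("task", "SecurityHealthSvc",
          '"C:\\Users\\Public\\Libraries\\svchost.exe"',
          SAMPLE_NOW - timedelta(days=120)),
    Entry("runkey", "OneDrive",
          '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
          SAMPLE_NOW - timedelta(days=400)),   # outside the 180-day window
]


def run_sample():
    """Triage the constructed inventory; returns {name: reasons} for flagged entries."""
    return {e.name: e.reasons for e in triage(SAMPLE_ENTRIES, SAMPLE_NOW)}


if __name__ == "__main__":
    for name, why in run_sample().items():
        print(f"{name}: {'; '.join(why)}")
```

Treat the output as a triage queue rather than a verdict: per-user Run entries under AppData (OneDrive, Teams, browser updaters) are common and will trip the user-writable check when they fall inside the window, so the creation date and the actual binary hash are what decide escalation. The same three checks apply unchanged to the ScriptBlock (4104) feed once that logging is enabled, since an encoded loader shows up there before it ever lands in a Run key.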
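Two of the thresholds above are the same detection in different clothes: "alert on any Intune wipe operation count >50 within 1 hour" (the Sigma 7.2 item) and "block IPs generating >100 requests/min" (the application-layer rate limit). Both are a sliding-window count, globally for the wipe case and per source IP for the rate limit. The block below is an added example, not the toolkit's Sigma rule or any vendor's implementation; it generalizes the two bullets into one windowed counter and runs it over two constructed feeds. The Intune audit record shape (time/operation/actor) is an assumption for the demonstration, not the real Intune audit schema, and the access-log lines are generated in the script.

```python
"""Sliding-window threshold detection for the Intune wipe and rate-limit items above.

Added example, not the toolkit's code. Both feeds are constructed in this file.
"""
from __future__ import annotations

import re
from collections import deque
from datetime import datetime, timedelta


def detect_bursts(events, threshold, window, key=lambda e: "all", when=lambda e: e):
    """Count events per key inside a sliding window of length `window`.

    Returns {key: (window_start, breach_time, count)} for each key whose count
    first exceeds `threshold` (strictly greater, matching the ">50" / ">100"
    wording of the recommendations). One alert per key; O(n) with a deque.
    """
    recent, breaches = {}, {}
    for ev in sorted(events, key=when):
        k, ts = key(ev), when(ev)
        if k in breaches:
            continue
        q = recent.setdefault(k, deque())
        q.append(ts)
        while ts - q[0] >= window:        # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            breaches[k] = (q[0], ts, len(q))
    return breaches


# ---- Intune audit feed (constructed): 60 wipes in 30 minutes by one admin,
# plus routine operations spread over the day that should not alert.
T0 = datetime(2026, 5, 7, 10, 0, 0)
INTUNE_AUDIT = (
    [{"time": T0 + timedelta(seconds=30 * i), "operation": "Wipe", "actor": "helpdesk-admin@example.com"}
     for i in range(60)]
    + [{"time": datetime(2026, 5, 7, h, 0, 0), "operation": "Wipe", "actor": "it-ops@example.com"}
       for h in (0, 2, 4, 6, 8)]
    + [{"time": datetime(2026, 5, 7, 9, 15, 0), "operation": "Retire", "actor": "it-ops@example.com"}]
)


def intune_wipe_alerts(audit, threshold=50, window=timedelta(hours=1)):
    """The Sigma-7.2-style check: more than `threshold` wipes inside any `window`."""
    wipes = [e for e in audit if e["operation"] == "Wipe"]
    return detect_bursts(wipes, threshold, window, when=lambda e: e["time"])


# ---- Access log (constructed, Apache/nginx combined format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "time": ts, "request": m["req"], "status": int(m["status"])}


def _line(ip, ts, path="/login"):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "GET {path} HTTP/1.1" 200 512'


# 203.0.113.7 sends 5 requests/s for 30 s (150 total), 192.0.2.9 sends exactly
# 100 inside one minute (the boundary: not blocked), 198.51.100.23 browses normally.
T1 = datetime(2026, 5, 7, 10, 0, 0)
ACCESS_LOG = (
    [_line("203.0.113.7", T1 + timedelta(seconds=i // 5)) for i in range(150)]
    + [_line("192.0.2.9", T1 + timedelta(seconds=i // 2), "/portal") for i in range(100)]
    + [_line("198.51.100.23", T1 + timedelta(seconds=5 * i), "/news") for i in range(20)]
    + ["malformed line that the parser must skip"]
)


def rate_limit_offenders(lines, threshold=100, window=timedelta(minutes=1)):
    """Per-source-IP application-layer check from the recommendations (>100 req/min)."""
    hits = [h for h in map(parse_access_line, lines) if h]
    return detect_bursts(hits, threshold, window, key=lambda h: h["ip"], when=lambda h: h["time"])


if __name__ == "__main__":
    print("Intune:", intune_wipe_alerts(INTUNE_AUDIT))
    print("Rate limit:", rate_limit_offenders(ACCESS_LOG))
```

The window is half-open (an event exactly one window after the oldest pushes the oldest out), and the check is strictly greater than the threshold, so the 100-request IP stays unblocked while the 101st request from the flooding IP is the one that trips the rule. For the wipe case, keying by actor instead of the default global key is a one-argument change and is worth running alongside the global count, because the approval-workflow recommendation above assumes you can name the account that issued the burst.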