Geopolitical events often influence the global cyber threat landscape. In recent weeks, security researchers and government agencies have been closely monitoring emerging cyber activity originating from Iran following renewed regional conflict. While overall activity levels remain moderate, historical patterns suggest that threat activity can escalate quickly as conditions evolve.
As part of our ongoing commitment to transparency and proactive defense, this bulletin outlines how Guardian 365 is responding—and what our customers should know.
How Guardian 365 Identifies and Responds to Emerging Threats
The Guardian 365 IOC Feed combines real‑time telemetry from our Security Operations Center (SOC) with verified intelligence from government advisories, trusted cybersecurity vendors, and established threat intelligence networks. This approach allows us to validate and operationalize indicators of compromise (IOCs) associated with both emerging campaigns and historically observed threat activity.
Rather than reacting after incidents occur, Guardian 365 focuses on early detection and preventative control, particularly when threat actors are known to reuse infrastructure across campaigns.
Customers who have opted into the Guardian 365 IOC Feed receive these protections automatically, with enforcement orchestrated through Inforcer.
Threat Overview: Iranian-Aligned Cyber Activity
Iranian cyber operators have a long history of increasing activity during periods of geopolitical tension. These campaigns often involve a mix of nation‑state actors, affiliated hacktivist groups, and aligned threat collectives.
Current activity remains relatively limited, which analysts attribute in part to disruptions in internet access and infrastructure within the region. However, previous campaigns demonstrate that activity can escalate rapidly as attackers establish new infrastructure or re‑engage previously used assets.
Commonly Observed Attack Patterns
Based on both current intelligence and historical campaigns, Iranian‑aligned threat activity frequently includes:
- Password spraying and credential harvesting against cloud and identity platforms
- Phishing and social engineering designed to gain initial access
- Malicious IP infrastructure used for authentication attempts
- Command‑and‑control communications associated with malware or compromised accounts
Because threat actors often reuse IP addresses, domains, and hosting providers across multiple operations, blocking known IOCs—even those observed in prior campaigns—can provide some of the earliest possible detection of malicious activity.
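As an added example (not Guardian 365's code or feed), the following Python runs a small constructed IOC list of IP addresses and domains over constructed Entra ID-style sign-in and proxy records, and also flags the password-spray pattern named above: one source IP producing failed sign-ins across many distinct accounts, followed by a success. Every indicator value and log line is a placeholder, not an indicator from this bulletin.

```python
import json
from collections import defaultdict

# Constructed IOC set (documentation/reserved values), not the bulletin's indicators.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.invalid", "mail-auth.invalid"}

# Constructed events, loosely modelled on Entra ID sign-in and web proxy logs.
SAMPLE_LOGS = """\
{"ts":"2026-03-16T08:00:01Z","type":"signin","user":"a.smith@corp.example","ip":"203.0.113.45","status":"failure"}
{"ts":"2026-03-16T08:00:03Z","type":"signin","user":"b.jones@corp.example","ip":"203.0.113.45","status":"failure"}
{"ts":"2026-03-16T08:00:05Z","type":"signin","user":"c.wong@corp.example","ip":"203.0.113.45","status":"failure"}
{"ts":"2026-03-16T08:00:07Z","type":"signin","user":"d.ali@corp.example","ip":"203.0.113.45","status":"success"}
{"ts":"2026-03-16T08:01:00Z","type":"signin","user":"e.kim@corp.example","ip":"192.0.2.10","status":"failure"}
{"ts":"2026-03-16T08:02:00Z","type":"proxy","user":"d.ali@corp.example","domain":"update-check.invalid"}
{"ts":"2026-03-16T08:03:00Z","type":"proxy","user":"e.kim@corp.example","domain":"vendor.example"}
"""

def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def match_iocs(events):
    """Return (ts, user, ioc_type, value) for every event that touches a known IOC."""
    hits = []
    for e in events:
        if e.get("ip") in IOC_IPS:            # proxy events carry no "ip" key: None never matches
            hits.append((e["ts"], e["user"], "ip", e["ip"]))
        if e.get("domain") in IOC_DOMAINS:
            hits.append((e["ts"], e["user"], "domain", e["domain"]))
    return hits

def detect_password_spray(events, min_accounts=3):
    """Source IPs whose failed sign-ins span at least min_accounts distinct accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if e.get("type") == "signin" and e.get("status") == "failure":
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_accounts)

def success_after_spray(events, spray_ips):
    """Accounts that signed in successfully from a spraying IP: likely compromised."""
    return sorted((e["user"], e["ip"]) for e in events if e.get("type") == "signin"
                  and e.get("status") == "success" and e["ip"] in spray_ips)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    spray = detect_password_spray(evs)
    print(match_iocs(evs), spray, success_after_spray(evs, set(spray)))
```

A production rule would add a time window to the spray count and exclude the organisation's own egress addresses, which a distinct-account count alone does not do.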
Environments Potentially Impacted
The IOCs in this bulletin are relevant to a broad range of enterprise environments, including:
- Microsoft 365
- Microsoft Entra ID
- Active Directory
- Endpoints across the environment
This reflects the reality that modern attacks rarely target a single system in isolation. Identity, email, and endpoint controls all play a role in early‑stage detection.
IOC Inventory Summary
This bulletin includes a curated set of indicators linked to confirmed Iranian threat actors, affiliated hacktivist groups, and recurring malicious infrastructure patterns:
- 30 MD5 file hashes
- 5 IPv4 addresses
- 11 domain names
A complete inventory of these indicators can be provided to Guardian customers. Contact your Customer Success Account Manager (CSAM) for more information.
How Guardian 365 Is Deploying Protections
For customers enrolled in the Guardian 365 IOC Feed, blocking rules associated with these indicators are being deployed automatically using Guardian 365’s configuration management and security orchestration, automation and response (SOAR) platforms.
Deployment window:
- Begins: March 16, 2026
- Concludes: April 1, 2026
Deployments occur on a rolling basis, including for newly opted‑in customers during this period.
After April 1, customers who would like these IOCs deployed in their environment can submit a support request to support@forsyteit.com.
What Customers Should Do Next
No immediate action is required for customers already opted into the Guardian 365 IOC Feed. Protections are being applied proactively and monitored by our SOC.
If you have questions about:
- Your current IOC Feed enrollment
- How these indicators apply to your environment
- Opting into the Guardian 365 IOC Feed
Please contact your Customer Success Account Manager (CSAM) for guidance.
Staying Ahead of a Changing Threat Landscape
Threat activity tied to geopolitical events is rarely static. Campaigns evolve, infrastructure shifts, and targeting strategies adapt quickly. Guardian 365’s approach—combining verified intelligence, historical context, and automated enforcement—helps reduce the window between emerging risk and effective defense.
We’ll continue to monitor developments closely and provide updates as warranted.