The February 28 strikes changed the calculus. Iranian state-sponsored hackers will escalate — the only question is when. We've deployed 11 detection rules tuned specifically for how these groups attack cloud identity infrastructure.
The Current Threat Landscape
On February 28, 2026, the United States and Israel launched coordinated strikes against Iran under Operation Epic Fury and Operation Roaring Lion. Within hours, over 150 hacktivist incidents were claimed in open channels, and Iran's "Electronic Operations Room" was established the same day to coordinate cyber operations across multiple state-aligned groups.
While Iran's domestic internet connectivity dropped to 1-4% following the strikes, threat intelligence firms warn this is temporary. Tehran-linked hackers are stepping up digital reconnaissance and preparing for potentially disruptive cyber activity. Unit 42 assesses that while connectivity loss has degraded near-term coordination, Iranian threat actors continue to operate through proxies and VPNs outside the country.
"We expect Iran to target the U.S., Israel, and Gulf Cooperation Council countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure." — John Hultquist, Google Threat Intelligence Group
- 150+ hacktivist incidents claimed since February 28
- 11 new detection rules deployed by Auth Sentry for Iranian APT tradecraft
- 4 major Iranian APT groups tracked in this bulletin
Iranian APT groups have a well-documented preference for cloud identity attacks. Unlike endpoint compromises that require malware, identity-based intrusions use valid credentials and legitimate tools — making them harder to detect and attribute. CISA specifically warns about credential access and persistence techniques targeting Okta, Microsoft 365, and Google Workspace.
The Actors We're Tracking
Four major Iranian APT groups have demonstrated consistent capabilities against cloud identity infrastructure. These groups operate under different Iranian intelligence agencies but share similar tradecraft when targeting Western organizations. A September 2025 leak of APT35/Charming Kitten internal documents provided detailed insight into their operational methods, target selection, and exploitation techniques — intelligence we've incorporated into our detection rules.
| Group | Aliases | Affiliation | Primary Targets |
|---|---|---|---|
| APT33 | Elfin, Refined Kitten | IRGC | Energy, aerospace, defense |
| APT34 | OilRig, Helix Kitten | MOIS | Government, finance, telecoms |
| APT35 | Charming Kitten, Mint Sandstorm | IRGC | Journalists, academics, dissidents, government officials |
| MuddyWater | MERCURY, Mango Sandstorm | MOIS | Government, defense, telecoms |
How Iranian APT Attacks Unfold
Iranian APT cloud identity intrusions follow a consistent, phased pattern with characteristically patient dwell times between phases — a key differentiator from financially motivated actors like Scattered Spider, which operate in minutes to hours. Understanding this kill chain is essential for detection.
The Tradecraft We Detect
Distributed Password Spraying
All tracked Iranian groups use a distributed low-and-slow spray methodology. Rather than high-volume single-source spraying that triggers lockouts, they operate via rotating VPS pools, residential proxies, and Tor exit nodes. Spray passwords follow observable patterns: seasonal formats (Spring2026!), organization-name variants ([Company]2025!), and known common passwords.
Target lists are pre-enumerated from LinkedIn, company directories, and prior intelligence — the spray is directed, not random. This is reconnaissance-informed credential testing.
MFA Persistence Enrollment
APT35 and APT33 specifically enroll new authenticator applications or hardware tokens within hours of initial access. This creates an authentication pathway that survives password resets — a common defensive response that inadvertently locks the legitimate user out while the attacker retains access via their registered MFA device. (For more on how attackers abuse MFA, see our guide on MFA fatigue attacks.)
OAuth Application Persistence
APT33 and APT34 immediately register OAuth application grants on compromised accounts. This provides a persistent access token that survives credential rotation and operates outside session-based controls, enabling long-term silent access to email, files, and calendar data.
Our Detection Approach
Auth Sentry's Iranian APT detection suite operates on two complementary layers: real-time pattern detection for known attack techniques, and behavioral analytics that can identify campaigns before specific attack patterns emerge. (For a deeper look at our detection methodology, see how Auth Sentry works.)
Real-Time Pattern Detection (IR-001 to IR-007)
Seven detection rules trigger immediately when we observe the specific tactics Iranian actors use — password sprays, persistence mechanisms, privilege escalation. When a pattern matches, your security team gets a high-confidence investigation with full context, not a low-signal alert to triage.
Predictive Behavioral Analytics (BA-IR-001 to BA-IR-004)
A second layer of detections uses graph-based behavioral analytics to identify campaigns before any specific attack technique fires. Our data science approach analyzes identity behavior patterns across three dimensions:
- Community Analysis — Identifies spray campaigns by detecting authentication failures distributed across multiple organizational communities simultaneously — the signature of a directory-wide attack.
- High-Value Target Profiling — Scores each identity by access breadth and organizational influence. High-value identities are disproportionately targeted by APT35/Charming Kitten for their intelligence value.
- Behavioral Drift Detection — Measures how each identity's behavior changes against its established baseline. Iranian APT produces a characteristic moderate, sustained drift pattern — different from the rapid spikes seen in ransomware attacks.
Our behavioral analytics can fire during Phase 0 — detecting the credential testing and reconnaissance phase of a campaign before traditional pattern-based signatures trigger. This gives security teams early warning while the attack is still developing, not after persistence is already established.
Detection Rules Deployed
Pattern-Based Rules
| Rule | Name | Kill Chain Phase | Severity |
|---|---|---|---|
| IR-001 | Low-and-Slow Password Spray | Initial Access | HIGH |
| IR-002 | Spray-to-Success (Confirmed Compromise) | Credential Access | CRITICAL |
| IR-003 | MFA Enrollment After Spray | Persistence | HIGH |
| IR-004 | OAuth App Persistence | Persistence | HIGH |
| IR-005 | Privilege Escalation After Compromise | Privilege Escalation | CRITICAL |
| IR-006 | Multi-Source Targeted Attack | Initial Access | HIGH |
| IR-007 | Multi-Stage Campaign Correlation | Full Campaign | CRITICAL |
Behavioral Analytics Rules
| Rule | Name | Detection Method |
|---|---|---|
| BA-IR-001 | Community-Diversity Spray Signature | Detects auth failures spanning multiple organizational communities from a single source |
| BA-IR-002 | Patient Behavioral Drift | Identifies the moderate, sustained behavioral drift characteristic of Iranian APT credential testing |
| BA-IR-003 | High-Value Targeted Identity | Flags when high-influence identities show drift or multi-source auth failures |
| BA-IR-004 | Predictive Kill Chain Estimator | Estimates current attack phase from behavioral signals — fires at Phase 0 before pattern rules trigger |
Rule Detail: How Our Detection Logic Works
To illustrate our approach, here's the specific logic behind two representative rules — one pattern-based and one behavioral:
IR-001: Low-and-Slow Password Spray
Trigger: A single source IP generates authentication failures against 5+ distinct user accounts within a 4-hour window.
Why this works: Iranian APT spray campaigns deliberately stay below typical lockout thresholds (usually 3-5 failures per account). By correlating failures across accounts from the same source, we detect the campaign pattern that per-account monitoring misses.
Tuning note: Threshold can be adjusted based on organization size. Larger directories may warrant higher thresholds to reduce noise from legitimate service accounts or misconfigured applications.
BA-IR-001: Community-Diversity Spray Signature
Approach: We continuously analyze how identities cluster based on shared access patterns, applications, and organizational relationships. When authentication failures from a single source span 3+ distinct identity communities simultaneously, it indicates a directory-wide spray — not targeted account guessing.
Why this matters: Traditional detection looks at individual accounts or simple IP reputation. Our approach sees the shape of an attack across your identity graph. A spray hitting Finance, Engineering, and Executive communities in the same hour has a distinct signature that's invisible to event-by-event analysis.
Early warning advantage: This rule often fires before IR-001, because it detects the structural pattern of a spray campaign even when individual account failure counts remain low.
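To make the two rules concrete, here is an added Python example written for this page (it is not Auth Sentry's code) that runs both checks over a handful of constructed authentication events. The 4-hour window, the 5-account threshold and the 3-community threshold are the values stated above; the event tuple format and the static community labels are assumptions standing in for a real identity-provider log feed and for graph-derived clustering.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds from the rule detail above (tuning knobs in practice).
SPRAY_WINDOW = timedelta(hours=4)   # IR-001 correlation window
MIN_ACCOUNTS = 5                    # IR-001: distinct accounts from one source
MIN_COMMUNITIES = 3                 # BA-IR-001: distinct identity communities from one source

# Constructed sample events (timestamp, source IP, user, outcome); not real logs.
SAMPLE_EVENTS = [
    # 203.0.113.10: one failure per account, ~50 minutes apart, below per-account lockout
    ("2026-03-01T01:05:00", "203.0.113.10", "alice@example.com", "FAILURE"),
    ("2026-03-01T01:50:00", "203.0.113.10", "bob@example.com", "FAILURE"),
    ("2026-03-01T02:40:00", "203.0.113.10", "carol@example.com", "FAILURE"),
    ("2026-03-01T03:30:00", "203.0.113.10", "dave@example.com", "FAILURE"),
    ("2026-03-01T04:20:00", "203.0.113.10", "erin@example.com", "FAILURE"),
    # 198.51.100.7: one user mistyping a password, then succeeding (benign)
    ("2026-03-01T02:00:00", "198.51.100.7", "frank@example.com", "FAILURE"),
    ("2026-03-01T02:01:00", "198.51.100.7", "frank@example.com", "FAILURE"),
    ("2026-03-01T02:02:00", "198.51.100.7", "frank@example.com", "SUCCESS"),
    # 192.0.2.55: only three accounts, but one in each of three communities
    ("2026-03-01T05:00:00", "192.0.2.55", "alice@example.com", "FAILURE"),
    ("2026-03-01T05:30:00", "192.0.2.55", "dave@example.com", "FAILURE"),
    ("2026-03-01T06:00:00", "192.0.2.55", "grace@example.com", "FAILURE"),
]

# Constructed community labels. The post describes deriving these from graph
# clustering of shared access patterns; a static map stands in for that here.
COMMUNITY = {
    "alice@example.com": "finance", "bob@example.com": "finance",
    "carol@example.com": "engineering", "dave@example.com": "engineering",
    "frank@example.com": "engineering",
    "erin@example.com": "executive", "grace@example.com": "executive",
}


def _failures_by_source(events):
    """Group failed logins by source IP, each list sorted by time."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAILURE":
            by_src[src].append((datetime.fromisoformat(ts), user))
    for failures in by_src.values():
        failures.sort()
    return by_src


def _max_distinct_in_window(failures, key, window):
    """Largest count of distinct key(user) values one source hit within any sliding window."""
    best = 0
    for i, (t0, _) in enumerate(failures):
        seen = set()
        for t, user in failures[i:]:
            if t - t0 > window:
                break
            seen.add(key(user))
        best = max(best, len(seen))
    return best


def detect_spray_ir001(events, window=SPRAY_WINDOW, min_accounts=MIN_ACCOUNTS):
    """IR-001 style: failures from one source against >= min_accounts distinct users in a window.
    Returns {source_ip: distinct_accounts} for sources that trip the rule."""
    hits = {}
    for src, failures in _failures_by_source(events).items():
        n = _max_distinct_in_window(failures, lambda user: user, window)
        if n >= min_accounts:
            hits[src] = n
    return hits


def detect_spray_ba_ir001(events, community, window=SPRAY_WINDOW, min_communities=MIN_COMMUNITIES):
    """BA-IR-001 style: failures from one source spanning >= min_communities identity communities.
    Returns {source_ip: distinct_communities} for sources that trip the rule."""
    hits = {}
    for src, failures in _failures_by_source(events).items():
        n = _max_distinct_in_window(failures, lambda user: community.get(user, "unassigned"), window)
        if n >= min_communities:
            hits[src] = n
    return hits


if __name__ == "__main__":
    print("IR-001   :", detect_spray_ir001(SAMPLE_EVENTS))
    print("BA-IR-001:", detect_spray_ba_ir001(SAMPLE_EVENTS, COMMUNITY))
```

On this input only 203.0.113.10 trips IR-001, but 192.0.2.55 trips BA-IR-001 as well: three failures is far below the account-count threshold, yet because they land in three different communities the structural signature is already visible. That is the early-warning behaviour the rule detail describes, and it is also why the per-account lockout counter (frank's two typos) stays silent in both checks.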
A Note on Detection Tuning
No detection rule is perfect out of the box. IR-003 (MFA Enrollment After Spray) may trigger when a user legitimately enrolls a new device after experiencing unrelated auth failures — for example, after a password reset due to a forgotten credential. Auth Sentry correlates MFA enrollment with preceding spray activity from known-suspicious infrastructure to reduce these false positives, but some tuning is expected based on your organization's enrollment patterns.
All detection rules include suppression controls, threshold adjustments, and the ability to allowlist known service accounts or IP ranges. Our approach: high-confidence investigations by default, with knobs available when your environment requires them.
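The IR-003 false-positive case above is easiest to see in code. The following Python example is added here and is not Auth Sentry's implementation; it correlates MFA enrollments with a preceding successful login from a source that an earlier spray finding identified, and it applies an IP-range allowlist so that a misconfigured internal application that tripped the spray rule does not in turn flag every enrollment routed through it. The 24-hour correlation window, the event dictionary shape, the spray-finding shape and the 10.0.0.0/8 allowlist are assumptions; the events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an enrollment still correlates with a suspicious login this long afterwards.
ENROLL_WINDOW = timedelta(hours=24)

# Constructed: corporate ranges allowlisted from the rule (the "allowlist known IP ranges" knob).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed spray findings, in the shape an IR-001 style rule might emit. The second one
# is a misconfigured internal application that tripped the spray rule (the noise case).
SPRAY_FINDINGS = [
    {"src": "203.0.113.10", "targets": {"alice@example.com", "bob@example.com", "carol@example.com"}},
    {"src": "10.0.0.20", "targets": {"erin@example.com", "frank@example.com", "grace@example.com"}},
]

# Constructed identity-provider events (not real logs).
SAMPLE_EVENTS = [
    # alice: spray source logs in successfully, then registers an authenticator minutes later
    {"ts": "2026-03-01T06:00:00", "type": "LOGIN_SUCCESS", "user": "alice@example.com", "src": "203.0.113.10"},
    {"ts": "2026-03-01T06:12:00", "type": "MFA_ENROLL", "user": "alice@example.com", "src": "203.0.113.10", "factor": "totp"},
    # bob: sprayed, but enrolls after a helpdesk password reset from a corporate address
    {"ts": "2026-03-01T09:00:00", "type": "PASSWORD_RESET", "user": "bob@example.com", "src": "10.0.0.5"},
    {"ts": "2026-03-01T09:05:00", "type": "LOGIN_SUCCESS", "user": "bob@example.com", "src": "10.0.0.5"},
    {"ts": "2026-03-01T09:07:00", "type": "MFA_ENROLL", "user": "bob@example.com", "src": "10.0.0.5", "factor": "push"},
    # dave: never sprayed, registers a new phone
    {"ts": "2026-03-01T10:00:00", "type": "LOGIN_SUCCESS", "user": "dave@example.com", "src": "198.51.100.7"},
    {"ts": "2026-03-01T10:03:00", "type": "MFA_ENROLL", "user": "dave@example.com", "src": "198.51.100.7", "factor": "push"},
    # erin: logs in and enrolls via the misconfigured internal app's address
    {"ts": "2026-03-01T11:00:00", "type": "LOGIN_SUCCESS", "user": "erin@example.com", "src": "10.0.0.20"},
    {"ts": "2026-03-01T11:04:00", "type": "MFA_ENROLL", "user": "erin@example.com", "src": "10.0.0.20", "factor": "totp"},
]


def _is_allowlisted(src, allowlist):
    """True when the source address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowlist)


def detect_mfa_enrollment_after_spray(events, spray_findings, allowlist=ALLOWLIST, window=ENROLL_WINDOW):
    """IR-003 style correlation. Flags an MFA enrollment only when all of these hold:
    the user was a target of a detected spray, a successful login for that user came from
    a non-allowlisted spray source (the spray-to-success link), and the enrollment happened
    within `window` after that login. Enrollments that follow an unrelated password reset
    from ordinary infrastructure therefore do not fire."""
    spray_sources = {f["src"] for f in spray_findings if not _is_allowlisted(f["src"], allowlist)}
    targets = set().union(*(f["targets"] for f in spray_findings))

    # Index suspicious successful logins per targeted user.
    suspicious_logins = defaultdict(list)
    for e in events:
        if e["type"] == "LOGIN_SUCCESS" and e["user"] in targets and e["src"] in spray_sources:
            suspicious_logins[e["user"]].append(datetime.fromisoformat(e["ts"]))

    findings = []
    for e in events:
        if e["type"] != "MFA_ENROLL":
            continue
        enrolled_at = datetime.fromisoformat(e["ts"])
        for login_at in suspicious_logins.get(e["user"], []):
            if login_at <= enrolled_at <= login_at + window:
                findings.append({
                    "rule": "IR-003",
                    "user": e["user"],
                    "factor": e["factor"],
                    "enroll_src": e["src"],
                    "suspicious_login_at": login_at.isoformat(),
                    "enrolled_at": e["ts"],
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_enrollment_after_spray(SAMPLE_EVENTS, SPRAY_FINDINGS):
        print(finding)
```

With the allowlist in place only alice's enrollment is raised: bob's follows a reset from a corporate address with no spray-source login behind it, dave was never a target, and erin's path runs through the allowlisted internal application. Passing an empty allowlist makes erin's enrollment fire too, which is exactly the noise the allowlist knob exists to suppress.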
Why Iranian APT Evades Traditional Defenses
Iranian APT has a distinct operational fingerprint that separates it from other threat actors — and explains why traditional security tools often miss them:
- Patient spray pace — Hours per cycle, not minutes. Rate-based detections calibrated for fast-moving actors like Scattered Spider will miss Iranian APT without time-window tuning.
- Distributed infrastructure — VPS pools and residential proxies mean single-IP lockout rules are insufficient. They attack from many sources simultaneously.
- Persistence before collection — MFA and OAuth persistence are established before any data collection occurs. By the time you see exfiltration, they've already entrenched.
- Curated targeting — APT35 in particular maintains pre-enumerated target lists. They're not spraying randomly — they know who they want.
MITRE ATT&CK Coverage
These detection rules provide coverage across the following MITRE ATT&CK techniques:
- T1110.003 — Password Spraying
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1098.003 — Additional Cloud Roles
- T1098.005 — Device Registration
- T1087 — Account Discovery
- T1530 — Data from Cloud Storage
Protect Your Organization
Auth Sentry connects to your identity providers — Okta, Microsoft Entra ID, Google Workspace — and applies graph-based behavioral analytics to detect identity-based attacks that traditional tools miss.
These Iranian APT detection rules are now live for all Auth Sentry customers. If you're not yet protected, now is the time to act. Have questions? Check our FAQ or contact us directly.