Iran’s Internet Went to Zero on Jan 8—Will Account Takeovers Spike in the Next 2–3 Weeks?

🧨 When a country turns the internet off, the threat model doesn’t go away — it goes offline-first.

On Jan 8, multiple monitors showed Iran’s traffic sliding to near-zero, with only brief/limited restore windows afterward. That’s the perfect cover for the oldest play in the book: fast phishing → fast takeover → faster post-auth collection.

If you defend high-risk users (execs, journalists, admins, “VIPs”), hunt the ugly combo:
first-seen sign-in (new device/ASN/geo)
➡️ immediate mailbox / SharePoint / OneDrive touches
➡️ persistence (rules, app consents, new identities, “why is forwarding on?”)

Nobody needs a zero-day when your users are confused, connectivity is choppy, and your detections are… “we’ll review that tomorrow.” 🙃

Real question: are you correlating first-seen sign-in → post-auth actions in M365/Entra… or still treating those as separate worlds?
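One way to wire up the first-seen sign-in → post-auth → persistence correlation asked about above, as an added example (not code from the linked blog post). The flat event schema, the 30-minute window, the sample data and the `correlate`/`event` names are assumptions; the operation names are ones the Microsoft 365 unified audit log uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names as they appear in the M365 unified audit log.
COLLECTION = {"MailItemsAccessed", "FileAccessed", "FileDownloaded"}
PERSISTENCE = {"New-InboxRule", "Set-Mailbox", "Consent to application"}
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per tenant

def correlate(events, window=WINDOW):
    """Chain first-seen sign-ins to post-auth collection and persistence."""
    seen = defaultdict(lambda: {"device": set(), "asn": set(), "country": set()})
    open_alerts, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, when = ev["user"], datetime.fromisoformat(ev["time"])
        if ev["op"] == "UserLoggedIn":
            hist = seen[user]
            has_baseline = any(hist.values())
            new = [k for k in hist if ev[k] not in hist[k]]
            for k in hist:
                hist[k].add(ev[k])
            if has_baseline and new:  # a user's first-ever sign-in only seeds the baseline
                alert = {"user": user, "at": when, "ip": ev["ip"], "new": new,
                         "collection": [], "persistence": []}
                open_alerts[user] = alert
                alerts.append(alert)
            continue
        alert = open_alerts.get(user)
        # Count only activity from the flagged sign-in's IP, inside the window.
        if not alert or ev["ip"] != alert["ip"] or when - alert["at"] > window:
            continue
        if ev["op"] in COLLECTION:
            alert["collection"].append(ev["op"])
        elif ev["op"] in PERSISTENCE:
            alert["persistence"].append(ev["op"])
    for a in alerts:
        a["severity"] = ("high" if a["collection"] and a["persistence"]
                         else "medium" if a["collection"] or a["persistence"] else "low")
    return alerts

# Constructed sample events in a simplified schema (not a real audit export).
def event(t, op, ip, dev="laptop-1", asn=64500, cc="DE", user="vip@example.com"):
    return {"time": t, "user": user, "op": op, "ip": ip, "device": dev, "asn": asn, "country": cc}

SAMPLE = [
    event("2025-03-01T08:00:00", "UserLoggedIn", "198.51.100.10"),
    event("2025-03-01T08:05:00", "MailItemsAccessed", "198.51.100.10"),
    event("2025-03-03T02:10:00", "UserLoggedIn", "203.0.113.7", "unknown-pc", 64511, "NL"),
    event("2025-03-03T02:12:00", "MailItemsAccessed", "203.0.113.7", "unknown-pc", 64511, "NL"),
    event("2025-03-03T02:15:00", "New-InboxRule", "203.0.113.7", "unknown-pc", 64511, "NL"),
]
```

Calling `correlate(SAMPLE)` yields one high-severity alert for the second sign-in; a first-seen sign-in with no follow-on activity inside the window stays at low.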

Read it (and steal the detections): https://blog.alphahunt.io/irans-internet-went-to-zero-on-jan-8-will-account-takeovers-spike-in-the-next-2-3-weeks

Subscribe if this made you wince: same link. 😬

#CyberSecurity #Iran #InternetShutdown #IdentitySecurity #AlphaHunt
