Everyone loves a “trusted app” until it turns into a long-lived permission slip with better branding.

The platform can stay technically unbroken and you still get cleaned out. That gap is the problem.

Everyone saw the PLC headline and immediately built their whole Iran take around exposed controllers. Cool. The nastier question is what happens when the next move comes through identity, admin planes, or some target class nobody staffed for.

Iran cyber risk isn’t just “watch for wipers.” It’s the same ugly identity-first playbook: password sprays, MFA abuse, cloud access… then maybe admin-plane sabotage. Recent reporting says activity is already reaching U.S. targets. Cute. 🚨🔐🧨

Ransom is a tactic. Liquidity is the strategy.

Our new forecast asks: will ShinyHunters make more in 2H 2026 by selling SaaS access/data than by getting paid? Signals say yes. 🕵️‍♂️💸☁️

Iran’s internet goes dark → attackers don’t stop. They speed-run creds and hit post-auth collection the moment connectivity blips back. ⏱️🔑👀

Phishing got a low-code upgrade. 🤖🔑
Copilot Studio links can look “safe” because they’re hosted where users expect… then the OAuth consent click does the rest. 🧯
We’re forecasting the first publicly confirmed Copilot Studio → OAuth → M365 data breach by 12/31/26 (56%).

VoidProxy: AitM Phishing-as-a-Service Quietly Bypasses MFA at Scale