Iran Conflict and Cyber Risk: What North American Organizations Need to Know

On February 28, 2026, US and Israeli forces conducted joint strikes against Iranian targets. Active conflict is underway. For cybersecurity practitioners and the MSPs who protect North American businesses, this is not a situation to monitor—it is a situation to act on.

Cyber and information operations are already in motion. Open-source reporting confirmed a near-total internet connectivity collapse inside Iran within hours of the strikes, with national connectivity dropping to roughly 4% of normal levels. Concurrent disruptions affected Iranian state media, government digital services, and related infrastructure. Whether those effects were externally driven or the result of internal shutdown measures, the pattern is clear: cyber operations are running alongside military ones.

Here is the bottom line for North American organizations: you do not need to be a named geopolitical target to be at risk.

The Practical Threat for SMBs and Mid-Market Organizations

Iran-linked threat actors do not need to hand-craft every intrusion. Their playbook scales through automation—scanning exposed systems, spraying credentials, and running high-volume phishing campaigns that shift themes to match the news cycle. During conflict windows, that volume increases. Organizations sitting on weak identity controls, exposed remote access, or unpatched edge devices absorb more of that surge.

The other dynamic worth understanding is access brokerage. Several Iran-linked clusters specialize in obtaining footholds—through credential theft, edge device exploitation, or remote access abuse—and transferring those footholds to enable downstream ransomware and extortion outcomes. The actor who gets in first may not be the one who causes the damage. That means even organizations that do not appear to be high-value targets can end up in the middle of a ransomware incident because they were reachable at the wrong moment.

Iran's cyber capability is mature, operationally diverse, and has a documented history of increasing tempo during conflict periods. The threat spans state-aligned espionage teams, contractor networks operating with deniability, and proxy actors focused on disruption and psychological impact. These streams converge on the same repeatable entry points: credentials, exposed gateways, and over-trusted remote access tooling.

Who Faces the Most Pressure

Not every organization carries equal risk in this environment. Based on current intelligence, the verticals facing the highest near-term pressure include:

  • State and local government and municipalities (e.g., water, utilities, emergency services): where downtime has public safety consequences and security resources are often constrained
  • Healthcare: where operational disruption creates leverage and sensitive data enables extortion
  • Critical infrastructure and OT-adjacent operators: where exposed management interfaces can create direct operational impact
  • Defense, aerospace, and manufacturing subcontractors: attractive as pivot points into larger supply chains
  • MSPs and IT service providers: where a single compromised credential or RMM session can cascade across dozens of downstream clients
  • Financial services, higher education, and NGOs: each for different reasons tied to data value, public visibility, and policy-adjacent work

If your organization or your clients fall into any of these categories, the risk calculus has changed this week.

The Four Things That Matter Most Right Now

The defenses that reduce Iran-linked campaign effectiveness are not new or exotic. They are consistent across every wave of activity we have tracked over the past decade. In the next 24 to 72 hours, these are the highest-leverage actions:

1. Harden identity and enforce MFA everywhere. Prioritize administrators, executives, VPN, and email. Prefer phishing-resistant methods where feasible. Disable legacy authentication. Monitor for MFA push bombing, suspicious OAuth grants, new mailbox rules, and auto-forwarding.

2. Reduce your public attack surface. Remove RDP and admin interfaces from the internet. Require VPN plus MFA for remote access. Patch edge devices aggressively—and if a device was recently exposed and vulnerable, investigate for persistence even after patching.

3. Lock down RMM and remote access tooling. Audit what is installed, enforce MFA, restrict admin access, and require change control. Alert on new installs, unattended access creation, and MSI executions from unfamiliar URLs. This is especially critical in MSP environments.

4. Validate your recovery readiness. Confirm immutable or offline backups are current and test restoration—including Active Directory and critical SaaS recovery assumptions. Validate incident response runbooks for account lockout, session revocation, endpoint isolation, and remote access restriction.
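As an added illustration of the monitoring items in steps 1 and 3 (not Todyl's code and not part of the original post), the following checks run over constructed sample events modelled on cloud sign-in, mailbox audit and endpoint process logs; the domain names, host names and thresholds are assumptions to adapt to your environment.

```python
"""Triage checks for three signals named above: MFA push bombing, inbox rules forwarding
mail off-domain, and msiexec installs pulled from unfamiliar URLs. Events are constructed samples."""
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, **fields):                 # helper to keep the constructed sample compact
    return {"ts": "2026-03-01T" + ts, **fields}

# Constructed sample events, loosely modelled on cloud sign-in, mailbox audit and EDR process logs.
EVENTS = [ev(f"02:0{i}:10", type="mfa", user="cfo@example.com", result="denied") for i in range(6)] + [
    ev("02:07:00", type="mfa", user="cfo@example.com", result="approved"),    # fatigue: victim finally approves
    ev("09:15:00", type="mfa", user="analyst@example.com", result="denied"),  # a single denial is normal
    ev("02:09:30", type="inbox_rule", user="cfo@example.com", forward_to="backup@mail-relay.example"),
    ev("10:00:00", type="inbox_rule", user="hr@example.com", forward_to="hr-shared@example.com"),
    ev("11:00:00", type="process", host="WS-12", cmdline="msiexec.exe /i https://cdn.files.example/agent.msi /qn"),
    ev("11:05:00", type="process", host="WS-07", cmdline="msiexec.exe /i https://updates.rmm-vendor.example/agent.msi /qn"),
]
INTERNAL_DOMAINS = {"example.com"}                     # assumed: domains the organization owns
TRUSTED_MSI_HOSTS = {"updates.rmm-vendor.example"}     # assumed: hosts your RMM vendor actually serves from

def mfa_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received at least `threshold` non-approved MFA prompts inside any `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa" and e["result"] != "approved":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):
            # prompts in [start, start + window]; bisect_right returns the index just past the window
            if bisect_right(times, start + window) - i >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)

def external_forwarding(events, internal_domains):
    """Mailboxes with an inbox rule that forwards to a domain the organization does not own."""
    return sorted({e["user"] for e in events if e["type"] == "inbox_rule"
                   and e["forward_to"].rsplit("@", 1)[-1].lower() not in internal_domains})

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
def msi_from_unfamiliar_url(events, trusted_hosts):
    """(endpoint, url_host) pairs where msiexec installed straight from a URL not on the trusted list."""
    return [(e["host"], h.lower()) for e in events if e["type"] == "process"
            and "msiexec" in e["cmdline"].lower()
            for h in URL_RE.findall(e["cmdline"]) if h.lower() not in trusted_hosts]
```

Each function returns the accounts or endpoints to triage first; an MFA-fatigue hit followed by an approval and a new off-domain forwarding rule on the same mailbox, as in the sample, is the pattern that warrants immediate session revocation.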

What We Published for Our Partners

We have released a full MXDR Intelligence Update covering the complete Iran-linked threat actor landscape, vertical-specific risk breakdowns with countermeasures, a 24–72 hour defense posture prioritization checklist, current IOC and infrastructure intelligence, and a full MITRE ATT&CK mapping of the most consistently observed techniques.

Download a redacted version of our report below:

How Todyl Can Help

The Todyl Platform directly addresses the most common paths used in Iran-linked campaigns, especially credential-led intrusion, living-off-the-land execution, and remote access abuse. The most important outcomes during active conflict periods are faster containment, fewer blind spots across identity, endpoint, and network signals, and the ability to respond consistently across a distributed SMB and mid-market footprint.

MXDR and Detection Engineering continue to proactively threat hunt across customer environments, validate detections against current reporting, and deploy additional prevention and detection updates as activity evolves. As new infrastructure, tools, and delivery patterns emerge, detections are tuned to reduce noise while preserving high-fidelity signals tied to identity compromise, PowerShell-based execution, remote tooling abuse, and ransomware enablement.

Platform capabilities that map directly to the observed tradecraft:

  • MXDR coverage across identity, cloud, endpoint, and network signals with guided response workflows and automated response actions when suspicious activity is detected.
  • Endpoint protection, including NGAV and EDR, to prevent and detect PowerShell-heavy living-off-the-land behavior, credential access attempts, and defense evasion.
  • SASE capabilities to reduce exposed attack surface, enforce secure access paths, and improve visibility into outbound traffic and anomalous connections.
  • Unified telemetry and case management to correlate phishing (through integration), valid account abuse, remote access events, and lateral movement into a single investigation path.
  • Janus AI integrated with Todyl Threat Intelligence to provide contextual access to current threat actor reporting, infrastructure intelligence, relevant CVEs, and campaign indicators directly within investigations. This reduces time spent pivoting across disparate tools and helps teams move from signal to validated incident faster, especially during surge periods when volume and noise increase.

If your organization is currently experiencing increased phishing volume, suspicious MFA prompts, unexplained remote access activity, or signs of credential misuse, engage your security team immediately and escalate for rapid triage. Early containment steps, including account lockout, session revocation, endpoint isolation, and remote access restriction, remain the fastest way to prevent follow-on ransomware or extortion outcomes.
