Normal view

Putting AI to work with the building trades

21 April 2026 at 10:59

We are living through a moment that will be defined not only by advanced technology and AI, but by the real-world infrastructure that makes it possible. And that infrastructure will be built the way critical infrastructure has always been built—by electricians, ironworkers, pipefitters, operating engineers, laborers, and the many other skilled professionals who turn plans into places and progress.

In a world that can feel increasingly virtual, there are millions of skilled trade professionals who remind us of a simple truth: what happens next still depends on uniquely human skills and what we can create, build, wire, weld, install, and maintain.

At Microsoft, we are honored to partner with North America’s Building Trades Unions (NABTU) to invest in the people who build with us. Today we are announcing an expanded partnership to support a strong, skilled workforce pipeline and help workers across North America build the skills needed to succeed in an AI-powered economy.

We believe that the North American skilled trades workforce is one of the most talented workforce systems. This week, thousands of these talented workers from across North America gather in Washington, DC for their annual Legislative Conference, an annual convening that reflects both the enduring strength of the trades and the country’s need for what they do.

As part of our Community-First approach to AI infrastructure we committed to investing in the places where we build, in the people who build with us, and in the long-term capacity of local economies. AI is a tool we will use, and I believe it will help in ways we plan and manage work, but it will not replace the experience, judgment, and craft that define the trades. Instead, it can amplify those human skills: helping people work more safely, learning more quickly, and delivering higher-quality outcomes on increasingly complex job sites.

Bringing AI literacy to millions of trades professionals

Our collaboration with NABTU is built on a simple but powerful idea: the people building the future should also be equipped to thrive in it.

Over the past year, we have worked together to bring AI literacy directly into the apprenticeship and training infrastructure that NABTU operates across all 50 states and Canada. More than 1,500 instructors in hands-on training centers nationwide have already participated. That early momentum confirmed that when you meet workers where they are, with content designed for how they actually work, the true benefit of AI can be felt.

Today, we are expanding that effort significantly. Beginning now, no-cost AI literacy courses tailored specifically for the skilled trades are available on LinkedIn Learning, open to instructors, apprentices, and journey-level workers across North America. One course is designed for faculty and staff in apprenticeship training environments. The other is built for apprentices and journey-level professionals who are on job sites every day. Upon completion, participants earn an industry-recognized AI literacy credential—a tangible marker of readiness that travels with them throughout their careers.

We are also extending our partnership to TradesFutures, NABTU’s affiliated nonprofit that recruits, prepares, and connects people to union construction apprenticeship programs across 34 states. Through TradesFutures, we will expand awareness of careers in data center construction alongside AI literacy and link opportunity with infrastructure being built today with the skills that will define tomorrow. The training will be available to all TradesFutures Apprenticeship Readiness Programs, which operate in community-based workforce development settings, high schools, correctional facilities, and labor organizations.

Building on a foundation of partnership with labor unions

There is a question at the center of every conversation about AI and work: who gets to participate?

For too long, the answer has defaulted to those already inside the technology sector or sitting behind desks. But the reality of the AI economy is far broader than any single industry.

At Microsoft, we believe that AI literacy should be as foundational as safety training on a job site. It is not about turning electricians into software engineers. It is about ensuring that an apprentice learning to install electrical systems in a data center also understands the technology those systems support and can use AI tools to work more safely, more efficiently, and with greater confidence.

That philosophy aligns directly with how we think about jobs and skills at Microsoft Elevate—not as a one-time event but as an ongoing investment in human potential that increases the opportunity for all.

This work with NABTU is part of a broader pattern of partnership between Microsoft and the labor community. In December 2023, Microsoft and the AFL-CIO announced a first-of-its-kind partnership between a technology company and a national labor organization focused on AI. That agreement established a framework for sharing AI insights with labor leaders, incorporating worker perspectives into technology development, and shaping public policy that supports frontline workers.

Since then, through our Microsoft Elevate initiative, we have continued to deepen our engagement with workforce organizations, educators, and community institutions. From partnerships with the American Federation of Teachers on the National Academy for AI Instruction to the National Education Association and National Association of Workforce Boards, our work with community colleges across the country, the thread that connects all of this work is a commitment to meeting people where they are—and making sure they have the skills and credentials to move forward.

The road ahead

Technology only fulfills its promise when it lifts people up, and the opportunity here is enormous. For this sector, for every industry that depends on it, for organizations of every size, and for individual workers and entrepreneurs. But it will only be realized if AI is designed and deployed around the realities of the work. In the trades, that means tools that are practical, trusted, and tailored so that AI can help more people stay in the field doing what they love, while opening doors to new kinds of growth.

Think about what that can mean for a contractor who’s running a small shop after a full day on the job: AI that helps draft and send invoices faster, reconcile receipts, and keep paperwork from piling up late at night. Or AI that can sift through public records—permits, zoning updates, capital plans, and procurement notices—to spot building trends in a community and flag where demand is headed next. Or tools that help identify bid opportunities and assemble first-draft scopes and materials lists based on prior jobs. On the job site itself, we believe AI can support safer work, such as summarizing daily plans, translating instructions, and surfacing the right checklist or standard, so people can focus on the work that requires human judgment.

There remain big questions about the impact of AI, and while we do not yet have all the answers, we do know that the future will not be built by technology alone. It will be built by the people who show up every day with skill and purpose to construct the world we all want to live in. If we continue to work together, AI can help expand opportunities: stronger businesses, safer job sites, better projects, and more people able to earn a great living in the communities they call home.

 

The post Putting AI to work with the building trades appeared first on Microsoft On the Issues.

Building AI defenses at scale: Before the threats emerge

7 April 2026 at 20:02

At AWS, we’ve spent decades developing processes and tools that enable us to defend millions of customers simultaneously, wherever they operate around the world. AI has been an extremely helpful addition to the automation our security and threat intelligence teams do every day, and we’re still early in this journey. Our AI-powered log analysis system has reduced the time SecOps engineers spend analyzing security logs from an average of six hours to just seven minutes, a 50x productivity increase that lets us detect and respond to threats faster than ever. Across AWS, we analyze over 400 trillion network flows per day to detect patterns that signal emerging threats. In 2025 alone, we blocked over 300 million attempts to maliciously encrypt customer files hosted on Amazon S3. At this scale, every improvement in our operations helps protect all customers. AI is already helping us make our defenses stronger for everyone, and I’m excited to see that improvement continue.

A new class of AI for cybersecurity

Today, Anthropic announced Project Glasswing, a cybersecurity initiative designed to secure the world’s most critical software and advance the cybersecurity practices the industry will need as AI grows more capable. Organizations that build or maintain critical digital infrastructure are getting early access to Claude Mythos Preview, a new class of AI model, to find and patch vulnerabilities in the systems the world depends on. Given our role in securing some of the world’s most essential infrastructure, AWS is playing an integral part in advancing this work.

As part of Project Glasswing, we’ve already applied Claude Mythos Preview to critical AWS codebases that undergo continuous AI-powered security reviews, and even in those well-tested environments, it’s helped us identify additional opportunities to strengthen our code. In our internal testing, Claude Mythos Preview has proven more productive than previous models at surfacing security findings, requiring less manual guidance from our engineers to deliver actionable results. We’ve also given early access to a select group of AWS customers, who are deploying Claude Mythos Preview in their own security workflows and helping shape how the model evolves.

As AI tools grow more powerful in their ability to identify security issues, so must our ability to use them defensively. To that end, we’ve been working closely with Anthropic to help ensure Claude Mythos Preview is ready for enterprise use. AWS is Anthropic’s primary cloud provider for mission-critical workloads, safety research, and foundation model development. More broadly, AWS provides the foundational infrastructure that the world’s leading AI companies rely on to build, train, and deploy their most advanced models. We’re bringing decades of security experience to this partnership, helping to ensure Claude Mythos Preview is ready for even more organizations to build upon and operate securely at scale.

Claude Mythos Preview signals an upcoming wave of models that can find vulnerabilities and build working exploits at a scale and speed we haven’t seen before. Anthropic and AWS are taking a deliberately cautious approach to release. Access begins with a small number of organizations, prioritizing internet-critical companies and open-source maintainers whose software and digital services impact hundreds of millions of users. The goal: find and fix vulnerabilities in the world’s most critical software. Claude Mythos Preview is available in gated research preview through Amazon Bedrock with enterprise-grade security controls, including customer-managed encryption, VPC isolation, and detailed logging, so your team can explore Claude Mythos Preview’s capabilities without exposing production assets to unnecessary risk.

AWS architects services with security at the core

Our work with Project Glasswing is grounded in a philosophy we’ve developed over two decades of securing mission-critical workloads: you can’t wait for threats to materialize before building your defenses. You have to look around corners, adopt new technologies, build protections first, deploy them in your own operations at scale, and refine them based on what you learn.

That’s exactly what we’ve done at AWS with AI and security. Our approach spans the full spectrum: proactive defense through threat hunting and vulnerability research, dynamic response to active campaigns, and third-party certifications that verify our security practices meet the highest industry standards. This operational experience has taught us where AI accelerates security work and where human judgment remains essential. And it’s reinforced that security innovation must be pragmatic: proven in production before we ask you to rely on it.

That’s also why we help define what secure AI looks like. We became the first major cloud provider to achieve ISO 42001 certification for AI services. We’re active participants in OWASP, the Coalition for Secure AI, and the Frontier Model Forum. And we co-founded the Open Cybersecurity Schema Framework (OCSF) to enable better threat intelligence sharing across the ecosystem. The AWS Nitro System provides mathematically proven isolation for workloads. Systems and services like KMS, Nitro, EKS, and Lambda are designed with zero-operator access architectures, meaning AWS personnel can’t access your data. These aren’t aspirational goals. They’re how we operate today, at scale, every day.

Amazon Bedrock is where these principles come to life for AI. Bedrock provides policy-enforced access controls, built-in evaluation tools to measure how effectively models identify and validate vulnerabilities, and the ability to run workloads inside your own virtual private cloud. AWS is also the first cloud provider to achieve FedRAMP High and Department of Defense Security Requirements Guide Impact Level 4 and 5 authorizations for generally available Claude foundation models. Amazon Bedrock is already where the most security-sensitive organizations trust Anthropic’s technology, and it makes perfect sense for Claude Mythos Preview.

How to get started today

The same principles that guide our work at AWS scale apply regardless of which AI tools you’re using: comprehensive observability, defense in depth, automation where it adds value, and human judgment where it’s essential. Here’s how to put them into practice.

Prepare for the next generation of AI security. Claude Mythos Preview signals an upcoming wave of AI models that will transform cybersecurity. Start strengthening your security posture now so your organization is ready as these capabilities become more broadly available. Claude Mythos Preview is available in gated preview through Amazon Bedrock, and access is limited to an initial allow-list of organizations. If your organization has been allow-listed, your AWS account team will reach out directly.

Run on-demand penetration testing with AWS Security Agent. Now generally available, AWS Security Agent delivers autonomous penetration testing that operates 24/7 at a fraction of the cost of manual penetration tests. It transforms penetration testing from a periodic bottleneck into an on-demand capability that scales with your development velocity across AWS, Azure, GCP, other cloud providers, and on-premises. AWS Security Agent represents a new class of frontier agents: autonomous systems that work independently to achieve goals, scale to tackle concurrent tasks, and run persistently without constant human oversight. It deploys specialized AI agents to discover, validate, and report security vulnerabilities through sophisticated multi-step scenarios. Unlike traditional scanners that generate findings without validation, AWS Security Agent identifies potential vulnerabilities, then attempts to exploit them with targeted payloads and attack chains to confirm they are legitimate security risks. Each finding includes CVSS risk scores, application-specific severity ratings, detailed reproduction steps, and remediation suggestions. The result: penetration testing that once took weeks now completes in hours, scales across your entire application portfolio, and helps you get started with remediation instead of leaving you with a report. New customers can explore AWS Security Agent with a 2-month free trial.

Build AI applications you can trust with Amazon Bedrock. For teams building with generative AI, the challenge isn’t just making AI work, it’s making AI work safely. Amazon Bedrock provides the security and safety controls you need to deploy AI responsibly. Its Automated Reasoning capability is the first and only AI safeguard to use formal logic to help prevent factual errors from hallucinations, providing verifiable explanations with 99% accuracy, a capability we’ve refined over more than a decade of applying formal methods across AWS storage, identity, and networking. Amazon Bedrock also provides customizable guardrails that block harmful content and enforce your content policies, along with comprehensive observability to track AI behavior and detect anomalies across your workloads.

The threat landscape isn’t waiting

The threat landscape isn’t waiting for us to catch up. Nation-state actors, ransomware operators, and supply chain attackers are already using AI to scale their operations. Our job is to stay ahead by building defenses first, deploying them at scale, and sharing what we learn so the entire community benefits.

That’s what we do every day at AWS. We build in security from the start, ensuring it works and scales before we ask customers to rely on it. We set standards rather than follow them. And we look around corners to address tomorrow’s challenges today.

As AI capabilities continue to evolve, this approach won’t change. We’ll keep building defenses first, refining them at scale, and working with partners like Anthropic to ensure the next generation of AI security tools meets the real-world needs of enterprises defending at this scale.

Learn More

If you have feedback about this post, submit comments in the Comments section below.

Amy Herzog

Amy Herzog is Vice President and Chief Information Security Officer (CISO) at Amazon Web Services (AWS) where she leads a global organization of cloud security professionals in a company in which security is the top priority. Prior to joining AWS, Amy served as CISO for Amazon’s Devices and Services, Media and Entertainment, and Advertising businesses, overseeing the security of consumer technology offerings such as Alexa+ and Ring, and playing a key role in the secure development of Project Kuiper, Amazon’s initiative to provide fast, reliable broadband to customers and communities around the world through low earth orbit satellites.

Building AI infrastructure the Community-First way in Canada

7 April 2026 at 20:00

For more than 40 years, Microsoft has supported and scaled Canadian innovation. Now, with more than 5,300 employees and 11 offices across Canada, Microsoft Canada’s technology ecosystem is a trusted partner and key driver of economic opportunity across the country, with $60 billion contributed to Canada’s GDP each year through our cloud customers and partner network and more than 426,000 jobs supported—over 2% of Canada’s workforce.  

As we look ahead, we are proud to be building the critical infrastructure Canada needs to power its digital future. 

In December 2025, Microsoft announced the largest investment in our history in Canada, a $19 billion commitment between 2023 and 2027 to expand cloud and AI infrastructure, strengthen digital sovereignty, advance cybersecurity, and support skills and jobs for Canadians. 

Today, as we move from investment to implementation, we want to share how we are putting those commitments into practice through a Community-First approach to AI infrastructure, one that is globally consistent in principle and delivered in ways that reflect Canada’s communities, institutions, and priorities. 

Community First, Built for Canada 

AI infrastructure brings enormous opportunity. But we know Canadians also have real questions about affordability, energy and water use, jobs, and the impact large-scale infrastructure has on local communities. 

Those questions matter. Technological progress only works when communities see themselves in the benefits.  

At Microsoft, we believe communities should share in the benefits of AI infrastructure, and they should not bear the costs. That belief is reflected in five CommunityFirst principles that guide how we build and operate datacentres around the world—and how we partner locally in Canada: 

Together, these principles shape how we build and operate our datacentres across Ontario and Québec and how we partner with governments, utilities, educators, community organizations, labour groups, and local nonprofits.

Below, we outline what each principle means in practice and the concrete steps we are taking to put these commitments into action here in Canada.

Paying our way on electricity

As Canada expands AI and cloud capacity, electricity systems are under pressure. Microsoft is committed to ensuring that our datacentres do not increase electricity prices for Canadians. In practical terms, this means that our infrastructure growth must be matched by responsible planning, full cost recovery, and investments that support long-term system reliability.

While electricity systems are provincially governed and solutions vary by region, our commitment is consistent across the country: AI infrastructure growth must support grid resilience and affordability for communities.

To deliver on this principle, Microsoft will:

  • Work closely with provinces, utilities, system operators, and regulators to plan new supply in advance
  • Design and operate highly energy-efficient datacentres
  • Support public policies that advance affordable, reliable, and sustainable power
  • Pay the full cost of the electricity we use, including the cost of new generation, transmission, and grid upgrades

Our commitment in action

In Ontario and Québec, we are working closely with provincial governments, utilities, system operators, and regulators to align datacentre growth with planned investments in generation and transmission.

We pay the full cost of the electricity we use. We also continue to design and operate next-generation datacentres that are significantly more energy efficient, reducing the amount of energy required for each unit of computing while scaling to meet growing demand.

To date, we have also paid for substations and fully dedicated the substations and land to provincial utilities. By paying our full share and planning ahead, we aim to support Canada’s economic growth without overstressing the electric grid or shifting costs onto households or small businesses.

Managing water responsibly 

Canada’s cooler climate is a real advantage when it comes to water stewardship. In Ontario and Québec, our datacentres are designed with a reduction-first approach, relying primarily on outside air and using water for cooling less than 5% of the year. When water is used, it is cycled efficiently through the system multiple times and managed in compliance with local regulations. This results in relatively low projected water withdrawals that reflect both local conditions and responsible designs. 

Microsoft’s approach to water in Canada prioritizes: 

  • Minimizing potable water use through efficient design and advanced, industry-leading cooling technologies that maximize free air cooling, limiting the use of water 
  • Transparency and early engagement with provincial and local authorities on water decisions 

Where communities identify opportunities to strengthen local water systems, we believe infrastructure investment should contribute to broader watershed health, not compete with it. 

Our commitment in action 

To bring this principle to life, Microsoft is taking locally grounded steps to strengthen water systems in the Canadian communities where we operate. 

In Ontario and Québec, we will partner on regionspecific water projects that improve infrastructure resilience, restore watersheds, and support long-term stewardship. These projects, developed with local governments, conservation partners, and research institutions, include: 

  • Rainwater harvesting: We design our facilities to make use of what is already available. We’ve implemented rainwater harvesting that further offsets freshwater demand. Our onsite systems are projected to capture approximately 1.5 million litres of rainwater per year for use in datacentre operations. 
  • LEED Gold certification is incorporated into Canadian datacentre designs. All Canadian datacentres will be monitored throughout the construction lifecycle and will undergo the certification process as they near completion.  
  • Wetland and watershed restoration initiatives that improve water quality and reduce flood risk, including supporting Ducks Unlimited Canada to plant hundreds of trees and shrubs in the Lorette River Watershed. 
  • Projects that strengthen monitoring, conservation, and long-term ecosystem health, including a donation toward the preservation of 325 acres of wetland in the Niagara Escarpment. 

Together, these efforts reflect a reduction first approach: minimizing reliance on potable water in our datacentres while investing in the resilience of shared water systems communities depend on every day. 

Creating jobs and economic opportunity 

In Canada, Microsoft’s datacentre construction is delivered through unionized skilled trades labour, supporting high quality jobs, strong safety standards, and apprenticeship pathways. Beyond construction, our focus is on building durable pathways into longterm careers connected to AI infrastructure and the digital economy. Through partnerships with educators, workforce organizations, and labour groups, Microsoft is working to ensure that Canadians can access the jobs created by this investment. 

Our commitment in action

We are advancing this principle through several concrete steps: 

  • Increasing transparency: We will publish clearer information on the jobs created and local suppliers engaged at our Canadian datacentre sites. This will include aggregated national figures, with local detail available where appropriate, providing communities, governments, and stakeholders with a clearer picture of how AI infrastructure investment supports local economies. Microsoft’s datacentre builds in Canada employ approximately 2,000 individuals across sites during construction. Additionally, more than 400 Canadian businesses are involved during the construction phase. Once built and operational, Microsoft’s Canadian datacentres will employ approximately 250 FTEs, and approximately 400 contractors to maintain and operate its sites.  
  • Deepening labour partnerships: We will continue to work with Canadian trade unions and workforce organizations, leveraging existing North American relationships and Canadian labour expertise to support safe, skilled, and inclusive job creation. 

Contributing to local communities 

Datacentres are longterm investments. They contribute directly to municipal tax bases, helping fund essential public serviceswithout asking for special tax treatment. 

The arrival of a corporate citizen like Microsoft is a real benefit to our community in L’Ancienne-Lorette, particularly through significant contribution to municipal tax revenues. It also points to a positive impact on community engagement, with discussions already underway.” 

-  Gaétan Pageau, Mayor, City of L’Ancienne-Lorette

Strong communities are essential to sustainable growth. That is why Microsoft invests not only in infrastructure, but also in the social and economic foundations that support it.   

Our commitment in action 

Across Ontario and Québec, we are continuing to expand partnerships that support: 

  • Workforce training and economic inclusion, including digital skilling for underrepresented groups through NPower Canada 
  • Donations to support environmental conservation, restoration, and climate resilience projects with Ducks Unlimited Canada 
  • Digital access and community led innovation, including support for local community projects through the Microsoft community funds 

These investments help ensure that AI infrastructure contributes to the vitality of the communities where it is built.

Investing in skills and what comes next 

Infrastructure alone is not enough. The real opportunity comes when its benefits are widely shared. It is the foundation upon which others build: startups launching new ideas, researchers advancing discovery, educators preparing the next generation, and governments and communities solving real challenges. 

To fully realize the promise of AI, Canadians must have access to the skills, tools, and opportunities to participate in, and shape the AI economy. That means ensuring AI doesn’t remain concentrated in a few places or organizations, but instead diffuses across our economy and communities, empowering people in every sector to innovate, build, and lead. 

Our commitment in action 

Microsoft is announcing several new Canada specific actions to expand access to AI and digital skills: 

  • Launching national AI skilling initiatives: Through Microsoft Elevate, we are launching a new National AI Skilling Grant with Digital Moment to expand AI Education Training, delivering free, bilingual AI workshops and classroom ready resources to 20,000 educators and students across the country. 
  • Advancing Indigenous AI fluency: Microsoft Elevate is partnering with Ampere and the Pinnguaq Foundation to further support Indigenous AI Fluency and Workforce Readiness Hubs – a national network of 13 makerspaces supporting AI learning, data privacy, and workforce readiness for youth and communities, including integration supporting teachers and students in Nunavut’s K–12 and post-secondary education system. 
  • Empowering the nonprofit sector: In Canada, we are launching Microsoft Elevate for Changemakers and AI for Nonprofits credential through a community-led approach in partnership with Canadian Centre for Nonprofit Digital Resilience (CCNDR) and Digital Moment. CCNDR anchors the work in nonprofit trust, sector insight, and national reach, while Digital Moment will lead with high quality training and delivery in both official languages. Together, this new credential will equip 5,000 nonprofit professionals and leaders across Canada with practical, responsible AI skills they can apply immediately in their work. 

Building the future, together 

AI infrastructure is most powerful when it is built with trust, transparency, and partnership. That is why our approach starts and ends with communities. We are committed to building AI infrastructure in Canada in a way that earns trust, supports local priorities, and strengthens long term prosperity. As this work continues, we will keep listening, learning, and engagingbecause building the future of AI means building it with communities, not just in them. 

 

 

The post Building AI infrastructure the Community-First way in Canada appeared first on Microsoft On the Issues.

Working constructively with the UK CMA to support customer choice and cloud competition

31 March 2026 at 13:09

Today we are sharing news about important changes we are making in our cloud services offerings in the United Kingdom. These changes address issues the Competition and Markets Authority (CMA) has raised and  reviewed as part of its Cloud Market Investigation Report, announced in July 2025.

In conjunction with the CMA’s extensive review, today’s changes will apply to UK customers using Microsoft Azure. The changes address the CMA’s commitment to ensuring that UK customers can continue to move, deploy, and operate their workloads in the clouds of their choice with confidence, flexibility, and ever-reduced friction. The changes are focused on data egress, switching, and interoperability, and are described in a more detailed fact sheet accompanying this statement. We will implement all these changes promptly. We will also proactively share information about these changes with other regulators around the world.

We recognize that the CMA will continue to review and assess additional issues relating to our products and services, including in the business software market. We are committed to working quickly and constructively to address these issues, including by providing all the information the CMA needs to move forward with its reviews.

The cloud and AI markets continue to change at an unprecedented pace. The cloud market itself remains intensely competitive, with large investments by Amazon, Google, Oracle, and new neo-cloud entrants and, ironically, with Google, a complainant in this review, growing faster in the last quarter of 2025 than Amazon or Microsoft.

Especially in times of such dynamic change, a thorough regulatory review requires rapid access to real-world market data and customer input. This is the only way regulators can act in a targeted and agile manner that brings faster changes to the market while fostering continued innovation and investment. This type of work always requires dialogue on both sides. We appreciate the opportunity we have had for direct and constructive conversations with the CMA and its staff and look forward to an ongoing dialogue in relation to relevant cloud issues in the future.

Microsoft has long been committed to addressing the competition and antitrust issues raised by regulators and enforcement agencies through constructive engagement, transparency, and a willingness to address concerns promptly and in practical ways. We believe this has served our shareholders and customers well, avoiding protracted litigation, legal defeats, and large fines.

 

The post Working constructively with the UK CMA to support customer choice and cloud competition appeared first on Microsoft On the Issues.

Empowering the nonprofit sector to meet tomorrow’s challenges 

25 March 2026 at 16:30

As we welcome more than 1,500 nonprofit leaders from around the world to Microsoft’s Global Nonprofit Leaders Summit, we are reminded of the extraordinary work nonprofit organizations do every day to strengthen communities and expand opportunity. Today’s gathering comes at a pivotal moment, as nonprofits confront a new set of questions: How can AI help them serve their communities more effectively? And how do they build the skills and capacity to lead this change from within?

Major technological transitions rarely unfold evenly. As AI diffuses across economies and sectors, it creates new opportunities, but it also introduces significant disruption for workers, families, and communities. Nonprofits are uniquely positioned to drive meaningful change in today’s world. They are the organizations people turn to first to support people as they develop new skills, find new pathways to employment, and stay connected to the systems that sustain them.

To help them maximize their impact with greater scale and efficiency, today we are announcing Microsoft Elevate for Changemakers, a new initiative that provides nonprofit leaders with essential AI credentials, access to a strong peer community, and role-based capacity-building resources. This program is designed to empower those at the forefront of social challenges to confidently lead AI adoption in ways that reflect their missions and the communities they serve.

This new program is part of our broader Microsoft Elevate commitment to ensure people can thrive in the AI economy and reflects Microsoft’s 50-year legacy of supporting nonprofits. As an organization, we are proud to partner with nearly one million nonprofits and education systems globally, and in the next year alone we will deliver more than $5 billion in discounts, donations, and grants to help nonprofit organizations address community needs.

Backed by Microsoft’s pledge to ensure everyone has opportunity in the AI era, Microsoft Elevate for Changemakers helps ensure that those working closest to community challenges remain at the leading edge of AI-powered solutions.

The new Microsoft Elevate for Changemakers program includes: 

  • AI for Nonprofits credential: The AI for Nonprofits credential is a professional certificate, developed with LinkedIn and NetHope, that gives participants a clear, structured learning path built around the real work happening across the nonprofit sector. Earners receive a LinkedIn professional certificate, providing formal recognition of their growing expertise and their commitment to responsible AI use in their organizations.
  • Live and on-demand AI training to build capacity: Practical skills training built around real nonprofit work, not generic AI content repackaged for the sector. From Copilot fundamentals to change management to responsible AI governance, every module is designed to simplify workflows for nonprofits and help them do more with ease.
  • A Changemaker Fellowship, a global program for nonprofit professionals at organizations with actionable AI projects ready to advance their missions. This fellowship provides the essential resources, investment, and expert guidance needed to turn AI ambition into lasting impact. Fellows will join a worldwide cohort, create and implement responsible AI adoption plans, develop critical technical and change management skills, and connect with a trusted network of nonprofit AI leaders—all with support from Microsoft and launch partners, including EY and Caribou. The Changemaker Fellowship is now open to nonprofits of all backgrounds.

Those ready to make a difference with AI can register their interest today at Aka.ms/MicrosoftElevateforChangemakers.

Transforming possibilities by empowering nonprofits

At its best, AI should expand human agency rather than replace it. The real opportunity is to give people more capacity to solve problems, build new ideas, and strengthen the communities around them.

Across the nonprofit sector, this is already taking shape in practical ways:

  • Enriching staff time. Much of a typical nonprofit employee week does not directly contribute to the mission work. In fact, research finds that nearly half of nonprofit organizations still use manual data entry and spreadsheets for compliance documentation, meeting summaries, case notes, and other operations. AI reduces that burden in ways that are already real and measurable, giving people more of their week back for the work they came to do. ARCare, a healthcare provider in underserved communities across Arkansas, Kentucky, and Mississippi, is already seeing the benefits of its use of AI technology. With AI handling administrative tasks, staff spend less time on data collection and more time on patient care, and they estimate they have eliminated 6–8 hours a day of manual tasks.
  • Delivering more impactful programs. AI gives nonprofits the ability to scale what works without losing what makes it work. Opportunity International is using AI to scale impact through a local language chatbot to provide farmers with instant agricultural guidance, overcoming literacy barriers and dramatically expanding reach. By making critical knowledge accessible, AI frees frontline teams to focus on relationships, mentoring, and the long-term change that traditional programs alone can’t achieve.
  • Engaging supporters and funders more effectively. Raising funds, obtaining grants, and building donor relationships are often the most important strategic priorities—and challenges—for nonprofits that are facing growing demand for services at a time of economic uncertainty. AI doesn’t replace donor relationships. It gives the people managing those relationships more time and capacity to focus on what builds them. Head Start Homes found that as AI increased their organizational bandwidth, they could scale programs and attract new funding.
  • Transforming operations. AI gives nonprofits the ability to innovate and optimize how they work, bringing greater security, sharper data, and more informed decision-making to every part of the organization. The result is less time spent managing complexity and more capacity directed toward results. The social housing organization, de Alliantie, is a good example. Using AI has allowed de Alliantie to boost efficiency while keeping a human-centered approach to housing support at the center of everything they do. With more than 3,000 calls coming in each week for housing support, using an AI chatbot allowed call center staff to help more people, because the goal was never efficiency for its own sake. It was to make sure the human benefit always comes first.

These real stories of AI empowering mission-driven organizations are made possible by dedicated individuals within nonprofits who are stepping forward to lead transformative change, often without formal recognition or an official mandate. It is their willingness to embrace new technology, learn new skills, and champion responsible AI adoption that is propelling the sector forward.

The work ahead

The millions of global changemakers, volunteers, and leaders across the nonprofit sector are redefining what is possible, ensuring that AI serves as a tool to amplify human capacity and purpose, rather than replace it. Their commitment and leadership are the driving force behind a future where nonprofits harness AI to deliver greater impact, deepen relationships, and strengthen communities.

The path forward will be shaped by the strength and leadership of the nonprofit sector. Every day, these organizations demonstrate what it means to stay close to communities, respond in moments of change, and help people navigate uncertainty with trust and consistency.

That is what makes this moment different. As AI becomes more widely adopted, the organizations best positioned to ensure its benefits are broadly shared are the ones already doing this work.

At Microsoft, we are building on a tradition of support for this sector that began five decades ago with our founder and continues today. Ours is a long-term commitment. Not just as a technology partner, but as part of a broader effort to help ensure the benefits of AI reach the communities nonprofits serve. We will continue investing in the capacity, tools, and partnerships that support this work and look forward to building what comes next together.

The post Empowering the nonprofit sector to meet tomorrow’s challenges  appeared first on Microsoft On the Issues.

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

Blogs

Blog

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

At RSA Conference 2026, Flashpoint introduces new capabilities that enable security teams to move from visibility to defensible action by connecting adversary activity to business priorities, assets, and investigations.

SHARE THIS:
Default Author Image
March 23, 2026

Most organizations are not lacking visibility, but they are drowning in large volumes of information that are difficult to prioritize and even harder to tie back to clear action. In practice, this creates a familiar problem.

They can see what vulnerabilities exist.
They can track threat activity.
They can monitor alerts across their environment.

But the questions they struggle to answer are more important:

Which of these exposures actually matter?
What do we fix first — and why?
How does this activity translate to risk for the business?

As a result, teams fall back on patching cycles, compliance requirements, or best-effort prioritization and are left making decisions based on incomplete context.

This gap between data and decision-making has become one of the most persistent challenges in modern security operations.

At RSA Conference 2026, Flashpoint is sharing how we are addressing this gap directly — connecting adversary activity to assets, investigations, and defined business priorities so teams can make more consistent, defensible decisions.

“The industry has reached a tipping point where security teams are drowning in data that fails to align with their most important business requirements and decisions. Visibility alone is no longer a victory; it’s a baseline. By connecting underground adversary activity to an organization’s specific attack surface and strategic requirements, Flashpoint is raising the bar beyond passive observation. We are enabling defenders to stop asking ‘what do we own’ and start answering ‘what do we fix first, and why,’ turning raw data into an engine for risk reduction at speed.”

Josh Lefkowitz

What Flashpoint is Showcasing at RSA Conference 2026

Flashpoint is introducing a set of capabilities designed to connect threat intelligence directly to business risk, assets, and investigations:

  • Threat-informed External Attack Surface Management (EASM)
  • Business-Aligned Priority Intelligence Requirements (PIRs)
  • Managed Attribution browser for anonymous investigations

Together, these capabilities enable organizations to move beyond passive monitoring and toward intelligence-driven action.

What Is Threat-Informed External Attack Surface Management (EASM)

Most organizations maintain an inventory of their external assets, but prioritizing them is a persistent challenge. Traditional EASM tools identify what you own but often fail to answer the critical “so what?”. Without contextual risk, prioritization is often driven by static severity scores, patch cycles, or compliance requirements rather than real-world attacker behavior. As a result, teams are left managing stale data through manual CSV uploads and struggling to determine which exposures actually matter.

Flashpoint’s EASM module transforms this stream of exposure data into a prioritized action plan. It continuously discovers a customer’s external attack surface, including domains, subdomains, and IP addresses, and automatically maps this live inventory directly to Flashpoint’s industry-leading vulnerability intelligence.

This allows security teams to:

  • Maintain a Dynamic Inventory: Eliminate manual uploads and stale CMDB exports with an always-current map of internet-facing assets.
  • Contextualize Risk Immediately: Go beyond simple asset discovery by mapping the specific software running on each asset to known vulnerabilities, including pre-NVD findings.
  • Prioritize with Precision: Connect the asset to the actual risk, showing teams not just their external exposure, but where they are truly vulnerable and what needs to be fixed first.

By layering deep vulnerability intelligence onto live asset discovery, Flashpoint enables defenders to move from reactive analysis to proactive, intelligence-driven risk reduction.

Why Priority Intelligence Requirements (PIRs) Are Foundational

Many intelligence teams operate without a formal structure that defines what their work is intended to support.

In day-to-day operations, this results in:

  • Reactive investigation of incoming alerts
  • Reporting driven by the availability of information rather than the need
  • Difficulty demonstrating how intelligence outputs influence decisions

Priority Intelligence Requirements (PIRs) are designed to address this, but in many organizations, they are not integrated into operational workflows.

In May, Flashpoint is introducing in-platform Intelligence Requirements to formalize this structure and embed it directly into the way teams work.

Alerts, investigations, and reporting can be tied to defined requirements, allowing teams to:

  • Focus on activities that directly align with defined business risk priorities
  • Maintain consistency in what is tracked and reported
  • Provide a clearer justification for the intelligence work being done

This creates a more structured intelligence program. Instead of producing outputs based on what is observed, teams can align their work to defined objectives and decision-making needs.

Enabling Safe, Scalable Investigations with Managed Attribution

Accessing adversary-controlled environments such as forums, marketplaces, and encrypted platforms is a core part of many intelligence workflows.

However, doing so safely requires careful setup. Analysts typically need to:

  • Use isolated infrastructure
  • Manage attribution and identity exposure
  • Avoid introducing risk to internal systems

This creates operational overhead and can slow down or limit investigation.

The new anonymous browser capability within Flashpoint Managed Attribution is designed to address this by providing a non-persistent, isolated environment for research and immediate triage. This removes setup friction and allows analysts to move immediately from detection, to investigation, to deeper analysis in the same environment.

Analysts can:

  • Access underground communities
  • Open suspicious links or files
  • Engage with threat actors

Without exposing their identity or internal infrastructure.

By removing the need for manual setup, this allows analysts to move directly into investigation while maintaining operational security. 

See it at RSA Conference 2026

Security teams are being asked to do more than identify threats. They are expected to prioritize, act decisively, and justify those decisions.

That becomes difficult when the inputs — vulnerabilities, alerts, threat reporting — are not clearly connected to each other or to the business.

​​Intelligence needs to be tied to assets, aligned to defined priorities, and usable in day-to-day workflows. That’s the focus of Flashpoint’s updates this year.

At RSA Conference 2026, we’ll be walking through how this works in practice—how teams are connecting adversary activity to what they own, what matters, and what they do next. Flashpoint will be sharing more on these new innovations, including threat-informed EASM, in-platform Intelligence Requirements, and the Managed Attribution browser.If you’re attending, stop by Booth S-3341 to see how teams are moving from visibility to action. For a personalized demo, schedule a meeting with us.

Frequently Asked Questions

What is Flashpoint showcasing at RSA 2026? 

Flashpoint is showcasing how its primary-source threat data connects directly to business assets and priorities. At the booth, attendees can get a sneak peek of the upcoming in-platform Priority Intelligence Requirements (PIRs), which formalize how security teams tie investigations to business risk. Flashpoint will also be discussing the upcoming general availability of threat-informed EASM for asset discovery and risk prioritization, alongside the Flashpoint Managed Attribution browser, designed for secure underground research.

What is Flashpoint Threat-Informed EASM? 

Flashpoint External Attack Surface Management (EASM) goes beyond simple asset discovery by automatically mapping your external footprint to our industry-leading vulnerability intelligence. This allows teams to prioritize remediation by identifying which software versions are actually running on key assets, flagging critical risks often missed by public databases.

How do Flashpoint Priority Intelligence Requirements (PIRs) help security teams? 

Flashpoint PIRs provide a formal in-platform structure that ties security alerts and investigations to specific business risks. This helps teams move away from reactive “activity-based” work and toward “decision-based” intelligence that is defensible to executive stakeholders.

What are the benefits of the Flashpoint Managed Attribution browser? 

The Flashpoint Managed Attribution browser allows threat analysts to safely research the web using a disposable, anonymous environment. This prevents the analyst’s identity from being exposed and protects the corporate network from malware while conducting underground research.

How does Flashpoint’s new offering support a Continuous Threat Exposure Management (CTEM) framework?

Flashpoint facilitates the CTEM lifecycle by providing the primary source data necessary to move beyond traditional point-in-time scanning. EASM enables organizations to start focusing on the specific vulnerable software and high-risk exposures that threat actors are actively targeting.

Begin your free trial today.

The post Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026 appeared first on Flashpoint.

New findings show how hands-on support can improve water sector cybersecurity

19 March 2026 at 15:01

Cyber threats to water systems are no longer hypothetical. When attacks succeed, communities can face loss of trust, safety concerns, or service disruptions.

Today, Microsoft, in collaboration with the Cyber Readiness Institute (CRI) and the Center on Cyber Technology and Innovation (CCTI), is releasing a report that examines both the urgency of this challenge and what it will take to close the cyber readiness gap in the water sector. The report draws on a pilot program that provided water and wastewater utilities with practical cybersecurity training paired with hands‑on coaching, testing whether real-world support can meaningfully improve cyber readiness.

The findings point to a clear conclusion: improving cyber resilience in the water sector is achievable when training is paired with hands-on support and delivered through trusted sector partners. Because of the success of this pilot, the program is now a permanent offering, giving water utilities continued access to practical training and support to strengthen cyber resilience and better protect their communities from evolving threats.

Why cyber resilience in the water sector matters now

Water and wastewater utilities underpin public health, economic activity, and community resilience across all critical infrastructure. Yet recent assessments from the U.S. intelligence community and public reporting on cyber incidents underscore how exposed many systems remain. Even larger, well-resourced utilities have experienced cyber incidents, highlighting vulnerabilities that are far more pronounced among smaller operators serving rural and underserved communities.

Awareness of cyber risk is growing, but awareness is not preparedness. The challenge is how to move from growing awareness to sustained, operational readiness, especially for utilities with limited time, funding, and technical capacity.

What the pilot set out to test and what it showed

The CRI pilot was designed to answer a practical question facing the water sector: can accessible, behavior‑focused cybersecurity training paired with hands‑on support meaningfully improve cyber readiness?

Participating utilities used CRI’s free Cyber Readiness Program, which focuses on core cybersecurity practices such as strong authentication, software updates, phishing awareness, and secure data handling. Utilities also had access to CRI Certified Cyber Coaches, who worked directly with designated “Cyber Leaders” inside utilities to help translate training into policies, playbooks, and incident response planning. This model paired accessible training with personalized support to help utilities make meaningful progress despite resource constraints. The pilot revealed three clear findings about what helps and what limits cyber readiness in the water sector.

  • CRI program improves readiness: Participating utilities reported stronger cybersecurity fundamentals, greater confidence responding to incidents, and the identification of previously undocumented, yet critical, gaps such as missing continuity plans and weak password practices.
  • Hands-on support accelerates success: Utilities paired with a CRI‑certified coach were significantly more likely to complete the program than those participating on a self‑paced basis.
  • Demand exceeds capacity: While interest in cybersecurity support is high, staffing shortages, limited funding, and dependence on third-party vendors continue to limit utilities’ ability to fully implement improvements. Participation data helps explain this finding: of the 113 utilities that expressed initial interest, 72 began the program and 43 completed it.

Implications for policymakers and the ecosystem

The findings point to a central takeaway for policymakers and the ecosystem: improving cybersecurity outcomes requires moving beyond sharing information to providing hands-on support that helps utilities implement and sustain change.

  • Free resources are necessary but not enough: No-cost guidance alone cannot overcome staffing and funding constraints. Effective programs must include implementation support, like cyber coaches, to drive real outcomes.
  • Incentives increase participation: Tying cybersecurity training to operator licensing or continuing education requirements helps embed cyber readiness into routine professional development.
  • Trusted messengers drive engagement: Participation and completion were highest when programs were facilitated through established sector associations and networks that utilities already trust.

A path forward through collaboration

The lesson from this pilot is clear: cyber readiness improves when training is paired with hands‑on support and facilitated through trusted partners. But the findings also underscore a broader reality: lasting progress will require moving beyond information sharing toward approaches that build real, sustained capacity building on the ground.

At Microsoft, this work reflects a practical commitment to supporting cyber resilience across critical infrastructure, helping to move from awareness to action. Addressing the challenges identified in this report will require continued collaboration among policymakers, sector associations, nonprofits, and the private sector.

This work also complements Microsoft’s broader commitment to be water positive, including minimizing our water use and replenishing more water than we consume[1][2], by helping strengthen the resilience of the water systems and utilities that serve communities. Supporting practical cyber readiness is one way we can contribute to more resilient water systems for the future.

[1] Sustainability | Microsoft

[2] Building Community-First AI Infrastructure – Microsoft On the Issues

The post New findings show how hands-on support can improve water sector cybersecurity appeared first on Microsoft On the Issues.

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

SHARE THIS:

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through May 4.

Latest Update: Escalation Across Maritime, Cyber, and Economic Domains (Last 24–48 Hours)

The conflict has entered a phase of direct maritime and economic confrontation, with both kinetic and cyber activity intensifying in parallel.

Following the collapse of diplomatic efforts, the United States has formally initiated a naval blockade of Iranian ports, while Iran has responded by deploying midget submarines and reportedly mining key transit routes in the Strait of Hormuz. These developments signal a shift from pressure on infrastructure to direct control over regional shipping and energy flows.

At the same time, cyber operations have escalated beyond disruption into claims of large-scale destructive activity targeting industrial and government systems across the Gulf. While some of these claims remain unverified, the volume and nature of activity indicate a sustained effort to degrade both public-sector and commercial infrastructure.

Timeline of Key Developments

May 4
~06:00 UTC
CENTCOM announces the commencement of “Project Freedom” to secure maritime transit through the Strait of Hormuz.
~08:30 UTC
The IRGC Navy declares a new operational control sector in the Strait, warning that vessels failing to coordinate transit will be “stopped with force”.
10:15 UTC
Iran launches a barrage of four cruise missiles toward the UAE; three are intercepted by UAE air defenses while one falls into the sea.
11:00 UTC
A drone strike targets an ADNOC oil tanker in the Gulf.
13:45 UTC
The South Korean Ministry of Foreign Affairs confirms a South Korean vessel was struck in its engine room while transiting the Strait.
15:30 UTC
Handala Hack announces “Operation Premature Death,” releasing the names and ranks of 400 US Navy officers.
17:00 UTC
IRGC releases footage purportedly showing strikes on US vessels; CENTCOM dismisses these claims as false.

What This Means

This phase of the conflict reflects a shift toward combined economic and operational pressure:

  • Maritime control is now central: The blockade and countermeasures in the Strait of Hormuz introduce sustained risk to global shipping, energy transport, and supply chains.
  • Cyber operations are aligning with physical objectives: Activity targeting industrial systems and government infrastructure suggests an intent to create downstream operational disruption, not just visibility or signaling.
  • Private-sector exposure continues to expand: Western-linked infrastructure—particularly in energy, logistics, and cloud environments—remains within scope of both kinetic and cyber targeting.

Immediate Outlook (Next 48–72 Hours)

Further escalation is highly likely.

Iranian retaliatory activity may target US or Israeli assets in the near term, while continued pressure on maritime routes is expected to sustain volatility in global energy markets. At the same time, divergence among Western partners may create additional operational uncertainty, particularly for organizations relying on regional stability for logistics, infrastructure, or personnel movement.

How the Conflict Evolved

Since the opening strikes on February 28, the conflict has progressed through a series of rapid shifts—each expanding both the scope of targeting and the systems under pressure. What began as a tightly scoped military operation has developed into a sustained, multi-domain conflict affecting regional infrastructure, global markets, and private-sector operations.

This evolution is best understood not as a linear escalation, but as a sequence of overlapping phases that introduced new targets, new tactics, and new forms of risk.

Phase 1: Decapitation and Immediate Regional Spillover

(February 28)

The conflict began with a coordinated US–Israeli campaign targeting senior Iranian leadership and missile infrastructure. The objective was clear: degrade Iran’s ability to project force through its ballistic and air defense systems.

That containment window was brief.

Within hours, Iran launched retaliatory strikes across the Gulf, targeting US and allied military installations in Kuwait, Qatar, and Bahrain. Civilian and commercial systems were immediately affected, including flight disruptions in Dubai and early instability in maritime routes near the Strait of Hormuz.

From the outset, the conflict was regional—not bilateral—and it unfolded across military, commercial, and civilian environments simultaneously.

Phase 2: Regional Expansion and Civilian Exposure

(March 1–3)

Within the first 72 hours, the battlespace widened significantly.

Air operations extended directly over Tehran, signaling degradation of Iranian defensive capabilities. At the same time, new fronts emerged, including Hezbollah activity along Israel’s northern border. Targeting patterns began to shift, with incidents affecting civilian-adjacent infrastructure such as hotels, diplomatic sites, and transit hubs.

This period also marked the early alignment of cyber and information activity with kinetic operations. While still limited in impact, these efforts reflected a broader strategy: shaping disruption beyond the battlefield.

Phase 3: Infrastructure and System-Level Targeting

(March 5–10)

By early March, the conflict moved beyond military objectives and into the systems that sustain state and economic activity.

Energy infrastructure, power grids, logistics hubs, and financial systems became consistent points of pressure. Strikes on refineries and industrial complexes—combined with increasing instability in the Strait of Hormuz—introduced immediate consequences for global energy markets and supply chains.

This phase marked a structural shift. The conflict was no longer defined by territorial or military outcomes alone. It began to affect availability, access, and continuity across critical systems.

Phase 4: Commercial and Private-Sector Targeting

(March 11–13)

The targeting set expanded again—this time explicitly incorporating the private sector.

Iranian-aligned channels began publicly identifying Western technology, cloud, and financial firms as operational targets. In parallel, cyber activity moved deeper into enterprise environments, with disruptions affecting global companies and financial institutions.

At the same time, physical operations reinforced this shift:

  • Commercial shipping was targeted near the Strait of Hormuz
  • Banking operations were disrupted or preemptively shut down
  • Industrial facilities and refineries were forced offline

At this stage, economic pressure was no longer a byproduct of conflict—it had become a deliberate objective.

Phase 5: Hybrid Operations and Distributed Pressure

(Mid–Late March)

As kinetic operations continued, the conflict took on a more distributed and persistent character.

Cyber operations evolved in both scale and intent, expanding from disruption into data destruction, extortion, and psychological operations. Activity linked to groups such as Handala and broader proxy ecosystems demonstrated increasing coordination and willingness to target both regional and international entities.

At the same time, physical targeting patterns shifted toward long-term degradation:

  • Industrial production sites were struck
  • Ports and logistics corridors faced sustained pressure
  • Aviation hubs and transit infrastructure became recurring targets

This phase blurred traditional boundaries. Military, cyber, economic, and information operations were no longer distinct lines of effort—they were operating in parallel against overlapping targets.

A Conflict Without a Single Center of Gravity

By the end of March, the conflict had stabilized into a sustained, multi-domain environment defined by persistence rather than decisive escalation.

Military exchanges continue across multiple fronts, but the broader impact is shaped by pressure on:

  • Energy production and transport
  • Maritime and aviation corridors
  • Financial systems and commercial operations
  • Digital infrastructure and enterprise environments

Rather than converging toward resolution, the conflict has distributed risk across systems that extend well beyond the immediate region.

Phase 6: Economic Warfare Formalized and Maritime Escalation

(Late March – Early April)

By late March and into early April, economic pressure became formalized as a central objective of the conflict.

Maritime activity in and around the Strait of Hormuz shifted from disruption to active enforcement. Threats to commercial shipping intensified, while both state and proxy actors signaled a willingness to restrict or halt transit entirely. At the same time, targeting patterns expanded further into energy infrastructure, including gas production and refining capacity across the Gulf.

These developments introduced a new level of systemic risk. With a significant portion of global seaborne crude tied to the region, even partial disruption began to influence global pricing, supply planning, and downstream operations far beyond the Middle East.

Phase 7: Ceasefire Fracture and Persistent Hybrid Operations

(Early–Mid April)

Attempts at de-escalation introduced a new layer of complexity rather than stability.

While diplomatic efforts produced temporary pauses in kinetic activity, underlying objectives remained unresolved. In some cases, these pauses created space for continued operations in other domains. Cyber activity, in particular, showed no meaningful reduction, with Iranian-aligned groups continuing campaigns targeting infrastructure, government systems, and private-sector entities.

At the same time, friction points, especially in Lebanon, remained active. The exclusion of key actors from ceasefire terms contributed to continued localized escalation, reinforcing the decentralized nature of the conflict.

This period demonstrated that pauses in military activity do not equate to reduced risk across the broader threat landscape.

Phase 8: Direct Economic Targeting and Globalization of Risk

(Mid April and Beyond)

Following the breakdown of ceasefire dynamics, the conflict moved into a phase defined by direct economic targeting and broader international involvement.

US and allied actions began to focus more explicitly on constraining Iran’s financial and energy systems, while Iranian responses expanded to include threats against Western-affiliated commercial entities, academic institutions, and infrastructure beyond the immediate region.

At the same time, indicators of internationalization became more pronounced:

  • External actors providing military and technical support across sides
  • Cyber operations extending into Western and allied networks
  • Increased risk to global supply chains, energy markets, and financial systems

By this stage, the conflict was no longer confined to regional dynamics. It had evolved into a sustained pressure campaign with global economic and operational implications.

The Escalating Cyber and Information Front

From the earliest hours of the conflict, cyber operations have moved in parallel with kinetic activity—sometimes reinforcing it, and at other times extending its reach beyond the physical battlespace.

What has changed over time is not just the volume of activity, but the role cyber operations play within the broader campaign.

Early Phase: Disruption and Narrative Control

In the opening days, cyber activity focused primarily on disruption and influence.

Coordinated campaigns linked to pro-IRGC and pro-Russian-aligned groups targeted government websites, defense contractors, and public-facing services with distributed denial-of-service (DDoS) attacks and defacements. At the same time, information operations began to take shape, including the manipulation of widely used platforms such as the BadeSaba prayer app, where push notifications were leveraged to deliver messaging at scale.

These efforts were designed to create confusion, shape perception, and amplify the impact of concurrent military operations rather than cause lasting operational damage.

Expansion: Coordinated Campaigns and Infrastructure Access

As the conflict expanded regionally, cyber operations became more coordinated and more ambitious in scope.

Campaigns operating under banners such as #OpIsrael brought together loosely affiliated actors targeting infrastructure across Israel, the Gulf, and allied states. Claims during this period included access to industrial control systems, water infrastructure, and surveillance networks. While not all claims were independently verified, the consistency of targeting pointed to a broader intent: probing critical systems while signaling capability.

At the same time, verified activity—particularly from groups such as MuddyWater—demonstrated continued intrusion into aerospace, defense, and financial networks, reinforcing that espionage objectives remained active alongside disruption efforts.

Escalation: Enterprise Targeting and Data Destruction

By mid-March, cyber activity shifted again—this time toward enterprise environments and private-sector targets.

Incidents linked to groups such as Handala reflected a move beyond disruption into destructive operations. Reported activity included large-scale data wiping, exfiltration, and coordinated doxxing campaigns targeting individuals and organizations tied to Israeli or Western interests.

Equally significant was the reported use of “living-off-the-land” techniques, where attackers leveraged legitimate administrative tools within cloud environments to execute destructive actions. This approach reduces reliance on traditional malware and complicates detection, particularly for organizations dependent on signature-based defenses.

At this stage, cyber operations were no longer operating at the edges of the conflict. They were directly targeting the systems organizations rely on to operate.

Persistence Through Ceasefire: Cyber as a Continuous Pressure Mechanism

Subsequent developments demonstrated that cyber activity is not tied to the tempo of kinetic operations.

During periods of diplomatic pause, Iranian-aligned groups continued to operate with little observable reduction in activity. Public statements from groups such as Handala explicitly reinforced this posture, framing cyber operations as independent from military timelines.

At the same time, targeting patterns shifted rather than paused. Activity expanded to include:

  • Western and allied government systems
  • Critical infrastructure, including water and energy sectors
  • Commercial platforms and authentication systems

This reflects a broader strategic advantage: cyber operations allow actors to maintain pressure, test defenses, and shape outcomes without requiring direct military engagement.

Current State: Distributed, Adaptive, and Blended Operations

At present, cyber activity reflects a blend of objectives:

  • Espionage, particularly against defense and government networks
  • Disruption, including DDoS and service degradation
  • Destruction, through data wiping and system compromise
  • Psychological operations, leveraging public platforms and data exposure

These activities are carried out by a mix of state-linked groups, proxy actors, and loosely affiliated hacktivist networks, often operating with overlapping targets and messaging.

The result is a distributed and adaptive threat environment in which attribution is complex, timelines are compressed, and the boundary between state and non-state activity is increasingly blurred.

What This Signals

Cyber operations in this conflict are not a supporting element—they are a persistent layer of pressure that operates alongside and, at times, independently from physical conflict.

For organizations, this introduces a different type of risk:

  • Activity may continue even when kinetic conditions stabilize
  • Targeting may shift quickly across sectors and geographies
  • Detection becomes more difficult as attackers rely on legitimate tools and blended tradecraft

While cyber operations extend the reach of the conflict, the most immediate systemic pressure is emerging through physical and economic chokepoints—particularly in energy production and maritime transit.

Strategic Chokepoints and Systemic Risk

As the conflict expanded, physical targeting patterns converged around a small number of systems that carry disproportionate global impact: energy production, maritime transit, and regional mobility infrastructure.

Energy Infrastructure as a Primary Lever

Energy systems have emerged as one of the most consistently targeted elements of the conflict.

Strikes on refineries, gas facilities, and industrial complexes—combined with explicit threats against major Gulf energy assets—reflect a deliberate effort to constrain production and introduce volatility into global markets. Incidents affecting facilities in Saudi Arabia and the UAE, along with threats tied to Iran’s own production infrastructure, indicate that both sides view energy disruption as a means of exerting strategic pressure.

The scale of exposure is significant. A substantial portion of global seaborne crude transits through the region, and even partial disruption has immediate downstream effects on pricing, supply planning, and industrial operations.

This dynamic introduces a level of sensitivity that extends well beyond the region. Energy is a transmission mechanism for global economic impact.

Maritime Transit and the Strait of Hormuz

The Strait of Hormuz has remained the central chokepoint throughout the conflict.

From the earliest days, threats to shipping were used to signal escalation. Over time, those threats evolved into direct action, including strikes on commercial vessels, increased naval activity, and the positioning of maritime assets capable of restricting transit.

In later stages, this pressure became more formalized, with both state and proxy actors signaling a willingness to enforce constraints on shipping aligned with opposing interests. The result has been sustained disruption to maritime traffic, increased insurance and routing costs, and reduced throughput across one of the world’s most critical energy corridors.

For organizations dependent on global supply chains, the implications are immediate:

  • Longer transit times
  • Higher costs
  • Reduced predictability in delivery schedules

Even without a complete shutdown, sustained pressure on the Strait introduces ongoing friction into global trade flows.

Aviation and Regional Mobility

Airspace and aviation infrastructure have also been repeatedly affected.

Early in the conflict, flight suspensions and airport disruptions were driven by proximity to kinetic activity. As the conflict progressed, aviation hubs themselves became targets. Incidents near major transit centers—particularly in the Gulf—demonstrate both the vulnerability and strategic importance of these nodes.

Aviation serves as a critical connector for personnel movement, logistics, and high-value cargo. Disruption at major hubs does not remain localized; it cascades across international routes, affecting scheduling, capacity, and access.

In combination with maritime constraints, this creates a compounding effect: fewer viable routes, increased congestion elsewhere, and limited flexibility for organizations attempting to move people or goods.

Expansion to Commercial and Financial Systems

Over time, economic pressure extended beyond physical infrastructure into commercial and financial environments.

Public warnings and targeting signals began to include:

  • Banking institutions and financial districts
  • Commercial office locations tied to Western firms
  • Technology and cloud infrastructure hubs

In parallel, operational impacts became visible. Banking services were disrupted or preemptively suspended in parts of the Gulf, while threats against commercial centers introduced new considerations for business continuity and personnel safety.

This expansion reflects a shift in how the conflict defines “infrastructure.” It is no longer limited to energy or transport, as it also includes the systems that enable economic activity itself.

Business and Security Implications

As the conflict has expanded into energy systems, maritime corridors, aviation hubs, and commercial infrastructure, enterprise exposure is no longer limited to organizations with a direct regional footprint.

The targeting patterns observed throughout this conflict indicate that the systems underpinning global operations—logistics, cloud infrastructure, financial services, and workforce mobility—are all within scope.

For organizations, this introduces sustained operational friction rather than isolated disruption. Planning assumptions should shift accordingly.

Personnel and Physical Security

Exposure to physical risk has expanded beyond military installations into commercial environments.

Incidents affecting transit hubs, diplomatic facilities, and Western-linked commercial districts, combined with public warning lists identifying specific office locations in Jordan and the UAE, indicate that personnel operating in previously low-profile environments may now fall within the threat envelope.

This shift requires a more dynamic approach to workforce security.

Organizations should:

  • Reassess travel posture across the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia
  • Elevate security protocols at offices, hotels, and logistics sites
  • Reinforce operational security practices, including routine variation and reduced visibility of affiliation
  • Monitor diplomatic advisories and local threat reporting in near real time
  • Reevaluate occupancy and travel policies for personnel in named commercial and financial districts

Supply Chain, Energy, and Commercial Operations

Disruption is not limited to physical logistics. It now extends into the broader commercial operating environment.

Pressure on maritime transit through the Strait of Hormuz, combined with strikes on energy infrastructure and disruptions to financial services, creates a layered risk model: goods may not move, payments may not process, and operations may not continue as planned.

Organizations should plan for sustained instability rather than short-term interruption.

Priorities should include:

  • Modeling extended disruption to Gulf shipping routes
  • Identifying alternative logistics pathways, including overland options
  • Stress-testing supplier dependencies tied to energy inputs and regional ports
  • Preparing for price volatility and delivery delays
  • Assessing exposure to regional banking, payment processing, and financial services continuity

Cloud and Technology Infrastructure

The conflict has demonstrated that commercial technology infrastructure is not insulated from physical or cyber spillover.

The reported impact to cloud environments in the Gulf, combined with targeting signals directed at major technology providers, indicates that infrastructure supporting global applications may be exposed to localized disruption.

At the same time, strikes on regional communication and defense systems introduce additional risk to connectivity and resilience.

Organizations should:

  • Validate geographic redundancy for critical workloads
  • Confirm recovery timelines for regionally hosted environments
  • Review third-party dependencies tied to Gulf-based infrastructure
  • Ensure leadership understands cascading risks from localized outages
  • Evaluate exposure tied to physical proximity of offices, data centers, and regional tech hubs

ICS / OT Environments

Operational technology environments face elevated risk due to the convergence of cyber and physical targeting.

Claims involving industrial control systems—paired with demonstrated attacks on energy and logistics infrastructure—suggest that disruption may extend beyond IT systems into physical operations.

Organizations operating ICS/SCADA environments should prioritize resilience over detection alone.

Key actions include:

  • Auditing and restricting remote access pathways
  • Enforcing phishing-resistant MFA for privileged users
  • Segmenting industrial networks from corporate IT environments
  • Validating response plans for destructive or manipulative scenarios
  • Conducting exercises that assume loss of visibility or control

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

The post Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains appeared first on Flashpoint.

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

SHARE THIS:
Default Author Image
March 11, 2026

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

  • AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
  • 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
  • From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
  • Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

  1. A Clear Understanding of the New Convergence Between Identity and AI
    Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
  2. Intelligence on the “Franchise Model” of Global Extortion
    Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
  3. A Blueprint for Proactive Defense and Risk Mitigation
    Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Get Your Copy

The post Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report appeared first on Flashpoint.

Defending the gates: How a global coalition disrupted Tycoon 2FA, a major driver of initial access and large-scale online impersonation

4 March 2026 at 17:00

One email was all it took. An employee clicked what looked like a routine signin request. Behind the scenes, attackers swiped credentials, slipped past security controls, impersonated a trusted user, and gained access to critical systems. In other cases, similar intrusions delayed paychecks, rerouted invoices, stole sensitive data, locked up entire networks, interrupted patient care, and strained already tight budgets at schools and critical services. 

Those attacks were powered by Tycoon 2FA. Today, Microsoft, Europol, and industry partners announced a coordinated action to disrupt the service responsible for tens of millions of fraudulent emails reaching over 500,000 organizations each month worldwide. 

Disrupting a global phishing operation 

Active since at least 2023, Tycoon 2FA enabled thousands of cybercriminals to impersonate real users and gain unauthorized access to email and online service accounts, including Microsoft 365, Outlook, and Gmail. Unlike traditional phishing kits, Tycoon 2FA was designed to defeat additional security protections, including multifactor authentication, allowing cybercriminals to log in as legitimate users without triggering alerts, even on protected accounts. 

Acting under a court order from the U.S. District Court for the Southern District of New York, and for the first time in coordination with Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft seized 330 active domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages. The CIEP framework brought public and privatesector partners together to move from simply sharing intelligence to coordinated, crossborder action, accelerating disruption and limiting further harm. 

Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from followon attacks such as data theft, ransomware, business email compromise, and financial fraud. 

The scale and realworld impact of Tycoon 2FA 

By mid2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally.  

Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.  

Healthcare and education organizations were hit hardest. More than 100 members of HealthISAC, a global threat-sharing group for the health sector and a co-plaintiff in this case, were successfully phished. In New York alone, at least two hospitals, six municipal schools, and three universities faced attempted or successful compromise through Tycoon 2FA. These incidents had tangible consequences: disrupted operations, diverted resources, and delayed patient care.  

Why Tycoon 2FA was so dangerous 

Tycoon 2FA combined convincing phishing templates, realistic landing pages, and realtime capture of credentials and authentication codes into an easytouse package that scaled quickly. By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns. 

With each successful phishing victim, attackers could operate with the same level of trust as legitimate users moving laterally across systems, accessing sensitive data, and abusing signon connections without raising alarms. Research from Microsoft Threat Intelligence provides more details on how Tycoon 2FA operated. 

Dark‑themed admin dashboard showing security and login activity. At the top are summary cards for Total Visits (5), Valid (4), Invalid (2), and SSO (0). The center includes a donut chart comparing valid, invalid, and SSO logins, a bar chart of login websites with Microsoft highlighted, and a world map labeled “Visitors by Country.” Below, a table lists valid accounts with columns for email, website, browser, IP, country, 2FA status, and date, with action buttons such as “Copy Zip Pass” and “Download.”
The Tycoon 2FA customer dashboard.

This shift reflects a broader trend in cybercrime: identity, not infrastructure, has become the primary target. A single compromised account can now unlock banking systems, healthcare portals, workplace applications, and social media accounts. 

Inside the impersonation economy

Tycoon 2FA operated like a business within the broader impersonationforhire ecosystem. The primary developer, Saad Fridi, who is believed to be based in Pakistan, worked alongside partners responsible for marketing, payments, and technical support. 

Cybercriminals typically used Tycoon 2FA alongside other illicit services. While Tycoon 2FA captured credentials and session tokens, other services handled mass email delivery, malware distribution, hosting, and access monetization. For example, RedVDS, disrupted by Microsoft in January 2026, provided inexpensive virtual computers, which cybercriminals paired with Tycoon 2FA to deliver phishing campaigns. Together, these different services created an interconnected ecosystem for identitybased attacks. Disrupting one component can have cascading effects across the cybercrime economy. 

Sustained pressure reshapes the market 

Over the past 18 months, Microsoft’s Digital Crimes Unit has targeted multiple services that enable impersonation and initial access, including extensive disruption operations of Lumma StealerRaccoonO365Fake ONNX (aka “Caffeine”), and RedVDS. 

When widely used tools are disrupted, attackers are forced to adapt, often shifting to alternatives like Tycoon 2FA. This substitution pattern shows how sustained pressure prevents any single service from remaining dominant while steadily raising the cost and risk of cybercrime. 

These efforts have led to arrests in Egypt and Nigeria, complete service shutdowns, infrastructure loss, and reputational damage for operators beyond lawenforcement reach. RedVDS alone lost more than 95 percent of its infrastructure since January 2026, significantly degrading its ability to support mass impersonation campaigns and other online scams. 

As pressure increased, many operators tightened access controls, retreated into closed channels, or shut down entirely to avoid legal action. In Tycoon 2FA’s case, Microsoft could not purchase access to the service; the operator rejected attempts by our investigators, requiring a trusted intermediary. In fact, Tycoon 2FA’s operator and the nowarrested developer of RaccoonO365 communicated with one another, highlighting the ecosystem’s interdependence and how disruptions in one area influence activity elsewhere. 

Screenshot of a dark‑mode chat conversation interface. Multiple message bubbles discuss “2FA/MFA” services, with usernames such as “Raccoon0365,” “ItsPump,” and others visible. Messages reference choosing or not choosing a provider, friendship between groups, and competition between services. Timestamps appear next to messages, and emoji reactions are included.
Correspondence suggesting interactions between the operators of RaccoonO365 and Tycoon 2FA.

Global threats require global action 

Cybercrime operates across borders, and effective response must do the same. Disrupting Tycoon 2FA spanned multiple jurisdictions, underscoring why sustained, coordinated pressure is essential, especially as cybercrime becomes more scalable through automation and AI. 

Microsoft Threat Intelligence, joining many security researchers, identified Tycoon 2FA as one of the most significant threats to identity-based attacks. Microsoft’s Digital Crimes Unit consulted with Europol, which also tracked the actor based on intelligence supplied by TrendAI. Through the CIEP, Europol convened partners to take action. Microsoft worked with industry partners to pursue a coordinated infrastructure disruption, while law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom conducted seizures of infrastructure and carried out other operational measures linked to Tycoon 2FA. 

Industry partners, including ProofpointIntel 471, and eSentire, expanded visibility through telemetry, threat intelligence, and criminalforum insight. Cloudflare assisted by taking down infrastructure outside U.S. jurisdiction, while HealthISAC quantified impacts on healthcare organizations. SpyCloud contributed key victimology data, Resecurity facilitated access to Tycoon 2FA, and Coinbase helped trace the movement of stolen funds. Finally, the Shadowserver Foundation supported notifications to more than 200 computer emergency response teams worldwide, helping limit further harm. 

No single organization could have assembled this full picture alone.

Splash page appearing on seized domains.

Sustaining pressure, together 

Stopping identitybased cybercrime requires action across individuals, organizations, and governments. Multifactor authentication, scrutiny of unexpected messages, strong session controls, and coordinated threatsharing all reduce risk. Early enforcement matters tooit prevents small intrusions from escalating into systemic harm. Microsoft will continue applying the lessons learned from Tycoon 2FA and prior disruptions to fragment the impersonation economy, limit scale, and make cybercrime riskier and less profitable. 

The post Defending the gates: How a global coalition disrupted Tycoon 2FA, a major driver of initial access and large-scale online impersonation appeared first on Microsoft On the Issues.

Building an AI-Ready America: Teaching in the AI age

On Tuesday, February 23rd, Microsoft Senior Director of Education and Workforce Policy Allyson Knox testified before the House Education & Workforce Subcommittee on Early Childhood, Elementary, and Secondary Education. To view the proceedings, visit the committee’s website.

STATEMENT OF ALLYSON KNOX

SENIOR DIRECTOR OF EDUCATION AND WORKFORCE POLICY

MICROSOFT CORPORATION

BEFORE THE

EDUCATION AND WORKFORCE COMMITTEE

SUBCOMMITTEE ON EARLY CHILDHOOD, ELEMENTARY, AND SECONDARY EDUCATION

UNITED STATES HOUSE OF REPRESENTATIVES

“BUILDING AN AI-READY AMERICA: TEACHING IN THE AI AGE”

TUESDAY, FEBRUARY 24, 2026

WASHINGTON, D.C.

Good afternoon and thank you, Chairman Kiley, Ranking Member Bonamici, Members of the Subcommittee for inviting me to testify today. My name is Allyson Knox. I am Senior Director of Education and Workforce Policy at Microsoft, and I am pleased to have this opportunity to discuss issues related to artificial intelligence and its impact on teachers.

Today, I will share insights we have gathered from teachers about their experiences, challenges, and needs as they integrate AI in education; outline the steps Microsoft and other organizations are taking to facilitate this transition; and recommend legislative approaches to help policymakers strengthen these efforts. These legislative approaches include supporting professional development for teachers; encouraging public-private partnerships; promoting AI literacy; providing guidance on responsible AI use; and supporting innovation.

I would like to begin by quoting from Microsoft’s vice-chair and president, Brad Smith, in his recent foreword to Degrees of Change: What AI Means for Education and the Next Generation[i]:

“Generative AI has become the fastest-spreading technology in human history, adopted at a pace that even the most seasoned technologists could scarcely imagine. This speed is breathtaking, but it also compels us to pause and ask, “Are we ready for what comes next?” AI’s promise is extraordinary. It can help solve problems that have challenged humanity for decades—improving health outcomes, advancing education, and unlocking new opportunities for economic growth. But, like every transformative technology before it, AI brings new questions and new responsibilities.”

This thought-provoking quote is apt for today’s conversation on how AI is impacting teachers. The speed of AI adoption in our nation’s schools and classrooms is indeed breathtaking. Just three years ago, AI had barely made a mark in education. However, our 2025 Study on AI in Education found that 80% of U.S. K-12 teachers have used AI in their roles or for school-related purposes at least once or twice and one-fifth report daily use of AI. Additionally, 58% of K-12 teachers think AI usage at their school/district will increase in the next year.[ii]

What we are hearing from teachers on the impact of AI:

The breadth of adoption has been profound. We have heard directly from teachers who are using AI to streamline lesson planning, curriculum development, and personalize student learning in ways that were unimaginable a few years ago.[iii] AI is also reducing the time it takes to carry out administrative tasks, allowing more time for teachers to focus on their students.

Despite these benefits, we know teachers face challenges when it comes to AI in the classroom. We found roughly one in three teachers lack confidence in using AI effectively and responsibly. Many teachers also express concerns about how AI can exacerbate cheating and are worried about issues such as data privacy and student safety.

Teachers know AI is here to stay, and based upon countless surveys, forums, and focus groups, teachers are ready to tackle these challenges and ask for support in three main areas:

  1. AI literacy – Teachers want the skills, knowledge, and support to build AI literacy and critical thinking in their students;
  2. AI guardrails – Teachers want students to use AI responsibly and safely; and
  3. AI tools – Teachers want classroom-ready AI tools and opportunities to provide feedback that improve them.

I’m excited to share a few ways Microsoft, along with many of our partners, are committed to providing teachers with the support they are requesting.

1.AI literacy – Teachers want the skills, knowledge, and support to build AI literacy and critical thinking in their students

At the core of this support is listening to and learning from teachers and understanding what they want and need to become AI literate themselves and teach AI literacy to their students. These conversations have resulted in exciting initiatives, including the recent launch of the Microsoft Elevate for teachers program, part of the company’s broader commitment[iii] to help schools and educators build skills, expand opportunities, and ensure everyone benefits from AI.

Microsoft Elevate for Educators

The Microsoft Elevate for Educators program equips educators and school leaders with access to one of the world’s largest and most connected peer educator networks and offers free professional development resources. It will provide free access to a new industry-recognized credential for educators, developed in partnership with one of the leading national nonprofit focused on technology and innovation (ISTE+ASCD).[vi] This partnership is aligned to the AI Literacy Framework, which is intended to help educators gain confidence and expertise in integrating AI into their teaching and learning. As part of this work, we also support ISTE+ASCD in advancing AI in teacher preparation programs.

National Academy for AI Instruction

Along with OpenAI and Anthropic, we are supporting the National Academy for AI Instruction, through a partnership with the American Federation of Teachers and the United Federation of Teachers. The Academy describes itself as a national training hub designed by educators – shaping the future of AI in public education, grounded in safety and people-first technology, and improving student learning. From everything we have heard from teachers, this is exactly the type of support they need to promote AI literacy. The Academy also focuses on building critical thinking skills for students and educators.

Rob Weil, who heads up the Academy, recently shared an update on their work with me. He noted through direct engagement with teachers, they listen to what the primary concerns teachers have around using AI in the classroom are, and then work with them to design trainings that are directly responsive to their concerns and meet them where they are – including using whatever technology they are already using in their classroom.

Their goal is to train 400,000 teachers over the next 5 years. The Academy is centered around a “train the trainer” model, building capacity to provide AI literacy to teachers at scale – providing the potential of millions of teachers to benefit from this initiative. Weil noted that interest and participation in the Academy has been taking off, largely due to word of mouth. This month, 1,000 teachers showed up for a virtual session, and another in-person session was overprescribed had to turn away a hundred interested teachers.

Why the interest? Teachers want to learn from their peers and trusted partners; they also want to ensure they are using AI effectively and safely. Weil explained that one of the most popular aspects of the training is centered around the Academy’s Commonsense Guardrails for Using Advanced Technology in Schools,[v] which helps empower teachers to address the challenges they are facing in implementing AI. Some teachers describe AI as the wild-wild west, and this guide has helped provide a roadmap for understanding how to navigate bringing this technology into the classroom.

The trainings also provide real-world, hands-on experiences with using technology which teachers themselves are bringing to the table. At the trainings, teachers are asked what they could use the most help with and then have time to experiment with different tools to do things like start a draft of a lesson plan or an outline for a rubric – allowing them more time and flexibility to incorporate their expertise. In addition, the Academy creates opportunities for educators to influence the development of AI for schools.

Support for Special Education Teachers

We also recognize the potential that AI holds to support students with disabilities – and the need to ensure special education teachers have the support and resources to fully unlock this technology.

Recently, we launched a course to support educators in exploring how Microsoft AI tools can be thoughtfully used in special education environments to reduce administrative demands, strengthen accessibility, and support clear communication with families. Throughout the learning path, responsible use of AI, privacy, and transparency are emphasized so educators can determine when and how AI fits into their practice in ways that align with student needs and professional values.

After our engagements, we tailored our trainings to special education teachers by incorporating their direct feedback. Key topics included privacy with sensitive medical information and using AI to assist parents and caregivers in IEP meetings. We emphasized clear communication, parental inclusion, and ensuring parents understand the meeting’s goals and how best to support their children.

Finally, special education involves a collaborative team beyond just teachers, and we’ve revised our approach to address the needs of occupational therapists, physical therapists, and all other members involved in special education.

Support for Teachers in Rural America

We have found there’s a significant gap in daily AI usage by urban teachers versus their rural and suburban counterparts (39% vs. 24%).[iv] This gap underscores why ensuring AI tools, resources, and professional development are attuned to the needs of rural teachers is critical.

For the last five years, we’ve been working with the National Future Farmers of America (FFA) and agricultural science teachers to develop FarmBeats for Students and ensure it is responsive to agricultural science teachers’ needs. We engaged in an iterative process with them – collaboratively designing and building curriculum and training with agricultural science teachers from the very beginning of development.

FarmBeats for Students brings AI to agricultural education through a hands-on educational program that brings precision agriculture directly into the classroom. The program consists of an affordable hardware kit and a free curriculum aligned with rigorous educational standards. Activities give students direct experience with topics like digital sensors, data analysis, and AI.

We brought FarmBeats for Students to the National FFA convention and held a series of workshops with teachers across the country. They experimented with the kits and provided input to ensure this technology was directly responsive to what they wanted to see in the classroom.

In addition to our partnership with the National FFA, Microsoft helps meet the needs of rural teachers by deploying the online content referenced above through Elevate, as well as supporting community-based organizations that help facilitate activities and events which promote AI literacy in rural communities.

AI Literacy Frameworks, Standards, and Guidance

Teachers want frameworks that help them integrate AI into their classrooms. We are pleased there is bipartisan interest in establishing strong frameworks around AI and education, especially highlighting the need for widespread AI literacy. Microsoft has provided support, guidance, and input to organizations and initiatives such as Code.org and TeachAI who work to develop and promote frameworks, guidance, and standards.

Microsoft encourages state and local policymakers to review and leverage these resources as they incorporate AI in education:

  • The TeachAI Foundational Policies[vii]: This resource, endorsed by dozens of policy organizations and associations, provides practical guidance for national, state, and local leaders to harness AI’s benefits in teaching and learning while mitigating risks. The policies focus on five priorities—fostering leadership, promoting AI literacy, providing clear guidance, building educator capacity, and supporting responsible innovation—to ensure AI strengthens education systems and prepares learners for an AI‑enabled workforce.
  • The TeachAI AI Guidance for Schools Toolkit[viii]: The Toolkit helps education authorities, school leaders, and educators develop clear, responsible guidance for using AI in K–12 education, balancing potential benefits with risks such as privacy, bias, and academic integrity. It provides a practical framework, principles, sample policies, and communication templates to support safe and human‑centered AI adoption across school systems. The Toolkit has been used by the majority of states in constructing guidance for schools.
  • The AI Literacy Framework[ix]: The AI Literacy Framework defines the knowledge, skills, and attitudes students and educators need to understand, use, and critically evaluate AI in education. It is organized around four core domains—Engaging with AI, Creating with AI, Managing AI, and Designing AI—and emphasizes critical thinking, ethics, and human judgment alongside technical understanding. It also emphasizes the foundational computer science concepts that prepare students to not just use AI but understand how AI works and its societal impacts. The framework is designed to be interdisciplinary, practical, and durable, helping schools integrate AI literacy into curriculum, professional learning, and policy in age‑appropriate ways.

2.AI guardrails – Teachers want students to use AI responsibly and safely

We have heard from teachers that one of the greatest hesitations they have with AI is around safety for students. This includes ensuring AI tools used in the classroom protect student privacy, don’t collect their information, and are safe from a mental health perspective.

Some of the strategies teachers use to promote safety are a significant focus in the professional development referenced earlier. In addition, the frameworks include key components to help teachers understand responsible AI use.

Microsoft takes our responsibility as a developer and deployer of AI technology very seriously. Paramount to deploying this technology in classrooms is ensuring it is responsible. Microsoft has identified six principles that we believe should guide AI development and use.

  • Fairness: AI systems should treat all people fairly.
  • Reliability and Safety: AI systems should perform reliably and safely.
  • Privacy and Security: AI systems should be secure and respect privacy.
  • Inclusiveness: AI systems should empower everyone and engage all people.
  • Transparency: AI systems should be understandable.
  • Accountability: People should be accountable for AI systems.

These principles are the foundation for other tools and resources we share with teachers to provide guidelines for them to deploy AI in the classroom.

As another example of our commitment to safety, earlier this month, on Safer Internet Day, we launched our new Microsoft Education Security Toolkit,[x] which provides educators and IT teams with practical guidance tailored to the realities of modern education.

3. AI tools Teachers want classroom-ready AI tools and opportunities to provide feedback that improve them

Teachers often lack the right AI tools tailored to their needs for boosting student achievement. It’s essential to develop AI solutions based on teacher input rather than just delivering generic options. Microsoft strives to meet this responsibility by designing tools and partnerships that address educators’ needs. We believe this approach creates a critical feedback loop that will allow us to constantly evolve our tools to maximize their benefit in the classroom over time.

In fact, at Microsoft, our engineering teams collaborate closely with educators and students to advance the development of AI tools for classroom use. We partner with teacher organizations and directly engage with the disability community to better understand instructional requirements and design technology that enhance student learning outcomes.  Some examples include:

Reading Progress

One of the tools we offer to teachers is called Reading Progress, which helps teachers analyze students’ fluency and generates reading passages and comprehension questions.

From the beginning of development, we worked with individual teachers through our Educator Insiders program and with entire schools or districts through our Technology Adoption Preview, where educators test prototypes of our products and provide feedback.

For example, teachers asked for a tool that could generate tailored passages to meet the needs of their students. We incorporated that feedback and now, teachers can get as specific as saying they want a passage generated about sports that is for a third-grade reading level and includes specific words their class is learning.

Teachers also told us they wanted reading comprehension questions generated faster and better. With AI, it’s easy to do this in a high-quality way.

Teachers report increased comprehension, higher reading fluency, and higher scores, especially for struggling or reluctant readers.

Teach for America (TFA)

Microsoft has been a proud supporter of TFA’s efforts to improve the education system and expand opportunities for children across the U.S. It has been great to see all of the ways in which TFA has worked to equip their teachers with AI fluency in order to help them integrate this technology into the classroom.

TFA recently completed a cloud migration to Microsoft Azure, unlocking countless avenues to improve program design and delivery, direct the most possible funds toward its mission to ensure all kids have access to an excellent education, and evolve to offer the best learning options inside and outside the classroom.

Where do we go from here

What is both exciting and daunting about AI is that while we can take lessons learned from previous technological transformations in the classroom, much of the book has not been written on AI adoption. Meaning tech companies, teachers, government, and other stakeholders have the opportunity to shape where AI goes in education and beyond.

I want to conclude my remarks today with policy recommendations for the Committee to consider:

  • Support professional development for teachers to effectively teach about AI and responsibly integrate AI tools in the classroom.
    • At the Federal level, this means providing priorities for competitive grant programs, such as those recently proposed by the U.S. Department of Education.
  • Encourage public-private partnerships.
    • Incentivize and prioritize Federal funds and grants that support partnerships between technology companies and educational programs, including apprenticeship and credentialed organizations, to develop up to-date AI curriculum.
  • Promote AI literacy across the U.S.
    • Integrate AI skills and concepts, including their foundational principles, social impacts, and ethical concerns, into existing curriculum and instruction.
  • Provide guidance.
    • Equip schools with guidance on the safe, effective, and responsible use of AI, including considerations related to student privacy, data security, accessibility, transparency, and appropriate human oversight.
  • Invest in innovation.
    • Support research and evaluation to better understand the impacts of AI in education, including its effects on teaching and learning and student outcomes, and to identify effective, scalable practices that mitigate the digital divide.

 

[i] Smith, Brad. “Foreword.” Degrees of Change: What AI Means for Education and the Next Generation, by Juan M. Lavista Ferres, John Wiley & Sons, 2026.
[ii] See Microsoft 2025 AI in Education Survey Details, August 2025
[iii] See Microsoft 2025 AI in Education Survey Details, August 2025
[iv] See Microsoft Elevate: Putting people first, July 2025
[v] See Commonsense Guardrails for Using Advanced Technology in Schools, March 2025
[vi] See Microsoft 2025 AI in Education Survey Details, August 2025
[vii] See TeachAI Foundational Policies
[viii] See TeachAI AI Guidance for Schools Toolkit
[ix] See AI Literacy Framework
[x] See Microsoft Education Security Toolkit, February 2026

[1] ISTE (International Society for Technology in Education) + ASCD (Association for Supervision and Curriculum Development)

 

The post Building an AI-Ready America: Teaching in the AI age appeared first on Microsoft On the Issues.

❌