
Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains


This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

March 11, 2026

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 10.

Operation Epic Fury Timeline: March 2026 Conflict Updates

February 28, 2026 — Initial Strikes and Regional Retaliation

  • 07:00 UTC: US and Israeli forces launch coordinated operations targeting Iranian missile sites and strategic infrastructure.
  • 07:30 UTC: Strike reported on Supreme Leader Ali Khamenei’s compound/office in Tehran; subsequent updates describe his death as confirmed.
  • 08:04 UTC: Missile strike hits a girls’ school in Minab; reports indicate significant civilian casualties.
  • 13:30 UTC: Iran retaliates with reported strikes against Jebel Ali port (Dubai) and Camp Arifjan (Kuwait).
  • 15:00 UTC: Ballistic missiles target Al Udeid (Qatar) and Ali Al Salem (Kuwait) air bases.
  • 17:40 UTC: A Shahed-136 drone hits a radar installation at the US Naval Support Activity in Bahrain (5th Fleet-associated).
  • 20:00 UTC: Iran launches a wave of missiles toward Israel (reported as ~125).

In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.

March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion

By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.

Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.

  • 01:30 UTC: Press TV announces a massive retaliatory wave against US and Israeli bases.
  • 04:45 UTC: A massive explosion rocks Erbil, Iraq, near US and coalition facilities.
  • 05:30 UTC: Israeli Defense Minister Israel Katz confirms IAF jets are now dropping heavy munitions directly over Tehran.
  • 06:15 UTC: The “shadow fleet” tanker Skylight (previously sanctioned by the US) is struck by an Iranian missile in a friendly-fire incident.
  • 07:00 UTC: An Iranian projectile strikes the Crowne Plaza Hotel in Manama, Bahrain, causing multiple civilian casualties.
  • 09:00 UTC: IDF confirms the mobilization of 100,000 reservists to defend against Iran and its regional proxies.
  • 11:30 UTC: Heavy, continuous IAF bombardment of IRGC command-and-control sites in Tehran is reported.
  • 13:15 UTC: An Iranian Shahed drone successfully hits the American Ali Al Salem Air Base in Kuwait.
  • 15:00 UTC: UK Prime Minister Keir Starmer announces the deployment of experienced Ukrainian counter-UAS operators to the Gulf.
  • 18:30 UTC: IDF confirms Hezbollah has begun firing missiles from Lebanon, opening a major new front in the north.
  • 20:00 UTC: IRGC claims waves 7 and 8 of “Operation True Promise 4” are underway, declaring the Ali Al Salem base “completely disabled”.

March 2, 2026 — Infrastructure and Economic Warfare Escalation

  • Early AM: Iranian Shahed-136 drones strike Saudi Aramco’s Ras Tanura facility.
  • AM: AWS confirms its UAE data center was impacted by physical attacks, resulting in significant service disruptions.
  • 12:35 UTC: An unmanned drone strikes the runway of the UK’s RAF Akrotiri base in Cyprus.
  • ~17:00 UTC: IDF issues evacuation warnings for Tehran’s Evin district and Southern Beirut.
  • 21:00 UTC: CENTCOM confirms six US service members killed in action (updated figure).
  • PM: Israeli airstrikes destroy Iran’s national broadcasting headquarters (IRIB) and the Assembly of Experts’ building in Tehran.
  • Late PM: US forces confirm Iran’s naval capability in the Gulf of Oman has been neutralized (reported sinking of all 11 previously active warships).

March 3, 2026 — Expansion of Infrastructure Warfare and Regional Combat

  • Early AM: IAF strikes the Iranian Regime’s Leadership Compound, dismantling a heavily secured leadership site.
  • AM: An Iranian drone attack sets the US Consulate in Dubai on fire; France deploys Rafale jets to protect military bases in the UAE.
  • ~13:00 UTC: An airstrike hits the Defense Ministry’s Iran Electronics Industries facility in Isfahan.
  • PM: US and Israeli forces destroy Mehrabad Airport in Tehran to prevent regime officials from fleeing.
  • 18:00 UTC: A Farsi-language numbers station appears on 7910 kHz radio frequencies, believed to be transmitting coded instructions to sleeper cells.
  • PM: The White House releases the full objectives of Operation Epic Fury, defining it as a major combat operation focused on destroying Iran’s missile and naval forces.
  • Late PM: A GBU-31 bunker-buster strike destroys an IRGC-linked site in Urmia.

March 5, 2026 — Offensive Defense and Geographic Expansion

  • 04:00 UTC: Iranian attack drones strike Nakhchivan International Airport in Azerbaijan, causing explosions near civilian infrastructure.
  • 06:30 UTC: Azerbaijan’s Ministry of Defence places its military on highest alert and prepares potential retaliatory measures.
  • 09:15 UTC: A complex missile and drone attack triggers a major fire at Ali Al Salem Air Base in Kuwait.
  • 11:45 UTC: The Israeli Air Force conducts large-scale strikes against roughly 200 targets in western and central Iran, focusing on ballistic missile launch systems.
  • 18:00 UTC: Iraq’s national power grid reportedly collapses, resulting in a nationwide blackout.

March 6, 2026 — Regime Fragmentation and Strategic Targeting

  • AM: Approximately 50 Israeli aircraft drop more than 100 bombs on an underground bunker within Tehran’s leadership compound, reportedly eliminating remaining senior regime figures.
  • AM: US forces destroy a hidden Iranian ballistic missile factory located inside Tehran.
  • Mid-Day: Israeli Air Force eliminates Hossein Taeb, former head of the IRGC Intelligence Organization, in a targeted strike on his residence.
  • PM: Azerbaijan begins moving artillery and military equipment toward the Iranian border while evacuating diplomatic personnel from Tehran and Tabriz.
  • Active: Mehrabad International Airport remains under heavy combined US–Israeli bombardment as strikes continue against remaining regime infrastructure.
  • Late PM: US leadership issues a public demand for Iran’s “unconditional surrender,” rejecting negotiated settlement proposals.

March 8–9, 2026 — Leadership Consolidation and Hybrid Warfare Expansion

Mar 8

  • Mojtaba Khamenei is officially appointed Supreme Leader following the death of Ayatollah Ali Khamenei.
  • Israeli forces kill Abolghasem Babaeian, newly appointed military secretary to the Supreme Leader, in a rapid-response airstrike in Tehran.
  • 22:46 UTC: Hacktivist group Cyber Islamic Resistance claims defacement of the Kurdish Peshmerga special forces website (unverified).
  • 23:23 UTC: Cyber Islamic Resistance claims control of a Saudi medical care application website (unverified).

Mar 9

  • Bahraini desalination and oil infrastructure is struck, causing injuries and triggering a declaration of force majeure.
  • Grand Ayatollah Sistani issues a fatwa declaring a “collective religious obligation” for communal defense.
  • 11:12 UTC: Pro-Russian hacktivist group NoName057(16) claims DDoS attacks against Israeli political parties and defense contractor Elbit Systems.
  • 15:26 UTC: Reporting confirms the Iranian MOIS-linked group MuddyWater has infiltrated US aerospace and defense networks.
  • 16:06 UTC: Iran’s nationwide internet blackout enters its sixth day.

March 10, 2026 — Decentralized Retaliation and Economic Pressure

  • 13:35 UTC: Multiple reports indicate that major Iranian banks, including Bank Melli Iran and Bank Sepah, are unable to provide services following suspected cyberattacks.
  • 15:20 UTC: A drone strike hits the Ruwais industrial complex in Abu Dhabi, forcing the shutdown of the Middle East’s largest oil refinery.
  • 18:00 UTC: The UAE Defense Ministry reports intercepting hundreds of projectiles over a 24-hour period, confirming six deaths and more than 120 injuries.

March 1–10, 2026 — Infrastructure Targeting and Internationalization

Between March 1 and March 10, Flashpoint analysis indicates the conflict has evolved from broad regional exchanges into systematic targeting of energy, data, and command-and-control infrastructure with global downstream impact. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon. March 2 also featured expanded strikes against Tehran’s state apparatus, including reported destruction of Iran’s national broadcasting headquarters and the Assembly of Experts’ building.

Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus). Meanwhile, the UK, France, and Germany signaled readiness to support action focused on Iran’s missile and drone capabilities — an indicator of potential further conflict expansion.

By March 3 and March 4, targeting patterns expanded further to include strategic communications infrastructure and hardened military facilities. Satellite analysis confirmed damage to US military communication nodes and early-warning radar infrastructure across multiple Gulf bases, while naval combat escalated with a US submarine sinking the Iranian frigate IRIS Dena in the Indian Ocean. These developments signal a shift toward degrading regional command-and-control networks alongside continued pressure on energy and logistics infrastructure.

Developments on March 5 further expanded the geographic scope of the conflict. Iranian drone strikes targeted infrastructure in Azerbaijan, drawing the country’s military onto high alert and raising the possibility of a northern expansion of the kinetic theater. At the same time, complex missile and drone attacks continued against US military facilities in the Gulf, including a major strike that caused significant damage at Ali Al Salem Air Base in Kuwait. These developments reflect a continued shift toward distributed regional engagements rather than isolated bilateral exchanges.

Developments on March 6 through March 9 indicate continued degradation of Iranian command infrastructure alongside widening regional impacts. Precision strikes reportedly targeted remaining Iranian leadership compounds and clandestine missile and nuclear facilities, while diplomatic evacuations and military mobilization along Iran’s northern border suggested the potential expansion of the conflict into new geographic theaters. At the same time, infrastructure targeting expanded beyond energy and communications to include water desalination facilities and additional cloud and data infrastructure, highlighting the growing risk to civilian survival systems and regional economic stability.

Developments on March 10 further underscored the economic dimension of the conflict. A drone strike on the Ruwais industrial complex in Abu Dhabi forced the shutdown of the region’s largest oil refinery, while global shipping giant MSC suspended exports from Gulf ports due to continued instability in the Strait of Hormuz. These disruptions highlight how the conflict is increasingly affecting global energy production and maritime supply chains beyond the immediate combat zone.

The Escalating Cyber and Information Front

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.

One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.

Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.

As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.

On March 2, Flashpoint observed reporting on a coordinated campaign branded #OpIsrael, involving pro-Iranian and pro-Russian-aligned actors, with activity spanning DDoS, data exposure, and claimed intrusions.

  • NoName057(16) + Cyber Islamic Resistance: Claimed large-scale DDoS activity targeting Israeli defense and municipal entities (including Elbit Systems).
  • Cyber Islamic Resistance: Claimed breach of an Israeli health insurance provider and released internal CCTV footage as evidence of access.
  • FAD Team (Iraq’s “Resistance Hub”): Claimed SQL injection activity and PII exposure across a wide set of targets, including US and non-US entities.
  • Fatimion Cyber Team: Claimed disruption targeting Gulf states perceived as US-aligned, including Bahrain and Qatar-linked targets.
  • Infrastructure claims: FAD Team claimed access to firewall monitoring dashboards in Mecca and Medina.

Additional activity observed March 3–4 includes:

  • Handala Team: Claimed a breach of Saudi Aramco infrastructure and released internal documentation and schematics intended to validate the attack. Flashpoint has not verified these claims.
  • PalachPro: Signaled coordination with Iranian hackers to amplify cyber campaigns targeting US and Israeli organizations.
  • NoName057(16): Claimed access to an Israeli water management SCADA system under the ongoing #OpIsrael campaign. These claims remain unverified.
  • Fatemiyoun Electronic Team: Conducted a denial-of-service attack against the Kuwaiti News Agency website.
  • Targeting rhetoric shift: Pro-IRGC propaganda channels began framing major technology companies — including Google — as potential targets due to alleged support of US military operations.

Additional activity reported on March 5 indicates a renewed surge in coordinated cyber operations under the #OpIsrael banner:

  • NoName057(16): Claimed administrative access to Israeli industrial control systems and SCADA interfaces, alleging the ability to manipulate pump activity and water flow. These claims remain unverified but represent a high-risk threat to essential services.
  • Handala Group: Claimed the exfiltration and wiping of approximately 1.3 TB of data from Atlas Insurances Ltd., while simultaneously launching a doxxing campaign targeting individuals alleged to be connected to Israeli intelligence.
  • Fatemiyoun Electronic Team: Claimed responsibility for taking multiple government ministry websites offline in Jordan and Kuwait and releasing personal data from a Kuwaiti government application.
  • Cyber Islamic Resistance (Team 313): Claimed disruptions targeting Bahraini government infrastructure and published images allegedly taken from compromised surveillance camera networks.

Additional activity reported March 6–9 includes:

  • MuddyWater (MOIS / Seedworm): Verified intrusions into US aerospace, defense, aviation, and financial networks using a newly identified backdoor known as “Dindoor.” These operations reportedly began prior to the kinetic phase of the conflict and have continued during the war.
  • Telegram-Based Recruitment Networks: Iranian intelligence is reportedly using Telegram channels to recruit loosely affiliated operatives and criminal intermediaries across Europe for espionage and potential sabotage operations.
  • Handala: Claimed to have wiped Israeli military weather servers and intercepted urban security feeds in Jerusalem (unverified).
  • Cyber Islamic Resistance (Team 313): Claimed multiple website defacements targeting regional institutions, including Kurdish and Saudi organizations (unverified).
  • NoName057(16): Continued distributed denial-of-service attacks under the #OpIsrael banner targeting Israeli political parties, telecommunications companies, and defense contractors.

Additional activity reported March 10 includes:

  • Suspected banking-sector attacks: Multiple reports indicate that Iran’s largest banks, including Bank Melli Iran and Bank Sepah, experienced widespread service disruptions following suspected cyberattacks.
  • NoName057(16): The pro-Russian group continued operations under the #OpIsrael banner, claiming distributed denial-of-service attacks targeting Israeli and Cypriot infrastructure, including Israel’s national water company Mekorot and UAV firm E.M.I.T. Aviation (unverified).
  • BD Anonymous & MrSutrator Alliance: A newly formed pro-Palestinian cyber alliance announced “Operation Electronic Holocaust,” targeting Israeli defense contractor Rafael (unverified).
  • DieNet: The group issued warnings of a potential large-scale cyber campaign targeting Israeli government infrastructure (unverified).

These developments indicate continued expansion of cyber activity across both offensive and retaliatory fronts, including financial infrastructure and public-facing services.

Strategic Chokepoints and Systemic Risk

Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility.

Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Flashpoint reporting also indicates an explicit escalation toward energy system disruption, with IRGC messaging framing a “war on energy supplies” and kinetic targeting expanding to oil and gas infrastructure. Even partial disruption introduces immediate volatility in energy markets and maritime logistics, increasing shipping costs, insurance premiums, and delivery delays well beyond the region.

Additional developments reported on March 3 indicate the IRGC has conducted strikes against multiple oil tankers operating in the Strait of Hormuz, further elevating risks to global energy transport. Iran has also declared the waterway effectively closed to most commercial shipping, introducing the possibility of sustained maritime disruption.

Infrastructure targeting has expanded to include desalination facilities and water supply systems in the Gulf. Because these plants provide essential potable water to large urban populations, attacks on desalination infrastructure represent a significant escalation that directly threatens civilian survival systems and urban stability across the region.

Global shipping disruption has also intensified. As of March 10, following continued instability and the effective closure of the Strait of Hormuz, major shipping firms including MSC have suspended exports from Gulf ports, introducing additional pressure on global logistics and energy markets.

Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. Taken together, the maritime and aviation constraints create a reinforcing cycle: constrained routes increase congestion elsewhere, raise operational costs, and compress the time available for organizations to reroute people and goods.

With regional airports and Gulf maritime corridors under threat, organizations should plan for sustained degradation of commercial mobility and service availability rather than short-lived closures.

Business and Security Implications

As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed throughout this conflict indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.

Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.

1. Personnel and Physical Security

Recent incidents including strikes near Gulf transit hubs, the targeting of a Western-branded hotel in Bahrain, and warnings regarding potential asymmetric attacks underscore that risk is no longer confined to military installations.

  • The US State Department issued an expanded “DEPART NOW” advisory for Americans across 16 Middle Eastern countries, reflecting elevated risk to civilian and commercial environments.
  • US Embassy in Amman reported active “duck and cover” alarms, signaling increased threat pressure on diplomatic facilities beyond core combat zones.
  • Reporting indicates Iranian threats now extend to US bases in Europe, expanding the geographic risk envelope.
  • Drone attacks targeting diplomatic facilities — including the US Consulate in Dubai and attempted strikes on the US Embassy in Riyadh — indicate expanding risk to diplomatic and government installations.
  • Precautionary evacuations have also been implemented near US embassies across several Gulf states as regional tensions and retaliatory threats continue to rise.

Organizations with personnel in the Gulf region and surrounding areas should:

  • Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
  • Elevate security protocols at commercial offices, hotels, and logistics facilities.
  • Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
  • Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.

2. Supply Chain and Energy Exposure

The reported blockade of the Strait of Hormuz, disruption to Dubai aviation, and the strike on Saudi Arabia’s Ras Tanura oil facility demonstrate that global energy and logistics systems are active pressure points. Iranian naval forces reportedly struck multiple oil tankers transiting the Strait of Hormuz on March 3, increasing the likelihood of extended maritime disruption and global energy price volatility.

IRGC statements framing a “war on energy supplies” increase the likelihood of sustained pressure on Gulf oil and gas infrastructure. Organizations must reassess exposure not only to energy price volatility, but also to infrastructure-driven availability shocks.

Organizations should:

  • Model extended disruption to Gulf maritime routes rather than short-term interruption.
  • Identify alternative shipping corridors and overland routing options.
  • Stress-test supplier dependencies tied to Gulf ports or energy inputs.
  • Prepare for price volatility and delivery delays impacting downstream operations.

3. Cloud and Technology Infrastructure

The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover. More recent reporting also indicates Iranian strikes targeting Microsoft Azure data infrastructure in the Gulf, expanding the threat profile to additional Western cloud platforms.

Iranian strikes against early-warning radars and satellite communication terminals across Gulf bases indicate a coordinated effort to degrade regional missile defense networks.

Enterprises should:

  • Confirm geographic redundancy for critical workloads.
  • Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
  • Review third-party dependencies tied to regional data centers.
  • Ensure executive teams understand potential cascading impacts from localized physical disruption.
  • Organizations operating near or dependent on US or allied military infrastructure in the region should monitor potential disruptions to air defense coverage and communications networks.

4. ICS / OT Environments

Claims of intrusion into industrial control systems — including grain silo logistics and remote control infrastructure — signal elevated risk to operational technology environments. March 2 cyber reporting also emphasized blended risk: cyber operations paired with physical disruption, increasing the chance of cascading outages and degraded visibility during response.

Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:

  • Audit all remote access pathways and eliminate unnecessary external exposure.
  • Enforce phishing-resistant MFA for privileged and engineering accounts.
  • Segment industrial networks from corporate IT and public internet access.
  • Validate incident response plans for destructive malware or system manipulation scenarios.
  • Conduct tabletop exercises assuming loss of visibility or control in critical systems.

What to Expect Next (48–72 Hours)

Flashpoint analysis indicates the conflict is entering a more decentralized phase characterized by hybrid warfare and expanding geographic scope.

Following the formal appointment of Mojtaba Khamenei as Supreme Leader, the Iranian state is expected to maintain a hardline military posture under strong IRGC influence. With conventional military capabilities increasingly degraded, Iranian strategy may rely more heavily on asymmetric tactics, including cyber operations, proxy mobilization, and attacks against economic and civilian infrastructure.

The fatwa issued by Grand Ayatollah Sistani introduces an additional destabilizing variable, potentially mobilizing Shiite militias across Iraq and the broader region. Combined with Kurdish mobilization along Iran’s western border and Azerbaijan’s heightened military posture in the north, the conflict may increasingly involve non-state and regional actors.

At the same time, cyber operations targeting Western defense, aviation, and infrastructure networks are likely to intensify as Iranian-linked actors attempt to expand the conflict’s impact beyond the immediate battlefield.

The activation of Iran’s decentralized “Mosaic Defense” protocol further complicates potential de-escalation. Because retaliatory authority is distributed across regional commanders, localized strike cycles may continue even if diplomatic negotiations emerge at higher political levels. This structure increases the likelihood of continued intermittent attacks across multiple theaters even as international pressure for conflict termination grows.

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.


Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report


In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

March 11, 2026

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

  • AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
  • 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
  • From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
  • Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

  1. A Clear Understanding of the New Convergence Between Identity and AI
    Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
  2. Intelligence on the “Franchise Model” of Global Extortion
    Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
  3. A Blueprint for Proactive Defense and Risk Mitigation
    Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

“As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.


The post Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report appeared first on Flashpoint.


Defending the gates: How a global coalition disrupted Tycoon 2FA, a major driver of initial access and large-scale online impersonation

One email was all it took. An employee clicked what looked like a routine sign-in request. Behind the scenes, attackers swiped credentials, slipped past security controls, impersonated a trusted user, and gained access to critical systems. In other cases, similar intrusions delayed paychecks, rerouted invoices, stole sensitive data, locked up entire networks, interrupted patient care, and strained already tight budgets at schools and critical services.

Those attacks were powered by Tycoon 2FA. Today, Microsoft, Europol, and industry partners announced a coordinated action to disrupt the service responsible for tens of millions of fraudulent emails reaching over 500,000 organizations each month worldwide. 

Disrupting a global phishing operation 

Active since at least 2023, Tycoon 2FA enabled thousands of cybercriminals to impersonate real users and gain unauthorized access to email and online service accounts, including Microsoft 365, Outlook, and Gmail. Unlike traditional phishing kits, Tycoon 2FA was designed to defeat additional security protections, including multifactor authentication, allowing cybercriminals to log in as legitimate users without triggering alerts, even on protected accounts. 

Acting under a court order from the U.S. District Court for the Southern District of New York, and for the first time in coordination with Europol’s Cyber Intelligence Extension Programme (CIEP), Microsoft seized 330 active domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages. The CIEP framework brought public- and private-sector partners together to move from simply sharing intelligence to coordinated, cross-border action, accelerating disruption and limiting further harm.

Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise, and financial fraud.

The scale and real-world impact of Tycoon 2FA

By mid-2025, Tycoon 2FA accounted for approximately 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally.

Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers.  

Healthcare and education organizations were hit hardest. More than 100 members of Health-ISAC, a global threat-sharing group for the health sector and a co-plaintiff in this case, were successfully phished. In New York alone, at least two hospitals, six municipal schools, and three universities faced attempted or successful compromise through Tycoon 2FA. These incidents had tangible consequences: disrupted operations, diverted resources, and delayed patient care.

Why Tycoon 2FA was so dangerous 

Tycoon 2FA combined convincing phishing templates, realistic landing pages, and real-time capture of credentials and authentication codes into an easy-to-use package that scaled quickly. By lowering the technical barrier to entry, it allowed criminals with limited expertise to run sophisticated impersonation campaigns.

With each successful phishing victim, attackers could operate with the same level of trust as legitimate users, moving laterally across systems, accessing sensitive data, and abusing sign-on connections without raising alarms. Research from Microsoft Threat Intelligence provides more details on how Tycoon 2FA operated.

[Image: The Tycoon 2FA customer dashboard. A dark-themed admin panel with summary cards for total visits, valid and invalid logins, and SSO; a donut chart of login outcomes; a bar chart of targeted login websites with Microsoft highlighted; a world map of visitors by country; and a table of captured accounts listing email, website, browser, IP, country, 2FA status, and date, with “Copy Zip Pass” and “Download” action buttons.]

This shift reflects a broader trend in cybercrime: identity, not infrastructure, has become the primary target. A single compromised account can now unlock banking systems, healthcare portals, workplace applications, and social media accounts. 

Inside the impersonation economy

Tycoon 2FA operated like a business within the broader impersonation-for-hire ecosystem. The primary developer, Saad Fridi, who is believed to be based in Pakistan, worked alongside partners responsible for marketing, payments, and technical support.

Cybercriminals typically used Tycoon 2FA alongside other illicit services. While Tycoon 2FA captured credentials and session tokens, other services handled mass email delivery, malware distribution, hosting, and access monetization. For example, RedVDS, disrupted by Microsoft in January 2026, provided inexpensive virtual computers, which cybercriminals paired with Tycoon 2FA to deliver phishing campaigns. Together, these different services created an interconnected ecosystem for identity-based attacks. Disrupting one component can have cascading effects across the cybercrime economy.

Sustained pressure reshapes the market 

Over the past 18 months, Microsoft’s Digital Crimes Unit has targeted multiple services that enable impersonation and initial access, including extensive disruption operations against Lumma Stealer, RaccoonO365, Fake ONNX (aka “Caffeine”), and RedVDS.

When widely used tools are disrupted, attackers are forced to adapt, often shifting to alternatives like Tycoon 2FA. This substitution pattern shows how sustained pressure prevents any single service from remaining dominant while steadily raising the cost and risk of cybercrime. 

These efforts have led to arrests in Egypt and Nigeria, complete service shutdowns, infrastructure loss, and reputational damage for operators beyond law-enforcement reach. RedVDS alone has lost more than 95 percent of its infrastructure since January 2026, significantly degrading its ability to support mass impersonation campaigns and other online scams.

As pressure increased, many operators tightened access controls, retreated into closed channels, or shut down entirely to avoid legal action. In Tycoon 2FA’s case, Microsoft could not purchase access to the service directly; the operator rejected attempts by our investigators, so access required a trusted intermediary. In fact, Tycoon 2FA’s operator and the now-arrested developer of RaccoonO365 communicated with one another, highlighting the ecosystem’s interdependence and how disruptions in one area influence activity elsewhere.

[Image: Correspondence suggesting interactions between the operators of RaccoonO365 and Tycoon 2FA. A dark-mode chat interface in which users including “Raccoon0365” and “ItsPump” discuss “2FA/MFA” services, choosing or not choosing a provider, friendship between the groups, and competition between services.]

Global threats require global action 

Cybercrime operates across borders, and effective response must do the same. Disrupting Tycoon 2FA spanned multiple jurisdictions, underscoring why sustained, coordinated pressure is essential, especially as cybercrime becomes more scalable through automation and AI. 

Microsoft Threat Intelligence, joining many security researchers, identified Tycoon 2FA as one of the most significant enablers of identity-based attacks. Microsoft’s Digital Crimes Unit consulted with Europol, which also tracked the actor based on intelligence supplied by TrendAI. Through the CIEP, Europol convened partners to take action. Microsoft worked with industry partners to pursue a coordinated infrastructure disruption, while law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom conducted seizures of infrastructure and carried out other operational measures linked to Tycoon 2FA.

Industry partners, including Proofpoint, Intel 471, and eSentire, expanded visibility through telemetry, threat intelligence, and criminal-forum insight. Cloudflare assisted by taking down infrastructure outside U.S. jurisdiction, while Health-ISAC quantified impacts on healthcare organizations. SpyCloud contributed key victimology data, Resecurity facilitated access to Tycoon 2FA, and Coinbase helped trace the movement of stolen funds. Finally, the Shadowserver Foundation supported notifications to more than 200 computer emergency response teams worldwide, helping limit further harm.

No single organization could have assembled this full picture alone.

[Image: Splash page appearing on seized domains.]

Sustaining pressure, together 

Stopping identity-based cybercrime requires action across individuals, organizations, and governments. Multifactor authentication, scrutiny of unexpected messages, strong session controls, and coordinated threat-sharing all reduce risk. Early enforcement matters too: it prevents small intrusions from escalating into systemic harm. Microsoft will continue applying the lessons learned from Tycoon 2FA and prior disruptions to fragment the impersonation economy, limit scale, and make cybercrime riskier and less profitable.

The post Defending the gates: How a global coalition disrupted Tycoon 2FA, a major driver of initial access and large-scale online impersonation appeared first on Microsoft On the Issues.


Building an AI-Ready America: Teaching in the AI age

On Tuesday, February 23rd, Microsoft Senior Director of Education and Workforce Policy Allyson Knox testified before the House Education & Workforce Subcommittee on Early Childhood, Elementary, and Secondary Education. To view the proceedings, visit the committee’s website.

STATEMENT OF ALLYSON KNOX

SENIOR DIRECTOR OF EDUCATION AND WORKFORCE POLICY

MICROSOFT CORPORATION

BEFORE THE

EDUCATION AND WORKFORCE COMMITTEE

SUBCOMMITTEE ON EARLY CHILDHOOD, ELEMENTARY, AND SECONDARY EDUCATION

UNITED STATES HOUSE OF REPRESENTATIVES

“BUILDING AN AI-READY AMERICA: TEACHING IN THE AI AGE”

TUESDAY, FEBRUARY 24, 2026

WASHINGTON, D.C.

Good afternoon and thank you, Chairman Kiley, Ranking Member Bonamici, and Members of the Subcommittee, for inviting me to testify today. My name is Allyson Knox. I am Senior Director of Education and Workforce Policy at Microsoft, and I am pleased to have this opportunity to discuss issues related to artificial intelligence and its impact on teachers.

Today, I will share insights we have gathered from teachers about their experiences, challenges, and needs as they integrate AI in education; outline the steps Microsoft and other organizations are taking to facilitate this transition; and recommend legislative approaches to help policymakers strengthen these efforts. These legislative approaches include supporting professional development for teachers; encouraging public-private partnerships; promoting AI literacy; providing guidance on responsible AI use; and supporting innovation.

I would like to begin by quoting from Microsoft’s vice-chair and president, Brad Smith, in his recent foreword to Degrees of Change: What AI Means for Education and the Next Generation[i]:

“Generative AI has become the fastest-spreading technology in human history, adopted at a pace that even the most seasoned technologists could scarcely imagine. This speed is breathtaking, but it also compels us to pause and ask, “Are we ready for what comes next?” AI’s promise is extraordinary. It can help solve problems that have challenged humanity for decades—improving health outcomes, advancing education, and unlocking new opportunities for economic growth. But, like every transformative technology before it, AI brings new questions and new responsibilities.”

This thought-provoking quote is apt for today’s conversation on how AI is impacting teachers. The speed of AI adoption in our nation’s schools and classrooms is indeed breathtaking. Just three years ago, AI had barely made a mark in education. However, our 2025 Study on AI in Education found that 80% of U.S. K-12 teachers have used AI in their roles or for school-related purposes at least once or twice, and one-fifth report daily use of AI. Additionally, 58% of K-12 teachers think AI usage at their school/district will increase in the next year.[ii]

What we are hearing from teachers on the impact of AI:

The breadth of adoption has been profound. We have heard directly from teachers who are using AI to streamline lesson planning, curriculum development, and personalize student learning in ways that were unimaginable a few years ago.[iii] AI is also reducing the time it takes to carry out administrative tasks, allowing more time for teachers to focus on their students.

Despite these benefits, we know teachers face challenges when it comes to AI in the classroom. We found roughly one in three teachers lack confidence in using AI effectively and responsibly. Many teachers also express concerns about how AI can exacerbate cheating and are worried about issues such as data privacy and student safety.

Teachers know AI is here to stay, and based upon countless surveys, forums, and focus groups, teachers are ready to tackle these challenges and ask for support in three main areas:

  1. AI literacy – Teachers want the skills, knowledge, and support to build AI literacy and critical thinking in their students;
  2. AI guardrails – Teachers want students to use AI responsibly and safely; and
  3. AI tools – Teachers want classroom-ready AI tools and opportunities to provide feedback that improve them.

I’m excited to share a few ways Microsoft, along with many of our partners, is committed to providing teachers with the support they are requesting.

1. AI literacy – Teachers want the skills, knowledge, and support to build AI literacy and critical thinking in their students

At the core of this support is listening to and learning from teachers and understanding what they want and need to become AI literate themselves and teach AI literacy to their students. These conversations have resulted in exciting initiatives, including the recent launch of the Microsoft Elevate for teachers program, part of the company’s broader commitment[iii] to help schools and educators build skills, expand opportunities, and ensure everyone benefits from AI.

Microsoft Elevate for Educators

The Microsoft Elevate for Educators program equips educators and school leaders with access to one of the world’s largest and most connected peer educator networks and offers free professional development resources. It will provide free access to a new industry-recognized credential for educators, developed in partnership with one of the leading national nonprofits focused on technology and innovation (ISTE+ASCD).[vi] This partnership is aligned to the AI Literacy Framework, which is intended to help educators gain confidence and expertise in integrating AI into their teaching and learning. As part of this work, we also support ISTE+ASCD in advancing AI in teacher preparation programs.

National Academy for AI Instruction

Along with OpenAI and Anthropic, we are supporting the National Academy for AI Instruction, through a partnership with the American Federation of Teachers and the United Federation of Teachers. The Academy describes itself as a national training hub designed by educators – shaping the future of AI in public education, grounded in safety and people-first technology, and improving student learning. From everything we have heard from teachers, this is exactly the type of support they need to promote AI literacy. The Academy also focuses on building critical thinking skills for students and educators.

Rob Weil, who heads up the Academy, recently shared an update on their work with me. He noted that, through direct engagement with teachers, they listen to the primary concerns teachers have around using AI in the classroom, and then work with them to design trainings that are directly responsive to those concerns and meet them where they are – including using whatever technology they are already using in their classroom.

Their goal is to train 400,000 teachers over the next 5 years. The Academy is centered around a “train the trainer” model, building capacity to provide AI literacy to teachers at scale – providing the potential for millions of teachers to benefit from this initiative. Weil noted that interest and participation in the Academy has been taking off, largely due to word of mouth. This month, 1,000 teachers showed up for a virtual session, and another in-person session was oversubscribed and had to turn away a hundred interested teachers.

Why the interest? Teachers want to learn from their peers and trusted partners; they also want to ensure they are using AI effectively and safely. Weil explained that one of the most popular aspects of the training is centered around the Academy’s Commonsense Guardrails for Using Advanced Technology in Schools,[v] which helps empower teachers to address the challenges they are facing in implementing AI. Some teachers describe AI as the wild-wild west, and this guide has helped provide a roadmap for understanding how to navigate bringing this technology into the classroom.

The trainings also provide real-world, hands-on experiences with using technology which teachers themselves are bringing to the table. At the trainings, teachers are asked what they could use the most help with and then have time to experiment with different tools to do things like start a draft of a lesson plan or an outline for a rubric – allowing them more time and flexibility to incorporate their expertise. In addition, the Academy creates opportunities for educators to influence the development of AI for schools.

Support for Special Education Teachers

We also recognize the potential that AI holds to support students with disabilities – and the need to ensure special education teachers have the support and resources to fully unlock this technology.

Recently, we launched a course to support educators in exploring how Microsoft AI tools can be thoughtfully used in special education environments to reduce administrative demands, strengthen accessibility, and support clear communication with families. Throughout the learning path, responsible use of AI, privacy, and transparency are emphasized so educators can determine when and how AI fits into their practice in ways that align with student needs and professional values.

After our engagements, we tailored our trainings to special education teachers by incorporating their direct feedback. Key topics included privacy with sensitive medical information and using AI to assist parents and caregivers in IEP meetings. We emphasized clear communication, parental inclusion, and ensuring parents understand the meeting’s goals and how best to support their children.

Finally, special education involves a collaborative team beyond just teachers, and we’ve revised our approach to address the needs of occupational therapists, physical therapists, and all other members involved in special education.

Support for Teachers in Rural America

We have found there’s a significant gap in daily AI usage by urban teachers versus their rural and suburban counterparts (39% vs. 24%).[iv] This gap underscores why ensuring AI tools, resources, and professional development are attuned to the needs of rural teachers is critical.

For the last five years, we’ve been working with the National Future Farmers of America (FFA) and agricultural science teachers to develop FarmBeats for Students and ensure it is responsive to agricultural science teachers’ needs. We engaged in an iterative process with them – collaboratively designing and building curriculum and training with agricultural science teachers from the very beginning of development.

FarmBeats for Students brings AI to agricultural education through a hands-on educational program that brings precision agriculture directly into the classroom. The program consists of an affordable hardware kit and a free curriculum aligned with rigorous educational standards. Activities give students direct experience with topics like digital sensors, data analysis, and AI.

We brought FarmBeats for Students to the National FFA convention and held a series of workshops with teachers across the country. They experimented with the kits and provided input to ensure this technology was directly responsive to what they wanted to see in the classroom.

In addition to our partnership with the National FFA, Microsoft helps meet the needs of rural teachers by deploying the online content referenced above through Elevate, as well as supporting community-based organizations that help facilitate activities and events which promote AI literacy in rural communities.

AI Literacy Frameworks, Standards, and Guidance

Teachers want frameworks that help them integrate AI into their classrooms. We are pleased there is bipartisan interest in establishing strong frameworks around AI and education, especially highlighting the need for widespread AI literacy. Microsoft has provided support, guidance, and input to organizations and initiatives such as Code.org and TeachAI who work to develop and promote frameworks, guidance, and standards.

Microsoft encourages state and local policymakers to review and leverage these resources as they incorporate AI in education:

  • The TeachAI Foundational Policies[vii]: This resource, endorsed by dozens of policy organizations and associations, provides practical guidance for national, state, and local leaders to harness AI’s benefits in teaching and learning while mitigating risks. The policies focus on five priorities—fostering leadership, promoting AI literacy, providing clear guidance, building educator capacity, and supporting responsible innovation—to ensure AI strengthens education systems and prepares learners for an AI‑enabled workforce.
  • The TeachAI AI Guidance for Schools Toolkit[viii]: The Toolkit helps education authorities, school leaders, and educators develop clear, responsible guidance for using AI in K–12 education, balancing potential benefits with risks such as privacy, bias, and academic integrity. It provides a practical framework, principles, sample policies, and communication templates to support safe and human‑centered AI adoption across school systems. The Toolkit has been used by the majority of states in constructing guidance for schools.
  • The AI Literacy Framework[ix]: The AI Literacy Framework defines the knowledge, skills, and attitudes students and educators need to understand, use, and critically evaluate AI in education. It is organized around four core domains—Engaging with AI, Creating with AI, Managing AI, and Designing AI—and emphasizes critical thinking, ethics, and human judgment alongside technical understanding. It also emphasizes the foundational computer science concepts that prepare students to not just use AI but understand how AI works and its societal impacts. The framework is designed to be interdisciplinary, practical, and durable, helping schools integrate AI literacy into curriculum, professional learning, and policy in age‑appropriate ways.

2. AI guardrails – Teachers want students to use AI responsibly and safely

We have heard from teachers that one of the greatest hesitations they have with AI is around safety for students. This includes ensuring AI tools used in the classroom protect student privacy, don’t collect their information, and are safe from a mental health perspective.

Some of the strategies teachers use to promote safety are a significant focus in the professional development referenced earlier. In addition, the frameworks include key components to help teachers understand responsible AI use.

Microsoft takes our responsibility as a developer and deployer of AI technology very seriously. Paramount to deploying this technology in classrooms is ensuring it is responsible. Microsoft has identified six principles that we believe should guide AI development and use.

  • Fairness: AI systems should treat all people fairly.
  • Reliability and Safety: AI systems should perform reliably and safely.
  • Privacy and Security: AI systems should be secure and respect privacy.
  • Inclusiveness: AI systems should empower everyone and engage all people.
  • Transparency: AI systems should be understandable.
  • Accountability: People should be accountable for AI systems.

These principles are the foundation for other tools and resources we share with teachers to provide guidelines for them to deploy AI in the classroom.

As another example of our commitment to safety, earlier this month, on Safer Internet Day, we launched our new Microsoft Education Security Toolkit,[x] which provides educators and IT teams with practical guidance tailored to the realities of modern education.

3. AI tools – Teachers want classroom-ready AI tools and opportunities to provide feedback that improve them

Teachers often lack the right AI tools tailored to their needs for boosting student achievement. It’s essential to develop AI solutions based on teacher input rather than just delivering generic options. Microsoft strives to meet this responsibility by designing tools and partnerships that address educators’ needs. We believe this approach creates a critical feedback loop that will allow us to constantly evolve our tools to maximize their benefit in the classroom over time.

In fact, at Microsoft, our engineering teams collaborate closely with educators and students to advance the development of AI tools for classroom use. We partner with teacher organizations and directly engage with the disability community to better understand instructional requirements and design technology that enhances student learning outcomes. Some examples include:

Reading Progress

One of the tools we offer to teachers is called Reading Progress, which helps teachers analyze students’ fluency and generates reading passages and comprehension questions.

From the beginning of development, we worked with individual teachers through our Educator Insiders program and with entire schools or districts through our Technology Adoption Preview, where educators test prototypes of our products and provide feedback.

For example, teachers asked for a tool that could generate tailored passages to meet the needs of their students. We incorporated that feedback and now, teachers can get as specific as saying they want a passage generated about sports that is for a third-grade reading level and includes specific words their class is learning.

Teachers also told us they wanted reading comprehension questions generated faster and better. With AI, it’s easy to do this in a high-quality way.

Teachers report increased comprehension, higher reading fluency, and higher scores, especially for struggling or reluctant readers.

Teach for America (TFA)

Microsoft has been a proud supporter of TFA’s efforts to improve the education system and expand opportunities for children across the U.S. It has been great to see all of the ways in which TFA has worked to equip their teachers with AI fluency in order to help them integrate this technology into the classroom.

TFA recently completed a cloud migration to Microsoft Azure, unlocking countless avenues to improve program design and delivery, direct the most possible funds toward its mission to ensure all kids have access to an excellent education, and evolve to offer the best learning options inside and outside the classroom.

Where do we go from here

What is both exciting and daunting about AI is that while we can take lessons learned from previous technological transformations in the classroom, much of the book has not been written on AI adoption. This means that tech companies, teachers, government, and other stakeholders have the opportunity to shape where AI goes in education and beyond.

I want to conclude my remarks today with policy recommendations for the Committee to consider:

  • Support professional development for teachers to effectively teach about AI and responsibly integrate AI tools in the classroom.
    • At the Federal level, this means providing priorities for competitive grant programs, such as those recently proposed by the U.S. Department of Education.
  • Encourage public-private partnerships.
    • Incentivize and prioritize Federal funds and grants that support partnerships between technology companies and educational programs, including apprenticeship and credentialed organizations, to develop up-to-date AI curriculum.
  • Promote AI literacy across the U.S.
    • Integrate AI skills and concepts, including their foundational principles, social impacts, and ethical concerns, into existing curriculum and instruction.
  • Provide guidance.
    • Equip schools with guidance on the safe, effective, and responsible use of AI, including considerations related to student privacy, data security, accessibility, transparency, and appropriate human oversight.
  • Invest in innovation.
    • Support research and evaluation to better understand the impacts of AI in education, including its effects on teaching and learning and student outcomes, and to identify effective, scalable practices that mitigate the digital divide.



The post Building an AI-Ready America: Teaching in the AI age appeared first on Microsoft On the Issues.


Celebrating 250 million: Empowering communities to enable the global AI economy

Ahead of Mobile World Congress, where global leaders, governments, and industry convene at the world’s largest connectivity event, Microsoft is marking a major milestone in our efforts to expand digital access worldwide. In 2022, we made a bold commitment to expand internet access to 250 million people by the end of 2025. Today, we are proud to share that we have met and exceeded that goal, extending connectivity coverage to over 299 million people worldwide, including more than 124 million across Africa.

This milestone represents more than a number. It reflects more than a decade of sustained collaboration with governments, nonprofits, local connectivity providers, and development partners around the world. Together, we have worked to reach communities where access has historically been limited, building pathways to education, healthcare, economic opportunity, and digital participation.

Reaching this milestone is also a moment of reflection and renewal. Building on years of progress, Microsoft is evolving its approach to digital access to focus not only on coverage, but on adoption, enablement, and long-term participation in the AI economy.

As part of this next chapter, we are announcing a new collaboration with Starlink. This collaboration expands the set of tools available to help deliver digital access in rural, agricultural, and hard-to-reach communities. Combined with local delivery partners and community institutions, it strengthens the foundation for AI-ready communities around the world.

Why digital access matters in the AI era

Despite continued progress, 2.2 billion people globally remain offline, and many more face barriers related to affordability, reliability, or access to relevant digital services. These gaps already limit opportunity and risk widening as AI becomes more central to how economies grow and societies function.

At Mobile World Congress 2024, Microsoft Vice Chair and President Brad Smith shared our AI Access Principles, underscoring that electricity and connectivity are essential foundations for an inclusive AI economy. Since then, the pace of change has only accelerated. In fact, Microsoft’s 2025 AI Diffusion Report shows that AI is being adopted faster than any general-purpose technology in history, yet adoption remains uneven. As the data illustrates, adoption in the Global North is accelerating faster than in the Global South. Differences in infrastructure, access to tools, and digital readiness all contribute to a growing divide between higher-income and lower-income economies.

This graphic from the 2025 AI Diffusion Report reinforces a clear insight: access to AI alone is not enough. For communities to participate meaningfully in the digital and AI era, connectivity must be paired with reliable energy, affordable devices, digital skills, and technologies designed for real-world use. Where these conditions exist, adoption follows. In Zambia, for example, country-wide generative AI adoption is 12 percent, but among those with internet access, it rises to 34 percent.

Deepening Microsoft’s approach to digital access

Building on what we have learned, Microsoft is advancing a more holistic digital access model that recognizes connectivity as only one part of a broader system. In practice, this means collaboration to deliver not only internet access but also more reliable energy infrastructure, access to water where relevant, devices, digital skills, and cloud and AI tools, all designed and deployed for the communities they serve. By working across organizations and governments to address these foundational needs in parallel, this approach helps ensure that digital access is usable, durable, and capable of supporting real-world outcomes.

A central focus of this work is community-based access models that are financially sustainable, scalable, and aligned with national development priorities. These models bring together local institutions such as schools, health facilities, cooperatives, and community hubs and are implemented in partnership with governments, businesses, nonprofits, and development finance organizations. By integrating infrastructure, enablement, and financing from the outset, these holistic programs can help unlock long-term investment, support responsible growth, and enable communities to fully participate in the digital and AI economy.

Digital access directly complements Microsoft’s Community First AI Infrastructure approach by providing the foundation that enables AI to be adopted, used, and trusted by communities everywhere.

Partnering to deliver impact at scale

Progress at this scale is only possible through strong partnerships rooted in local delivery, community trust, and long-term sustainability. Microsoft’s work to extend connectivity to more than 299 million people has been built alongside partners who understand the realities of last-mile deployment and digital adoption.

In Africa, Microsoft works with partners such as Cassava Technologies to expand regional digital infrastructure and drive high-quality internet access across South Africa, Malawi, Kenya, and Zambia. Collaborations with local providers like Tizeti deliver affordable, reliable connectivity through solar-powered Wi-Fi networks across Nigeria and Ghana.

In Latin America, Microsoft’s partnership with Anditel focuses on expanding internet and energy access for rural and agrarian communities in Colombia through locally led models aligned with national priorities. In India, Microsoft works with AirJaldi to pair affordable connectivity with digital skills training and practical pathways for use, helping communities move beyond basic access toward meaningful adoption.

These partnerships made reaching the 250 million milestone possible. They also reflect a principle that continues to guide our work. Lasting digital access is built with communities, not for them.

Expanding the portfolio: Collaboration with Starlink

Building on this foundation, Microsoft continues to expand and diversify its portfolio to reach communities where traditional infrastructure alone cannot meet demand.

Through our collaboration with Starlink, Microsoft is combining low-Earth orbit satellite connectivity with community-based deployment models and local ecosystem partnerships. This is intended to expand the set of tools available to deliver digital access while remaining firmly embedded in a holistic, partnership-driven approach.

Kenya offers an early example of this model in practice. Working with Starlink and local internet service provider Mawingu Networks, Microsoft is supporting connectivity for 450 community hubs across rural and underserved regions, including farmer cooperatives, aggregation centers, and digital hubs. These deployments combine satellite connectivity with digital skills, tools, and ecosystem coordination to support agricultural productivity, access to markets, and adoption of digital and AI-enabled services.

Beyond 250 million: Building AI-ready communities

Surpassing the 250 million connectivity milestone is a moment to celebrate. It is also a starting point for what comes next.

The next chapter of Microsoft’s digital access work is planned to focus on ensuring that access translates into adoption, use, and long-term opportunity. By continuing to partner with governments, development finance institutions, nonprofits, and private-sector partners, and by expanding into energy access, financing mechanisms, and community-first AI solutions, Microsoft is working to ensure that everyone, everywhere, can participate in the digital and AI economy.


The post Celebrating 250 million: Empowering communities to enable the global AI economy appeared first on Microsoft On the Issues.


We need to act with urgency to address the growing AI divide

Microsoft announces at the India AI Impact Summit that it is on pace to invest USD $50 billion by the end of the decade to help bring AI to countries across the Global South

Artificial intelligence is diffusing at an impressive speed, but its adoption around the world remains profoundly uneven. As Microsoft’s latest AI Diffusion Report shows, AI usage in the Global North is roughly twice that of the Global South. And this divide continues to widen. This disparity impacts not only national and regional economic growth, but whether AI can deliver on its broader promise of expanding opportunity and prosperity around the world.

The India AI Impact Summit rightly has placed this challenge at the center of its agenda. For more than a century, unequal access to electricity exacerbated a growing economic gap between the Global North and South. Unless we act with urgency, a growing AI divide will perpetuate this disparity in the century ahead.

Solutions will not come easily. The needs are multifaceted, and will require substantial investments and hard work by governments, the private sector, and nonprofit organizations. But the opportunity is clear. If AI is deployed broadly and used well by a young and growing population, it offers a real prospect for catch-up economic growth for the Global South. It might even provide the biggest such opportunity of the 21st century.

As a company, we are committed to playing an ambitious and constructive role in supporting this opportunity. This week in Delhi, we’re sharing that Microsoft is on pace to invest $50 billion by the end of the decade to help bring AI to countries across the Global South. This is based on a five-part program to drive AI impact, consisting of the following:

  • Building the infrastructure needed for AI diffusion
  • Empowering people through technology and skills for schools and nonprofits
  • Strengthening multilingual and multicultural AI capabilities
  • Enabling local AI innovations that address community needs
  • Measuring AI diffusion to guide future AI policies and investments

One thing that is clear this week at the summit in India is that success will require many deep partnerships. These must span borders and bring people and organizations together across the public, private, and nonprofit sectors.

1. Building the infrastructure needed for AI diffusion

Infrastructure is a prerequisite for AI diffusion, requiring reliable electricity, connectivity, and compute capacity. To help address infrastructure gaps and support the growing needs of the Global South, Microsoft has steadily increased its investments in AI-enabling infrastructure across these regions. In our last fiscal year alone, Microsoft invested more than $8 billion in datacenter infrastructure serving the Global South. This includes new infrastructure in India, Mexico, and countries in Africa, South America, Southeast Asia, and the Middle East.

We’re coupling our investments in datacenters with an ambitious effort to help close the Global South’s connectivity divide. We’ve been aggressively pursuing a global goal to extend internet access to 250 million people in unserved and underserved communities in the Global South, including 100 million people in Africa.

As we announced in November, we’ve already reached 117 million people across Africa through partnerships with organizations such as Cassava Technologies, Mawingu, and others that are building last‑mile networks across rural and urban communities alike. We’re closing in on our global goal of reaching 250 million people and will share an update on that progress soon.

We’re investing in AI infrastructure with sensitivity to digital sovereignty needs. We recognize that in a fragmented world, we must offer customers attractive choices for the use of our offerings. This includes sovereign controls in the public cloud, private sovereign offerings, and close collaboration with national partners.

We pursue all this with commitments to protect cybersecurity, privacy, and resilience. In the age of AI, we ensure that our customers’ AI-based innovations and intellectual property remain in their hands and under their control, rather than being transferred to AI providers.

Critically, we balance our focus on national sovereignty with our efforts to support digital trust and stability across borders. The Global South requires enormous investments to fund infrastructure for datacenters, connectivity, and electricity. It is difficult to imagine meeting all these needs without foreign direct investment, including from international technology firms.

This need is part of what informed our announcement last week at the Munich Security Conference of the new Trusted Tech Alliance. This new partnership brings together 16 leading technology companies from 11 countries and four continents. We’ve agreed together that we will adhere to five core principles designed to ensure trust in technology. Ultimately, we believe the Global South—as well as the rest of the world—needs both to protect its digital sovereignty and benefit from new investments and the best digital innovations the world has to offer.

2. Empowering people through technology and skills for schools and nonprofits

Ultimately, datacenters, connectivity, and electricity provide only part of the digital infrastructure a nation needs. History shows that the ability to provide access to technology and to technology skills is equally important for economic development.

As a company, we’re focused on this in multiple ways. One critical aspect of our work is based on programs to provide cloud, AI, and other digital technologies to schools and nonprofits across the Global South. Another is our work to advance broad access to AI skills. In our last fiscal year, Microsoft invested more than $2 billion in these programs in the Global South. This includes direct financial grants, technology donations, skilling programs, and below-market product discounts.

AI skills are foundational to ensuring that AI expands opportunity and enables people to pursue more impactful real-world applications. With the launch of Microsoft Elevate in July, we committed to helping 20 million people in and beyond the Global South earn in-demand AI skilling credentials by 2028. After training 5.6 million people across India in 2025, we advanced this work by setting a goal last December to equip 20 million people in India with essential AI skills by 2030.

As part of that commitment, today we are announcing the launch of Elevate for Educators in India to strengthen the capacity of two million teachers across more than 200,000 schools, vocational institutes, and higher education settings. Our goal is to help the country’s teaching workforce lead confidently in an AI‑driven future. The program will be delivered in partnership with India’s national education and workforce training authorities, expanding equitable AI opportunities for eight million students.

Through Microsoft Elevate, we’re also working to introduce new educator credentials and a global professional learning community that enables teachers to share best practices with peers worldwide. This effort will involve large-scale capacity building initiatives, including AI Ambassadors, Educator Academies, AI Productivity Labs, and Centers of Excellence. It will equip 25,000 institutions with inclusive AI infrastructure while integrating AI learning pathways into major government platforms.

3. Strengthening multilingual and multicultural AI capabilities

Language is another major barrier to AI diffusion across the Global South, particularly in regions where digitally underrepresented languages prevail and access to essential services depends on local-language communication. For billions of people worldwide, AI systems perform less consistently in the languages they rely on most than in English.

That’s why we’re announcing this week new steps to increase our investments across the AI lifecycle, from data and models to evaluation and deployment, to strengthen multilingual and multicultural capabilities and support more inclusive AI systems that will better serve the Global South.

First, we’re investing upstream in language data and model capability. This includes support for LINGUA Africa, which builds on what we learned through LINGUA Europe: that investing in language data and model capability in partnership with local communities can materially improve AI performance for underrepresented languages.

Through LINGUA Africa—a $5.5 million open call led by the Masakhane African Languages Hub, Microsoft’s AI for Good Lab, and the Gates Foundation, with additional support from the UK government—we are prioritizing open, responsibly sourced data across text, speech, and vision as well as use-case-driven AI model development. By enabling African languages in high-impact sectors like education, food security, health, and government services, LINGUA Africa aims to ensure AI advances translate into tangible improvements in people’s daily lives.

Second, we’re advancing multilingual and multicultural evaluation tools. We’re helping expand the MLCommons AILuminate benchmark to include major Indic and Asian languages, enabling more reliable measurement of AI safety and security beyond English.

Today, even when automated evaluation tools expand language coverage, they too often rely on machine translation or English-first model behavior, with predictable failures when local expressions shift meaning. Partnering with academic and government institutions in India, Japan, Korea, and Singapore, and with industry, Microsoft is co-leading AILuminate’s multilingual, multicultural, and multimodal expansion that builds from the ground up. With a pilot dataset of 7,000 high-quality text-and-image prompts for Hindi, Tamil, Malay, Japanese, and Korean, we’re developing tools that reflect how risks manifest in local linguistic and cultural contexts, not just how they appear after translation.

Microsoft Research is also advancing Samiksha, a community-centered method for evaluating AI behavior in real-world contexts, in collaboration with Karya and The Collective Intelligence Project in India. Samiksha encodes local language use, culturally specific communication norms, and locally relevant use cases directly into core testing artifacts by surfacing failure modes that English-first evaluations routinely miss.

Finally, we’re working to scale content provenance for linguistic diversity. For trusted AI deployment, the ecosystem benefits from tools to identify the provenance of digital content like images, audio, or video, distinguishing whether it’s AI-generated. With partners in the Coalition for Content Provenance and Authenticity (C2PA), Microsoft is helping extend content provenance standards beyond an English-ready baseline. This includes forthcoming support for multiple Indic languages across metadata, specifications, and UX guidance, alongside efforts to support mobile-first deployment. With these investments, hundreds of millions more people in India will be better equipped to identify synthetic media in their primary language.

4. Enabling local AI innovations that address community needs

As India’s guiding sutras for the AI Impact Summit recognize, AI must be applied to address pressing challenges in collaboration with people and organizations in the Global South. Microsoft’s increasing investments prioritize locally defined problems, locally grounded expertise, and real-world impact. Our goal is straightforward: to ensure that AI solutions are not only technically sound, but socially relevant and sustainable.

Today, Microsoft is announcing a new AI initiative to strengthen food security across Sub-Saharan Africa, starting in Kenya and designed to scale across the region. Across Global South communities, food security and sustainable agriculture are critical to resilience and progress. In collaboration with NASA Harvest, the government of Kenya, the East Africa Grain Council, UNDP AI Hub for Sustainable Development, and FAO, our AI for Good Lab will use AI on top of satellite data to provide critical, timely food security insights. This builds on what we’ve learned in helping to address rice farming challenges in India, where severe groundwater depletion prompted 150,000 farmers in Punjab to adopt water-saving methods. In collaboration with The Nature Conservancy, Microsoft’s AI for Good Lab developed a classification system with satellite imagery to empower policymakers to track adoption of sustainable rice farming practices, target interventions, and measure water management impacts at scale.

Through Project Gecko, Microsoft Research is also co-designing AI technologies with local communities in East Africa and South Asia to support agriculture. This work includes the Paza family of automatic speech recognition models that can operate on mobile devices across six Kenyan languages, multilingual Copilots, and a Multimodal Critical Thinking (MMCT) Agent that can reason over community-generated video, voice, and text. Microsoft also launched PazaBench—the first automatic speech recognition leaderboard, with initial coverage of 39 African languages—and developed two playbooks for multilingual and multicultural capabilities, Paza and Vibhasha. Likewise, our AI for Good Lab developed a reproducible pipeline for adapting open-weight large language models to low-resource languages, demonstrating measurable gains for languages such as Chichewa, Inuktitut, and Māori.

5. Measuring AI diffusion to guide future AI policies and investments

Finally, accelerating diffusion requires a firm understanding of where AI is being used, how it is being adopted, and where gaps persist. Building on our AI Diffusion Reports and Microsoft GitHub’s long track record of contributing to the OECD AI Policy Observatory, the WIPO Global Innovation Index, and other cross‑country analyses, we’re increasing our investments in research and data sharing to track AI diffusion.

We’re advancing new methods for sharing AI adoption metrics. For example, based on models used in public code repositories hosted on Microsoft GitHub and privacy-preserving aggregated usage signals from Azure Foundry, we’re scaling this work through contributions to the forthcoming Global AI Adoption Index developed by the World Bank.

Signals from the global developer community that builds, adapts, and deploys AI-enabled software round out adoption research. At 24 million, the Indian developer community is the second largest national community on GitHub, where developers learn about and collaborate with the world on AI. The Indian community is also the fastest growing among the top 30 largest economies, with growth at more than 26 percent each year since 2020 and a recent surge of over 36 percent in annual growth as of Q4 2025. Indian developers rank second globally in open-source contributions, second in GitHub Education users, and second in contributions to public generative AI projects, with readiness to use tools like GitHub Copilot across academic, enterprise, and public interest settings enabling AI diffusion.

Insights from this evidence base help inform investments in infrastructure, language capabilities, skilling, or beyond, supporting more targeted and effective interventions to expand AI’s benefits. They also create a common empirical baseline to track progress over time—so AI diffusion becomes something we can measure and shape, not just observe.

Sustaining impact at scale through coordinated global action

For AI to diffuse broadly and deliver meaningful impact across regions, several conditions matter. As a company, we are focused on the need for accessible AI infrastructure, systems that work reliably in real-world contexts, and technologies that can be applied toward local challenges and opportunities. Microsoft is committed to working with partners to advance this work, including sharing data to track progress.

The post We need to act with urgency to address the growing AI divide appeared first on Microsoft On the Issues.


Password Managers Vulnerable to Vault Compromise Under Malicious Server

Researchers at ETH Zurich have tested the security of Bitwarden, LastPass, Dashlane, and 1Password password managers.

The post Password Managers Vulnerable to Vault Compromise Under Malicious Server appeared first on SecurityWeek.


Dior, Louis Vuitton, Tiffany Fined $25 Million in South Korea After Data Breaches

Luxury brands were among the dozens of major companies whose Salesforce instances were targeted by Scattered LAPSUS$ Hunters.

The post Dior, Louis Vuitton, Tiffany Fined $25 Million in South Korea After Data Breaches appeared first on SecurityWeek.


The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs


In this post, we explore how the psychological traps of operational security can unmask even the most sophisticated actors.

February 13, 2026

The threat intelligence landscape is often dominated by talk of sophisticated TTPs (tactics, tools, and procedures), zero-day vulnerabilities, and ransomware. While these technical threats are formidable, they are still operated by human beings, and it is the human element that often provides the most critical breakthroughs in attributing these attacks and de-anonymizing the threat actors behind them.

In our latest webinar, “OPSEC Fails: The Secret Weapon for People-Centric OSINT”, Flashpoint was joined by Joshua Richards, founder of OSINT Praxis. Josh shared an intriguing case study in which an attacker’s digital breadcrumbs led to a life-saving intervention.

Here is how OSINT techniques, combined with Flashpoint’s expansive data capabilities, can dismantle illegal threat actor campaigns by turning a technical investigation into a human one.

Leveraging OPSEC as a Mindset

In a technical context, OPSEC is a risk management process that identifies seemingly innocuous pieces of information that, when gathered by an adversary, could be pieced together to reveal a larger, sensitive picture.

In the webinar, we break down the OPSEC mindset into three core pillars that every practitioner, and threat actor, must navigate. When these pillars fail, the investigation begins.

  • Analyzing the Signature: Every human has a digital signature, such as the way they type (stylometry), the times they are active, and the tools they prefer.
  • Identity Masking & Persona Management: This involves ensuring that your investigative identity has zero overlap with your real life. A common failure includes using the same browser for personal use and investigative research, which allows cookies to bridge the two identities.
  • Traffic Obfuscation: Even with a VPN, certain behaviors such as posting on a dark web forum and then using that same connection to check personal banking can expose an IP address, linking it to a practitioner or threat actor.

“Effective OPSEC isn’t about the tools you use; it’s about what breadcrumbs you are leaving behind that hackers, investigation subjects, or literally anyone could find about you.”

Joshua Richards, founder of OSINT Praxis

Leveraging the Mindset for CTI

Understanding the OPSEC mindset allows security teams to think like the target. When we know the psychological traps attackers fall into, we know exactly where to look for their mistakes.

Each row below pairs an assumption with the mindset trap it creates and the investigative reality that defeats it.

  • Assumption: Insignificant
    • The Mindset Trap: “I’m not a high-value target; no one is looking for me.”
    • The Investigative Reality: Automated Aggression. Hackers use scripts to scan millions of accounts. You aren’t “chosen”; you are “discovered” via automation.
  • Assumption: Invisible
    • The Mindset Trap: “I don’t have a LinkedIn or X account, so I don’t have a footprint.”
    • The Investigative Reality: Shadow Data. Public birth records, property taxes, and historical data breaches create a footprint you didn’t even build yourself.
  • Assumption: Invincible
    • The Mindset Trap: “I have 2FA and complex passwords; I’m unhackable.”
    • The Investigative Reality: Session Hijacking. Infostealer malware steals “session tokens” (cookies). This allows an actor to be you in a browser without ever needing your 2FA code.

During the webinar, Joshua shares a masterclass in how leveraging these concepts can turn a vague dark web threat into a real-world arrest. Check out the on-demand webinar to see exactly how the investigation started on Torum, a dark web forum, and ended with an arrest that saved the lives of two individuals.

Turn the Tables Using Flashpoint

The insights shared in this session powerfully illustrate that even the most dangerous threat actors are rarely as anonymous as they believe. Their downfall isn’t usually a failure of their technical prowess, but a failure of their mindset. By understanding these OSINT techniques, intelligence practitioners can transform a sea of digital noise into a clear path toward attribution.

The most effective way to dismantle threats is to bridge the gap between technical indicators and human behavior. Whether your teams are conducting high-stakes OSINT or protecting your own organization’s digital footprint, every breadcrumb counts. By leveraging Flashpoint’s expansive threat intelligence collections and real-time data, you can stay one step ahead of adversaries. Request a demo to learn more.


The post The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs appeared first on Flashpoint.
