
Geopolitical Conflict Is a Cybersecurity Event: What M365 Admins Must Do Right Now

Wars don't stay on the battlefield anymore. The Middle East conflict has triggered a measurable surge in state-sponsored cyberattacks targeting Microsoft 365 tenants. Here is what IT administrators must do to harden their identity infrastructure before they become collateral damage.

Nikolai Poverud

Founder & CEO

March 2, 2026

Wars Don't Stay on the Battlefield

When most people think about the conflict in the Middle East, they think about airstrikes, diplomacy, and humanitarian crises. What they don't think about is their Microsoft 365 tenant.

They should.

Every major geopolitical conflict in the last decade has had a cyber dimension. And in 2025-2026, that dimension has become the primary theater for many state-sponsored actors. Microsoft's 2025 Digital Defense Report documented that nation-state actors are increasingly focused on intelligence collection and manipulation operations — and their favorite entry point is identity infrastructure.

Your Entra ID tenant. Your Global Admin accounts. Your Conditional Access policies. These are now targets in a conflict most IT administrators don't realize they're part of.


The Threat Is Not Theoretical

Let's look at what's actually happening.

Iran Is Expanding Beyond the Middle East

Iranian state-linked hackers have expanded their cyber operations beyond regional targets to include organizations in North America and Europe. Microsoft observed three Iranian state-affiliated actors targeting shipping and logistics firms in Europe and the Persian Gulf — pre-positioning for potential disruption of commercial operations.

Their preferred technique? Brute-force attacks against user accounts to compromise credentials and modify MFA registrations, enabling persistent access. Once they're in your identity layer, they own your tenant.

Palo Alto Networks executives have warned that the Iran conflict will likely trigger an increasing wave of geopolitical cyberattacks, with nation-state actors deploying cyber "sidearms" alongside conventional operations.

Russia Is Targeting NATO-Aligned Organizations

While still focused on Ukraine, Russian state-affiliated actors have expanded their targeting. The top ten countries most affected by Russian cyber activity outside of Ukraine now all belong to NATO — a 25% increase compared to the previous year.

The attack methods are sophisticated and identity-focused:

  • Storm-2372 and APT29 have been documented using device code phishing to compromise Microsoft 365 accounts in government, think tanks, higher education, and transportation sectors
  • APT28 exploited a Microsoft Office zero-day (CVE-2026-21509) to deploy MiniDoor and PixyNetLoader malware
  • Midnight Blizzard famously compromised Microsoft's own corporate environment through a password spray attack on a test account that didn't have MFA enabled — then escalated through a legacy OAuth application to access executive mailboxes

The Numbers Are Stark

According to Microsoft's threat intelligence:

  • More than 97% of identity attacks are password attacks
  • Identity-based attacks surged by 32% in the first half of 2025
  • Over half of all cyberattacks with known motives were driven by extortion or ransomware
  • Google linked China, Iran, Russia, and North Korea to coordinated defense sector cyber operations in early 2026

This isn't a future risk. It's happening now, to organizations like yours.


Why Identity Is the Battlefield

Traditional cyberattacks targeted networks. Modern attacks target identity.

The shift makes sense. Why try to breach a firewall when you can simply log in? A compromised Global Admin account gives an attacker everything:

Traditional Attack                 | Identity Attack
-----------------------------------|---------------------------------------------------
Exploit network vulnerability      | Phish a credential
Move laterally through servers     | Elevate privileges through Entra ID
Exfiltrate data via malware        | Read mailboxes via legitimate API
Hard to maintain persistence       | Modify MFA, create OAuth apps, persist invisibly

State-sponsored actors have learned this lesson. Midnight Blizzard didn't hack into Microsoft through a zero-day exploit. They brute-forced a password on an account without MFA, then leveraged legitimate OAuth permissions to access what they wanted. The tools they used were the tools Microsoft provides — just with stolen credentials.

Your tenant is vulnerable to the exact same playbook.


What You Must Do Right Now

This isn't a list of nice-to-haves. These are urgent hardening actions that every Microsoft 365 administrator should complete within the next two weeks. The threat environment demands it.

1. Eliminate Standing Global Admin Access

If you have more than two accounts with permanent Global Admin privileges, you're carrying unnecessary risk. State-sponsored actors specifically hunt for over-privileged accounts.

Action: Implement Privileged Identity Management (PIM) for just-in-time access. No standing admin should have permanent Global Admin. Require approval workflows and time-limited elevation.

If you don't have Entra ID P2 licensing, at minimum create dedicated admin accounts that are separate from daily-use accounts, and enforce phishing-resistant MFA on every one of them.

2. Enforce Phishing-Resistant MFA Everywhere

Standard MFA is not enough. SMS codes can be SIM-swapped. Push notifications can be fatigue-attacked. The actors targeting your tenant know how to bypass basic MFA.

Action: Deploy FIDO2 security keys or passkeys for all privileged accounts. At minimum, require Microsoft Authenticator with number matching for all users. Block legacy authentication protocols entirely — these protocols cannot support MFA at all and are the first thing attackers probe.

CISA's SCuBA baselines specifically require blocking legacy protocols and enforcing phishing-resistant MFA. If it's good enough for federal agencies, it's good enough for your organization.

3. Audit Your OAuth Application Permissions

The Midnight Blizzard attack on Microsoft escalated through a legacy OAuth application with elevated permissions. Most tenants have dozens of OAuth apps with permissions that nobody has reviewed in months — or ever.

Action: Go to Entra ID > Enterprise Applications and review every application with one of these permissions:

  • Mail.Read or Mail.ReadWrite (can read all mailboxes)
  • Directory.ReadWrite.All (can modify your entire directory)
  • Application.ReadWrite.All (can create more OAuth apps)
  • RoleManagement.ReadWrite.Directory (can assign admin roles)

Remove any application that doesn't have a clear business justification. Revoke admin consent for anything suspicious. This is the backdoor that nation-state actors love.

4. Review Conditional Access for Gaps

A Conditional Access policy with exceptions is a Conditional Access policy with holes. State-sponsored actors specifically look for:

  • Service accounts excluded from MFA requirements
  • Break-glass accounts without monitoring
  • Guest users not subject to device compliance
  • Legacy protocols allowed as fallback

Action: Review every Conditional Access policy. Document every exclusion. For each exclusion, ask: "If an attacker exploited this gap, what would they get?" If the answer is "access to our tenant," close the gap.

5. Enable and Monitor Sign-In Risk Policies

Entra ID Protection can detect impossible travel, leaked credentials, and anomalous sign-in patterns — but only if you've enabled it.

Action: Enable sign-in risk policies that block or require MFA for medium and high-risk sign-ins. Enable user risk policies that require password change for high-risk users. These are specifically designed to catch the patterns that state-sponsored actors create.

6. Block Countries You Don't Operate In

If your organization has no employees, partners, or customers in certain high-risk countries, there is no reason to allow authentication from those locations.

Action: Create a named location in Conditional Access that includes countries where your organization has no legitimate business. Block sign-ins from those locations. This is a blunt but effective control that eliminates a huge volume of brute-force and spray attacks.

7. Audit Guest and External Access

External collaboration is a feature. Unmonitored external access is a vulnerability.

Action: Review all guest accounts in your tenant. Remove any that are no longer needed. Ensure remaining guest accounts are subject to the same Conditional Access policies as internal users. Restrict which domains can be invited as guests.


Why Point-in-Time Checks Aren't Enough

Here's the hard truth: doing everything on this list today doesn't protect you tomorrow.

These configurations drift. Someone adds an exclusion to a Conditional Access policy for a "temporary" fix. A new service account gets created without MFA. An OAuth app gets admin consent during a rushed integration. A new admin role gets assigned and never reviewed.

In the Midnight Blizzard attack, the vulnerability was a test account that had been sitting there with excessive permissions and no MFA. It wasn't a failure of initial configuration. It was a failure of continuous monitoring.

CISA recognized this when they mandated that federal agencies not only implement SCuBA baselines but deploy assessment tools to continuously verify that configurations remain compliant. The directive (BOD 25-01) doesn't just say "configure it right." It says "prove it stays right."

This is the principle behind Desired State Configuration: define what your tenant should look like, then continuously evaluate whether it still looks that way. Every deviation is a potential indicator of compromise — or at minimum, an unmanaged risk.
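The seven actions above and the desired-state principle reduce to one loop: declare the intended configuration, take a snapshot of the tenant, and report every deviation. The Python below is an added example, not the author's or Microsoft's code; it checks actions 1 to 4 against a constructed snapshot whose field names only loosely follow Microsoft Graph's conditionalAccessPolicy and oAuth2PermissionGrant shapes, and the baseline limit, the documented break-glass exception and all account names are assumptions.

```python
BASELINE = {"max_permanent_global_admins": 2, "documented_exclusions": {"breakglass@contoso.example"},  # constructed
            "high_risk_scopes": {"Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All",
                                 "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}}

def check_global_admins(tenant, baseline):
    """Action 1: permanent (non-PIM) Global Administrator assignments above the limit."""
    admins = sorted(a["principal"] for a in tenant["permanentRoleAssignments"] if a["role"] == "Global Administrator")
    limit = baseline["max_permanent_global_admins"]
    return [f"{len(admins)} permanent Global Admins (limit {limit}): {', '.join(admins)}"] if len(admins) > limit else []

def check_legacy_auth_blocked(tenant):
    """Action 2: an enabled (not report-only) CA policy must block legacy client app types for all users."""
    blocked = any(p["state"] == "enabled" and p["conditions"]["users"].get("includeUsers") == ["All"]
                  and {"exchangeActiveSync", "other"} <= set(p["conditions"]["clientAppTypes"])
                  and "block" in p["grantControls"]["builtInControls"] for p in tenant["conditionalAccessPolicies"])
    return [] if blocked else ["No enabled Conditional Access policy blocks legacy authentication"]

def check_oauth_grants(tenant, baseline):
    """Action 3: tenant-wide (admin-consented) delegated grants that carry a high-risk scope."""
    return [f"App '{g['clientDisplayName']}' has tenant-wide {sorted(risky)}"
            for g in tenant["oauth2PermissionGrants"] if g["consentType"] == "AllPrincipals"
            and (risky := set(g["scope"].split()) & baseline["high_risk_scopes"])]

def check_ca_exclusions(tenant, baseline):
    """Action 4: every user excluded from an enabled policy must be a documented exception."""
    return [f"Policy '{p['displayName']}' excludes undocumented {sorted(extra)}"
            for p in tenant["conditionalAccessPolicies"] if p["state"] == "enabled"
            and (extra := set(p["conditions"]["users"].get("excludeUsers", [])) - baseline["documented_exclusions"])]

def evaluate(tenant, baseline=BASELINE):
    """Return every deviation from the intended state; an empty list means the snapshot is compliant."""
    return (check_global_admins(tenant, baseline) + check_legacy_auth_blocked(tenant)
            + check_oauth_grants(tenant, baseline) + check_ca_exclusions(tenant, baseline))

SNAPSHOT = {  # constructed snapshot of a drifted tenant; field shapes are modelled on Graph resources
    "permanentRoleAssignments": [{"role": "Global Administrator", "principal": p} for p in
                                 ("admin1@contoso.example", "admin2@contoso.example", "svc-legacy@contoso.example")],
    "conditionalAccessPolicies": [
        {"displayName": "Require MFA", "state": "enabled", "grantControls": {"builtInControls": ["mfa"]},
         "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"], "users": {"includeUsers": ["All"],
                        "excludeUsers": ["breakglass@contoso.example", "svc-sync@contoso.example"]}}},
        {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",  # report-only never blocks
         "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
         "grantControls": {"builtInControls": ["block"]}}],
    "oauth2PermissionGrants": [
        {"clientDisplayName": "Old Mail Connector", "consentType": "AllPrincipals", "scope": "User.Read Mail.ReadWrite offline_access"},
        {"clientDisplayName": "Calendar Widget", "consentType": "Principal", "scope": "Calendars.Read"}]}  # user consent only

for finding in evaluate(SNAPSHOT): print("DRIFT:", finding)  # four findings for the constructed snapshot
```

Run against a real export, the same four checks turn the "temporary" exclusion, the report-only legacy-auth policy and the forgotten admin-consented app into concrete findings rather than things someone remembers to look for.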


The Bigger Picture

Geopolitical conflicts are not going to become less cyber-intensive. The opposite is true. Every major nation-state actor is investing in identity-focused attack capabilities because they work.

The organizations that will weather this threat environment are not the ones with the highest Secure Score or the most expensive security tools. They're the ones that:

  1. Know their intended configuration — documented, specific, and aligned to their risk profile
  2. Detect when reality deviates from intent — not quarterly, not weekly, continuously
  3. Can trace every change — who changed what, when, and whether it was authorized
  4. Act on deviations quickly — before an attacker can exploit the gap

This is not optional security hygiene. In a world where your Microsoft 365 tenant is a legitimate target for state-sponsored actors, it is the minimum standard for responsible administration.


Start Today

You don't need to buy anything to start hardening your tenant. The seven actions above use capabilities built into Microsoft 365 and Entra ID. Most can be completed in an afternoon.

What you do need is urgency. The threat actors targeting your identity infrastructure don't wait for your next quarterly security review. They probe continuously, adapt quickly, and exploit the gap between your intended configuration and your actual configuration.

Close the gap. Start today.

