Randolph Barr, Chief Information Security Officer at Cequence, says companies and governments need to ensure identity federation (SSO, SAML, OAuth) is hardened and to validate that third-party applications have only the minimal access they require.
Mr Barr said, “We live in a time where cyberattacks are no longer isolated to the countries directly involved in geopolitical conflict.”
“In the case of Iran, it’s not just about their known cyber capabilities—it’s about the broader network of proxy actors and aligned nations who may view recent U.S. actions as justification for retaliation.”
“This dramatically increases the likelihood that the U.S. and its allies will become targets of cyberwarfare, especially from adversaries seeking to exploit regional instability,” said Barr.
“Iran has historically demonstrated a strong capability in cyber operations, often leveraging credential theft, social engineering, and access via federated identity systems.”
“What makes their tactics especially dangerous is their tendency to abuse federated and third-party access—essentially exploiting trusted relationships and integrations to move laterally and persist undetected,” he said.
Microsoft tracks cyber threat actors based in Iran under the code name “Sandstorm”. Tehran has been escalating its digital attacks on critical infrastructure in Israel and other Middle Eastern and Western countries for the past decade.
Iran is ranked alongside Russia, China and North Korea in its capacity to wreak cyber havoc, and Australia is not immune.
The Australian Signals Directorate has warned that Iran-based hackers are “compromising critical infrastructure” using brute force attacks, such as “password spraying” and “multi-factor authentication (MFA) push bombing” to gain access to user accounts and infiltrate corporate and government networks.
Password spraying is an attack in which hackers try a few commonly used passwords against a large number of accounts, while MFA push bombing tricks users into approving log-on requests.
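As an added illustration (not part of the article and not Cequence's code), the following Python sketch shows how a defender might spot both patterns in sign-in telemetry: a source IP failing against many distinct accounts in a short window, and a burst of MFA pushes to one user followed by an approval. The log format, event names, sample events and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article): "<ISO time> <event> <user> <source IP>".
SAMPLE_LOG = """\
2025-06-23T09:00:01Z LOGIN_FAIL alice 203.0.113.7
2025-06-23T09:00:03Z LOGIN_FAIL bob 203.0.113.7
2025-06-23T09:00:05Z LOGIN_FAIL carol 203.0.113.7
2025-06-23T09:00:07Z LOGIN_FAIL dave 203.0.113.7
2025-06-23T09:00:09Z LOGIN_FAIL erin 203.0.113.7
2025-06-23T09:05:00Z LOGIN_FAIL alice 198.51.100.9
2025-06-23T09:30:00Z MFA_PUSH_SENT grace 192.0.2.5
2025-06-23T09:30:10Z MFA_PUSH_SENT grace 192.0.2.5
2025-06-23T09:30:20Z MFA_PUSH_SENT grace 192.0.2.5
2025-06-23T09:30:30Z MFA_PUSH_SENT grace 192.0.2.5
2025-06-23T09:30:40Z MFA_PUSH_APPROVED grace 192.0.2.5
2025-06-23T10:00:00Z MFA_PUSH_SENT heidi 192.0.2.6
2025-06-23T10:00:05Z MFA_PUSH_APPROVED heidi 192.0.2.6
"""

def parse(log):
    """Turn raw lines into (timestamp, event, user, ip) tuples."""
    rows = [line.split() for line in log.splitlines() if line.strip()]
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ev, u, ip) for ts, ev, u, ip in rows]

def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying: one source failing against many *distinct* accounts within a window."""
    fails = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    flagged = set()
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            if len({u for t, u in attempts[i:] if t - start <= window}) >= min_users:
                flagged.add(ip)
                break
    return flagged

def detect_push_bombing(events, window=timedelta(minutes=2), min_pushes=4):
    """MFA push bombing: a burst of pushes to one user followed by an approval."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for ts, ev, user, _ in events:
        if ev == "MFA_PUSH_SENT":
            pushes[user].append(ts)
        elif ev == "MFA_PUSH_APPROVED":
            approvals[user].append(ts)
    return {user for user, oks in approvals.items()
            for ok in oks if sum(ok - window <= t <= ok for t in pushes[user]) >= min_pushes}
```

On the constructed log, `detect_spraying` flags 203.0.113.7 and `detect_push_bombing` flags grace; a single push followed by an approval (heidi) is left alone.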
Mr Barr said that, in light of the recent DHS and NYDFS warnings, companies should focus on the following priorities:
- Implement MCP-style continuous session validation: Move beyond one-time authentication and continuously verify trust throughout a session.
- Simulate geopolitical threat scenarios: Test your incident response and business continuity plans against scenarios involving nation-state tactics, particularly those aligned with Iran’s known behaviours.
“Cyber conflict is no longer theoretical—it’s strategic, targeted, and often masked behind false flags. Companies need to prepare not just for a direct hit, but for sophisticated campaigns that exploit the gaps between identity, access, and trust.”
Cequence Security is uniquely positioned to help organizations defend against these sophisticated threats through API and application-level protection that’s purpose-built for modern attack methods:
- Discover and lock down exposed APIs: Cequence’s API Spyder and API Sentinel solutions automatically discover shadow, deprecated, or undocumented APIs—often the first targets of state-sponsored actors seeking a foothold via unmonitored entry points.
- Defend against credential stuffing and access abuse: Cequence Bot Defense detects and blocks credential stuffing campaigns in real time, even those masked as legitimate traffic by proxies or human-like automation—a method frequently used by Iranian and proxy actors.
- Harden federated identity paths through behavioral fingerprinting: Cequence tracks behavioral anomalies across sessions, enabling continuous validation and helping identify misuse of SSO, OAuth, or SAML-based identity systems.
- Block malicious third-party access and lateral movement: By monitoring and scoring API interactions, Cequence helps security teams detect when a trusted third party begins acting abnormally—an early signal of lateral movement or compromise via supply chain relationships.
- Geo-intelligence and reputation-based controls: Cequence incorporates threat intelligence and geo-based risk scoring to throttle or block traffic from regions known to harbor adversarial infrastructure, including those linked to Iranian operations or their proxies.
- Simulate geopolitical threat scenarios: Data from Cequence can enrich tabletop exercises with real-world indicators of compromise, attack patterns, and telemetry from live bot and API abuse attempts.