Although it has been reported that Iran played an active role in planning the October 7 attack on Israel, Microsoft data tells a different part of the story. Observations from our telemetry suggest that, at least in the cyber domain, Iranian operators have largely been reactive, exploiting opportunities to take advantage of events on the ground as they unfold. This presentation will compare and contrast activity attributed to Iranian groups before and after October 7, highlighting a number of instances where operators leveraged existing access, infrastructure, and tooling, ostensibly to meet new objectives.
