Content

01. News Bites
  • NCSC warns UK organisations to review cyber security posture amid Middle East conflict

  • Surge in hacktivist cyber activity linked to Middle East conflict

  • Europol operation disrupts major phishing-as-a-service platform

  • Attackers abuse OAuth redirects to bypass phishing protections

  • Ransomware and OT cyber incidents surge across maritime sector

02. Conclusion

Quick News Bites

NCSC warns UK organisations to review cyber security posture amid Middle East conflict

The UK’s National Cyber Security Centre (NCSC) has urged organisations to review their cyber security posture in light of the evolving conflict in the Middle East. While the NCSC currently assesses that there has been no significant increase in the direct cyber threat from Iran to the UK, the situation remains fluid and could change quickly as events develop.

The agency warns that the likelihood of indirect cyber threats may rise, particularly for organisations with operations, offices or supply chains linked to the region. Iranian state-linked actors and affiliated hacktivist groups are known to retain cyber capabilities and could launch disruptive activity against organisations perceived to be connected to opposing interests.

The NCSC advises organisations to review existing guidance on DDoS attacks, phishing campaigns and potential attempts to target industrial control systems. Businesses with exposure to the region should consider increasing monitoring, reassessing their external attack surface and signing up to the NCSC Early Warning service to receive alerts on emerging security issues.

Surge in hacktivist cyber activity linked to Middle East conflict

Cybersecurity researchers are warning of a sharp increase in hacktivist activity following the U.S. and Israel’s coordinated military campaign against Iran, known as Operation Epic Fury and Roaring Lion. Security analysts report that cyber operations have escalated alongside the physical conflict, with multiple groups launching disruptive campaigns targeting government infrastructure, financial institutions and telecommunications providers.

According to Radware, at least 149 hacktivist DDoS attacks were claimed between 28 February and 2 March, targeting 110 organisations across 16 countries. Two groups, Keymous+ and DieNet, were responsible for nearly 70% of the activity. Most attacks were concentrated in the Middle East, particularly Kuwait, Israel and Jordan, though Europe accounted for more than 22% of global activity. Nearly half of all targets were government organisations.

Security researchers also report activity from state-aligned threat actors and pro-Iran cyber groups, including campaigns involving phishing, malware distribution and attempted intrusions into energy and digital infrastructure. Analysts warn that cyber operations tied to geopolitical tensions often blend disruption, espionage and psychological influence, increasing the likelihood of further attacks against governments, critical infrastructure and private sector organisations worldwide.

Europol operation disrupts major phishing-as-a-service platform

An international law enforcement operation coordinated by Europol has disrupted Tycoon2FA, a large phishing-as-a-service (PhaaS) platform responsible for sending tens of millions of phishing emails each month. As part of the coordinated action, authorities seized and took offline 330 domains used by the criminal service, including phishing pages and backend control panels.

The technical disruption was led by Microsoft with support from several private sector partners, while law enforcement agencies in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom carried out infrastructure seizures. The investigation began after threat intelligence was shared by Trend Micro and coordinated through Europol’s cybercrime networks.

Active since at least August 2023, Tycoon2FA enabled cybercriminals to bypass multi-factor authentication protections by using an adversary-in-the-middle phishing technique. The platform intercepted login credentials and session cookies in real time, allowing attackers to hijack authenticated sessions for services such as Microsoft 365 and Gmail.

Sold through Telegram subscriptions, the service lowered the barrier for cybercriminals to launch sophisticated MFA-bypassing attacks against organisations worldwide.

Attackers abuse OAuth redirects to bypass phishing protections

Security researchers have uncovered a phishing technique that abuses legitimate OAuth redirection mechanisms to bypass email and browser protections. The attacks primarily target government and public sector organisations, using phishing emails that appear to contain legitimate authentication requests.

The messages often impersonate common business communications such as e-signature requests, Social Security notifications, meeting invitations, password resets or financial updates. In some cases, the malicious OAuth links are embedded within PDF files to evade detection by security tools.

According to Microsoft Defender researchers, attackers register malicious OAuth applications within tenants they control and configure redirect URLs pointing to attacker infrastructure. When victims interact with the authentication request, manipulated parameters trigger authentication errors that silently redirect users to malicious sites.

Some victims are sent to phishing pages powered by attacker-in-the-middle frameworks capable of intercepting session cookies and bypassing multi-factor authentication. Others are redirected to download malicious files that deploy malware through PowerShell and DLL side-loading techniques, highlighting how identity-based attack methods are evolving.
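One defender-side check for the redirect abuse described above, as an added example that is not part of the bulletin or of Microsoft's own tooling: it inspects OAuth authorisation links extracted from email and flags any whose redirect_uri would send the user to a host outside an allowlist. The authorize endpoint host, the allowlist and the sample links are assumptions constructed for this example.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Hosts that legitimately serve OAuth authorisation requests (assumption: Microsoft
# identity platform; extend for other identity providers you use).
AUTHORIZE_HOSTS = {"login.microsoftonline.com"}

# Hosts your own app registrations are allowed to redirect to (constructed allowlist;
# replace with the redirect URIs actually registered for your applications).
ALLOWED_REDIRECT_HOSTS = {"login.example.com", "app.example.com"}

# Constructed sample links such as a mail gateway might extract from a message body.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fesign-review.invalid%2Fdoc&scope=bogus.scope",
    "https://docs.example.com/esign/12345",
]


def _verdict(url, is_authorize, suspicious, reason, redirect_host="", client_id=""):
    return {"url": url, "is_authorize": is_authorize, "suspicious": suspicious,
            "reason": reason, "redirect_host": redirect_host, "client_id": client_id}


def inspect_oauth_link(url: str) -> dict:
    """Classify one link. An authorize request is flagged when its redirect_uri
    host is not in the allowlist: the identity provider delivers both successful
    responses and error responses (e.g. an invalid scope) to that host, so the
    user lands on it whether or not they consent."""
    parsed = urlparse(url)
    if parsed.hostname not in AUTHORIZE_HOSTS or "/oauth2/" not in parsed.path:
        return _verdict(url, False, False, "not an OAuth authorize link")
    params = parse_qs(parsed.query)
    client_id = params.get("client_id", [""])[0]
    # parse_qs decodes once; unquote again so a double-encoded value cannot hide the host.
    redirect_uri = unquote(params.get("redirect_uri", [""])[0])
    if not redirect_uri:
        return _verdict(url, True, True, "authorize link without redirect_uri", "", client_id)
    host = (urlparse(redirect_uri).hostname or "").lower()
    if host not in ALLOWED_REDIRECT_HOSTS:
        return _verdict(url, True, True, f"redirect_uri host {host!r} not in allowlist", host, client_id)
    return _verdict(url, True, False, "redirect_uri host allowed", host, client_id)


def scan_links(urls):
    """Return only the verdicts worth an analyst's attention."""
    return [v for v in map(inspect_oauth_link, urls) if v["suspicious"]]
```

The client_id in a flagged verdict is what to look up in your tenant's enterprise applications and sign-in logs to see whether anyone has already consented to or signed in through that app.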

Ransomware and OT cyber incidents surge across maritime sector

A new report from Cydome highlights a sharp increase in cyber threats targeting operational technology (OT) systems in the maritime sector. Ransomware attacks against maritime OT environments rose by 150% in 2025, while attacks on network edge devices such as routers, VPNs and firewalls increased by 800%. The report also noted that 22% of organisations experienced an OT or industrial control systems (ICS) incident during the year, with many attacks beginning through unauthorised external access.

Modern shipping operations are becoming increasingly connected through satellite communications and IoT sensors, transforming vessels from isolated systems into part of a global digital network. This shift has significantly expanded the attack surface for cybercriminals. The report also warns of a dramatic rise in GPS spoofing incidents, with around 1,000 disruptions reported daily, affecting approximately 40,000 vessels and raising serious safety concerns.

Researchers say artificial intelligence is rapidly changing the cyber threat landscape. AI-assisted phishing, identity fraud and automated vulnerability discovery are accelerating the speed and scale of attacks. With nearly 50,000 new vulnerabilities disclosed in 2025 and many weaponised within days, organisations are being urged to strengthen OT visibility, improve patch management and secure remote access infrastructure to protect critical maritime operations.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.