Saher Naumaan

Saher Naumaan is a Senior Threat Researcher on the espionage team at Proofpoint. She currently researches state-sponsored cyber operations with a focus on hunting threat groups and activity originating from Iran and North Korea. She also guest lectures in the Department of War Studies at King’s College London. Prior to Proofpoint, Saher was a Principal Threat Intelligence Analyst at BAE Systems Digital Intelligence.

‍

Talk: Wartime Signals: What Iranian Phishing Reveals About Cyber Operations in Conflict [TLP:AMBER+STRICT]

In any conflict setting, cyber operations are often assumed to scale in parallel with kinetic activity, with expectations of disruptive attacks, critical infrastructure targeting, and coordinated influence campaigns. While this can be accurate at times, the constant hype and pressure for answers can also cloud the reality, lead to analytical bias, and draw premature conclusions. The US-Israel-Iran war that began on 28 February 2026 created expectations for Iranian retaliatory response. After kinetic strikes, a domestic internet shutdown, elimination of senior leadership, and regional military escalation, cyberattacks must be next. However, beyond public incidents or claims, what does the data tell us? Based on sightings of Iranian phishing activity after the conflict began - and a comparison with campaigns in the months prior - we can attempt to discern what changed and what didn't; capability vs intention; and the possible effects of resourcing and disruption. An analysis of activity volume, operational tempo and cadence of tracked threat groups, actor affiliation, targeting interests, and TTPs over time can potentially give us insights into priorities of the Iranian government. What does Iranian phishing activity say about the continuity, escalation, or adaptation of Iranian behavior in wartime cyber operations?

‍