Iran-Linked Password-Spraying Campaign Targets Over 300 Israeli Organizations

A password-spraying campaign attributed to an Iranian threat actor has targeted Microsoft 365 environments in Israel and the U.A.E., affecting numerous organizations across various sectors.

An Iranian-linked threat actor is suspected of conducting a password-spraying campaign aimed at Microsoft 365 environments in Israel and the United Arab Emirates (U.A.E.), coinciding with ongoing regional tensions. This campaign, assessed to be ongoing, unfolded in three distinct waves on March 3, March 13, and March 23, 2026, according to cybersecurity firm Check Point.

Scope of the Attack

The campaign has impacted over 300 organizations in Israel and more than 25 in the U.A.E., primarily targeting government entities, municipalities, and private-sector companies in sectors such as technology, transportation, and energy. Additionally, similar activity was noted against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia.

Password Spraying Technique

Password spraying is a brute-force attack method where a single common password is attempted across multiple usernames within the same application. This technique is considered effective for identifying weak credentials at scale while minimizing the risk of triggering security defenses. Check Point noted that Iranian hacking groups, including Peach Sandstorm and Gray Sandstorm (formerly known as DEV-0343), have previously employed this method.

Attack Phases and Techniques

The campaign comprises three phases: aggressive scanning or password-spraying from Tor exit nodes, followed by login attempts, and finally, the exfiltration of sensitive data, such as mailbox content. Analysis of Microsoft 365 logs revealed similarities to the methods used by Gray Sandstorm, including the employment of red-team tools via Tor exit nodes. The threat actor also utilized commercial VPN nodes associated with Iranian operations.

Recommended Mitigations

To mitigate the risks posed by this campaign, organizations are advised to monitor sign-in logs for indications of password spraying, implement conditional access controls to restrict authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logs for post-compromise investigations. These measures can help strengthen defenses against such attacks.
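One way to act on the first of these mitigations, monitoring sign-in logs for password spraying, is sketched below as an added example; it is not code from Check Point or from this article. The event layout, the thresholds (30 minutes, 5 accounts, at most 2 failures per account) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, user, ip, ok=False):
    return (datetime.fromisoformat(ts), user, ip, ok)

# Constructed sample sign-in events, not real logs. The tuple layout (time, user,
# source IP, success flag) is an assumption; map your own log export onto it.
SAMPLE_EVENTS = [
    # One source, five accounts, one failure each, plus a success: spray pattern.
    _ev("2026-03-03T08:00:05", "alice@example.org", "203.0.113.7"),
    _ev("2026-03-03T08:00:40", "bob@example.org", "203.0.113.7"),
    _ev("2026-03-03T08:01:10", "carol@example.org", "203.0.113.7"),
    _ev("2026-03-03T08:01:45", "erin@example.org", "203.0.113.7"),
    _ev("2026-03-03T08:02:10", "dave@example.org", "203.0.113.7", ok=True),
    _ev("2026-03-03T08:02:30", "frank@example.org", "203.0.113.7"),
    # One user mistyping a password: repeated failures on one account, not a spray.
    _ev("2026-03-03T09:00:00", "heidi@example.org", "198.51.100.20"),
    _ev("2026-03-03T09:00:20", "heidi@example.org", "198.51.100.20"),
    _ev("2026-03-03T09:00:45", "heidi@example.org", "198.51.100.20"),
    _ev("2026-03-03T09:01:30", "heidi@example.org", "198.51.100.20", ok=True),
    # Shared office egress: a few unrelated failures, below the threshold.
    _ev("2026-03-03T10:00:00", "ivan@example.org", "192.0.2.10"),
    _ev("2026-03-03T10:10:00", "judy@example.org", "192.0.2.10"),
]

def find_sprays(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs whose failures hit many accounts, few times each; list later successes."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e[3]]
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for _, user, _, _ in failures[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hit = findings.setdefault(ip, {"first_seen": failures[start][0], "targeted": set()})
                hit["targeted"].update(per_user)
        if ip in findings:
            findings[ip]["succeeded"] = {u for t, u, _, ok in evs if ok and t >= findings[ip]["first_seen"]}
    return findings

if __name__ == "__main__":
    print(find_sprays(SAMPLE_EVENTS))
```

Accounts listed under `succeeded` signed in successfully from a source that matched the spray pattern, so they are the first candidates for credential reset and mailbox audit review.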

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
