Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
Iran-affiliated hackers launch a wide-scale "Password-Spraying" attack against Microsoft 365 environments in Israel
Iran-Nexus Threat Actors Launch Massive Password-Spraying Campaign Against Israeli Microsoft 365 Environments
TL;DR
An Iranian-linked threat actor is currently conducting a wide-scale password-spraying campaign targeting over 300 organizations in Israel and 25 in the U.A.E. The attack, which focuses on Microsoft 365 cloud environments, utilizes Tor exit nodes and commercial VPNs to bypass defenses and exfiltrate sensitive data.
Amidst escalating regional tensions, a sophisticated Iran-nexus threat actor has launched a series of aggressive cyberattacks targeting Microsoft 365 (M365) environments. According to a recent report from Check Point, the campaign has primarily focused on infrastructure within Israel and the United Arab Emirates, though impacts have been felt globally.
The Anatomy of the Attack
The ongoing campaign has unfolded in three distinct waves, occurring on March 3, March 13, and March 23, 2026. By utilizing "password spraying"—a technique where an attacker tries a single common password against a vast list of usernames—the actors aim to find weak credentials without triggering traditional account lockout or rate-limiting defenses.
Scope and Targets
The scale of the operation is significant:
- Israel: 300+ organizations targeted.
- U.A.E.: 25+ organizations targeted.
- Global Reach: Limited activity has also been detected in the United States, United Kingdom, Saudi Arabia, and Europe.
Sector targets include government entities, municipalities, technology firms, transportation hubs, energy sector organizations, and various private-sector companies.
Technical Similarities to Known Actors
Check Point’s analysis suggests the campaign shares characteristics with Gray Sandstorm (formerly known as DEV-0343). This group, alongside Peach Sandstorm, has a history of using similar tactics to infiltrate target networks.
The attack lifecycle typically follows three phases:
- Scanning and Spraying: Executed via Tor exit nodes to mask the attacker's origin.
- Authentication: Attempting the login process using discovered credentials.
- Exfiltration: Accessing and stealing sensitive data, specifically mailbox content.
The threat actors were also observed using commercial VPN nodes (specifically AS35758), a tactic that aligns with recent documented Iran-nexus operations in the Middle East.
The Revival of Pay2Key and New Ransomware Threats
This campaign coincides with a resurgence of Pay2Key, an Iranian ransomware-as-a-service (RaaS) group linked to the "Fox Kitten" ensemble. In late February 2026, Pay2Key targeted a U.S. healthcare organization using an upgraded variant of their malware.
Key findings regarding recent Pay2Key activity include:
- Evasion Tactics: The group now uses improved anti-forensics, including clearing logs at the end of an execution to wipe traces of the ransomware itself.
- Incentives: The group has reportedly increased the affiliate cut of ransom proceeds from 70% to 80% for attacks targeting "enemies of Iran."
- Linux Capability: A Linux variant of Pay2Key has surfaced, capable of disabling SELinux and AppArmor to ensure full system encryption.
Furthermore, reports indicate the rise of Baqiyat 313 Locker (BQTlock), a pro-Palestinian and pro-Iranian ransomware that has been targeting the U.S., Israel, and the U.A.E. since mid-2025.
Defensive Recommendations
To mitigate the risk of password spraying and subsequent data exfiltration, organizations are urged to implement several critical security controls:
- Enforce Multi-Factor Authentication (MFA): This remains the single most effective defense against credential-based attacks.
- Conditional Access: Limit authentication requests to approved geographic locations to block attempts coming from unusual regions.
- Monitor Sign-in Logs: Look for high volumes of failed login attempts across multiple accounts coming from Tor or known VPN exit nodes.
- Enable Detailed Auditing: Ensure M365 audit logs are active to facilitate thorough post-compromise investigations if a breach occurs.
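The monitoring recommendation above is the one that actually catches the technique described in the article: a spray shows up as a small number of failures per account spread across many accounts from one source, which is exactly the pattern that per-account lockout thresholds miss. The following is an added example (not from the Check Point report, The Hacker News article, or any Microsoft tooling) showing that detection logic in Python over constructed sign-in records. Field names mirror the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, and `status.errorCode` flattened to `errorCode`); the IP addresses, accounts, timestamps and the `KNOWN_ANONYMIZER_IPS` set are invented, and the thresholds are assumptions to tune against your own baseline. Error code 50126 is the Entra ID code for a wrong username or password.

```python
"""Flag password-spraying sources in Microsoft Entra ID sign-in logs.

Added example, not code from the article or the Check Point report.
Records are constructed; field names follow the Graph signIn schema,
with status.errorCode flattened to a top-level "errorCode" (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0

# Constructed stand-in for a Tor exit / VPN node feed (the article names
# Tor exit nodes and AS35758; this set is invented, not a real feed).
KNOWN_ANONYMIZER_IPS = frozenset({"203.0.113.7"})


def _ev(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "errorCode": code}


# Constructed sample log: one spray source, one fat-fingering user, one
# low-volume source that stays below the threshold.
SAMPLE_SIGNINS = [
    _ev("2026-03-03T02:00:00Z", "alice@example.test", "203.0.113.7", INVALID_CREDENTIALS),
    _ev("2026-03-03T02:01:10Z", "bob@example.test",   "203.0.113.7", INVALID_CREDENTIALS),
    _ev("2026-03-03T02:02:20Z", "carol@example.test", "203.0.113.7", INVALID_CREDENTIALS),
    _ev("2026-03-03T02:03:30Z", "dave@example.test",  "203.0.113.7", INVALID_CREDENTIALS),
    _ev("2026-03-03T02:04:40Z", "erin@example.test",  "203.0.113.7", INVALID_CREDENTIALS),
    _ev("2026-03-03T02:05:50Z", "frank@example.test", "203.0.113.7", INVALID_CREDENTIALS),
    _ev("2026-03-03T02:07:00Z", "grace@example.test", "203.0.113.7", SUCCESS),  # weak password hit
    # Legitimate user mistyping twice from an office address: one account only.
    _ev("2026-03-03T08:00:00Z", "bob@example.test", "198.51.100.20", INVALID_CREDENTIALS),
    _ev("2026-03-03T08:00:30Z", "bob@example.test", "198.51.100.20", INVALID_CREDENTIALS),
    _ev("2026-03-03T08:01:00Z", "bob@example.test", "198.51.100.20", SUCCESS),
    # Three failures against three accounts spread over a day: never five in one hour.
    _ev("2026-03-03T01:00:00Z", "heidi@example.test", "192.0.2.9", INVALID_CREDENTIALS),
    _ev("2026-03-03T09:00:00Z", "ivan@example.test",  "192.0.2.9", INVALID_CREDENTIALS),
    _ev("2026-03-03T17:00:00Z", "judy@example.test",  "192.0.2.9", INVALID_CREDENTIALS),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(hours=1), min_users=5,
                 max_per_user=3, anonymizers=frozenset()):
    """Return {ip: finding} for sources whose failures, inside any `window`,
    touch at least `min_users` distinct accounts with at most `max_per_user`
    attempts each (many accounts, few tries each = spray, not brute force).
    Successful sign-ins from that source after the spray began are listed
    as accounts to review for compromise."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        failures = [e for e in evs if e["errorCode"] == INVALID_CREDENTIALS]
        best = None
        for i in range(len(failures)):  # slide a window over each failure as start
            start = parse_ts(failures[i]["createdDateTime"])
            per_user = defaultdict(int)
            for e in failures[i:]:
                if parse_ts(e["createdDateTime"]) - start > window:
                    break
                per_user[e["userPrincipalName"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best[1]):
                    best = (start, per_user)
        if best is None:
            continue
        start, per_user = best
        successes = sorted(e["userPrincipalName"] for e in evs
                           if e["errorCode"] == SUCCESS
                           and parse_ts(e["createdDateTime"]) >= start)
        findings[ip] = {
            "window_start": start.isoformat(),
            "targeted_accounts": sorted(per_user),
            "failures": sum(per_user.values()),
            "successful_signins": successes,  # review these first
            "known_anonymizer": ip in anonymizers,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_SIGNINS, anonymizers=KNOWN_ANONYMIZER_IPS).items():
        print(f"{ip}: {f['failures']} failures across {len(f['targeted_accounts'])} accounts "
              f"from {f['window_start']}; anonymizer={f['known_anonymizer']}; "
              f"successes={f['successful_signins']}")
```

The per-account cap is what separates a spray from a single-account brute force, and the post-spray success list is the triage queue: those accounts need session revocation and a password reset before the mailbox access described in the exfiltration phase can occur. In production the same logic maps directly onto a scheduled query over the `SigninLogs` table rather than an in-memory list.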
Conclusion
As state-sponsored operations increasingly blur the lines between criminal extortion and strategic sabotage, cloud environments remain a primary frontline. The scale of this campaign—targeting hundreds of organizations simultaneously—highlights the persistent threat posed by Iran-linked groups who continue to refine their toolsets for both espionage and disruption.
Source: https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html