Iran-Linked Hackers Launch Password Spray Campaign Against Microsoft 365

High severity — significant development or major threat actor activity
Basically, hackers are trying to guess passwords to break into Microsoft accounts in the Middle East.
Iran-linked hackers have launched a password spray campaign against Microsoft 365 tenants in the Middle East. Over 300 organizations in Israel and 25 in the UAE are affected. This attack highlights the risks of weak passwords in cloud environments. Organizations must enhance their security measures to mitigate such threats.
What Happened
A new password spray campaign has emerged, targeting Microsoft 365 tenants in the Middle East, particularly focusing on Israel and the United Arab Emirates. This campaign is linked to a threat actor believed to be operating from Iran. Instead of deploying malware, these attackers are exploiting weak passwords and exposed accounts to gain unauthorized access.
The attacks unfolded in three distinct waves on March 3, 13, and 23, 2026, affecting over 300 organizations in Israel and more than 25 in the UAE. Smaller numbers of targets were also identified in Europe, the United States, the United Kingdom, and Saudi Arabia. The targeted entities included government agencies, municipalities, energy companies, and private businesses.
Who's Affected
The primary victims of this campaign are organizations within Israel and the UAE, with a notable focus on Israeli municipalities. The attack’s design suggests a possible connection to broader geopolitical objectives, including support for military operations.
How It Works
Unlike a traditional brute-force attack, which hammers a single account with many guesses, password spraying tries a few common passwords against many accounts. Because each account sees only a handful of failed logins, the activity is less likely to trip detection. The attackers also spread their attempts across numerous source IP addresses, making it difficult for defenders to block their access effectively.
Once valid credentials were identified, the attackers shifted their login attempts to commercial VPN services, which helped them bypass geo-restrictions and minimize alerts related to foreign access. This tactic allowed them to infiltrate sensitive cloud data without raising alarms typically associated with malware.
Tactics & Techniques
The attack cycle can be broken down into three stages:
- Scan: The attackers used Tor exit nodes and disguised their requests to look like legitimate traffic.
- Infiltrate: Upon finding valid credentials, they accessed sensitive information through legitimate accounts.
- Exfiltrate: The attackers then moved into email and cloud storage, gaining access to personal and organizational data.
Defensive Measures
Organizations must adopt several measures to protect against such attacks:
- Monitor sign-in logs for unusual patterns, such as multiple failed attempts across different accounts.
- Implement location-based access controls to restrict logins from suspicious geographic locations.
- Enforce tenant-wide multi-factor authentication (MFA) to add an extra layer of security.
- Improve password hygiene by encouraging the use of complex, unique passwords.
- Enable audit logs for post-compromise investigations.
These steps are essential, as a single weak password can grant adversaries lasting access to organizational resources. With many services and users relying on Microsoft 365, identity monitoring is as crucial as endpoint security in today's cyber landscape.
🔍 How to Check If You're Affected
1. Review sign-in logs for multiple failed login attempts from the same IP address.
2. Set up alerts for unusual login activity from foreign locations.
3. Enforce multi-factor authentication across all accounts.
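The sign-in log review recommended under Defensive Measures and in step 1 above can be turned into a simple rule. The following is an added example, not code from the original article: it runs over a constructed sample of sign-in events (the log format, account names and IP addresses are all made up) and flags a source IP whose failures spread across many accounts with few attempts each, then lists later successes for those accounts from a different IP, which matches the campaign's reported shift to VPN egress after valid credentials were found.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): "timestamp user source_ip result".
SAMPLE_LOG = """\
2026-03-13T08:00:01Z alice@example.com 203.0.113.10 Failure
2026-03-13T08:00:03Z bob@example.com 203.0.113.10 Failure
2026-03-13T08:00:05Z carol@example.com 203.0.113.10 Failure
2026-03-13T08:00:07Z dave@example.com 203.0.113.10 Failure
2026-03-13T08:00:09Z erin@example.com 203.0.113.10 Failure
2026-03-13T08:01:00Z alice@example.com 198.51.100.7 Failure
2026-03-13T08:01:10Z alice@example.com 198.51.100.7 Failure
2026-03-13T08:01:20Z alice@example.com 198.51.100.7 Failure
2026-03-13T09:30:00Z erin@example.com 192.0.2.55 Success
2026-03-13T09:45:00Z grace@example.com 192.0.2.55 Success
"""

def parse(log):
    """Turn the space-separated sample into event dicts."""
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": u, "ip": ip,
             "result": r} for ts, u, ip, r in (l.split() for l in log.splitlines())]

def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Map source IP -> accounts it sprayed: many distinct accounts, few failures
    each, inside one window. One account hammered (198.51.100.7) is not a spray."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failure":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:  # failures within `window` of this one
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.setdefault(ip, set()).update(per_user)
    return flagged

def post_spray_successes(events, flagged):
    """Successful sign-ins by sprayed accounts from an IP other than the sprayer's.
    An investigation lead, not a verdict: legitimate users sign in from new IPs too."""
    sprayed = defaultdict(set)
    for ip, users in flagged.items():
        for user in users:
            sprayed[user].add(ip)
    return [(e["user"], e["ip"]) for e in events if e["result"] == "Success"
            and e["user"] in sprayed and e["ip"] not in sprayed[e["user"]]]
```

The thresholds are starting points to tune against a tenant's normal failure rate; a brute force against one account needs its own per-account rule, since this one deliberately ignores it.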
🗺️ MITRE ATT&CK Techniques
🔒 Pro insight: The use of VPNs and Tor for obfuscation indicates a sophisticated approach, suggesting advanced planning and operational security by the threat actor.