Iran-Linked Campaign - Password Spraying Targets Israel

High severity — significant development or major threat actor activity
Basically, hackers from Iran are trying to guess passwords for many accounts in Israeli organizations.
A new password-spraying campaign linked to Iran is targeting over 300 organizations in Israel and the U.A.E. This ongoing threat highlights vulnerabilities in Microsoft 365 environments. Organizations must enhance their defenses to protect sensitive data.
What Happened
A password-spraying campaign linked to an Iranian threat actor is currently targeting Microsoft 365 environments in Israel and the U.A.E. This attack is part of a broader pattern of cyber operations amid rising tensions in the Middle East. Check Point, an Israeli cybersecurity firm, reported that the campaign has affected over 300 organizations in Israel and more than 25 in the U.A.E.
Who's Affected
The campaign primarily impacts government entities, municipalities, and companies in sectors such as technology, transportation, and energy. Additionally, some attacks have been observed against targets in Europe, the U.S., the U.K., and Saudi Arabia. This widespread targeting indicates a strategic focus on undermining critical infrastructure and sensitive data in the region.
How It Works
Password spraying involves attempting a single common password across multiple usernames. The method is effective because each account receives only a few attempts, which reduces the chance of triggering defenses that watch for repeated failed logins. The campaign was executed in three distinct waves: the first on March 3, 2026, followed by attacks on March 13 and March 23. The threat actor used Tor exit nodes to obscure its location, making the attacks harder for defenders to trace.
Tactics & Techniques
Check Point's analysis found that the techniques used in this campaign resemble those of the Gray Sandstorm group, known for its sophisticated cyber operations. The attackers used red-team tools and commercial VPN nodes, which is consistent with established patterns of Iranian cyber operations. This highlights the evolving tactics of state-sponsored actors in the region.
Defensive Measures
Organizations are urged to take immediate action to protect themselves from these threats. Recommended steps include:
- Monitor sign-in logs for unusual activity indicative of password spraying.
- Implement conditional access controls to restrict authentication based on geographic locations.
- Enforce multi-factor authentication (MFA) for all users to add an extra layer of security.
- Enable audit logs to assist in post-compromise investigations.
By adopting these measures, organizations can better safeguard their Microsoft 365 environments against ongoing and future attacks.
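One way to act on the first recommendation, shown as an added example that is not from Check Point or the original article: a tenant-wide check that flags time windows in which failed sign-ins are spread thinly across many accounts, regardless of how many source addresses are involved. The event layout, thresholds, account names and IP addresses are constructed assumptions, not a Microsoft 365 export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumed bucket size
MIN_USERS = 10                   # assumed: distinct accounts failing in one bucket
MAX_PER_USER = 2                 # assumed: a spray tries few passwords per account

def constructed_events():
    """Constructed sample: (UTC time, user, source IP, succeeded)."""
    t0 = datetime(2026, 3, 3, 8, 0, tzinfo=timezone.utc)
    # 12 accounts, one attempt each, rotating over 5 documentation-range IPs.
    spray = [(t0 + timedelta(seconds=20 * i), f"user{i:02d}@example.org",
              f"203.0.113.{10 + i % 5}", i == 7) for i in range(12)]
    # Benign contrast: one user mistyping a password, then succeeding.
    t1 = t0 + timedelta(hours=3)
    typo = [(t1 + timedelta(seconds=30 * i), "alice@example.org",
             "198.51.100.4", i == 3) for i in range(4)]
    return spray + typo

def detect_spray(events):
    """Flag buckets with failures spread thinly over many accounts."""
    buckets = defaultdict(list)
    for ts, user, ip, ok in events:
        buckets[int(ts.timestamp() // WINDOW.total_seconds())].append((user, ip, ok))
    findings = []
    for key in sorted(buckets):
        fails, fail_ips = defaultdict(int), set()
        for user, ip, ok in buckets[key]:
            if not ok:
                fails[user] += 1
                fail_ips.add(ip)
        # Counting per tenant, not per source IP, so rotating exit nodes
        # cannot keep each address under the threshold.
        if len(fails) < MIN_USERS or max(fails.values()) > MAX_PER_USER:
            continue
        # A success from an address that also produced failures needs triage first.
        hits = sorted({u for u, ip, ok in buckets[key] if ok and ip in fail_ips})
        start = datetime.fromtimestamp(key * WINDOW.total_seconds(), timezone.utc)
        findings.append({"window_start": start.isoformat(), "targeted_users": len(fails),
                         "source_ips": len(fail_ips), "succeeded": hits})
    return findings

if __name__ == "__main__":
    for f in detect_spray(constructed_events()):
        print(f)
```

Fixed buckets can split a spray that straddles a boundary, so a production rule would use overlapping or sliding windows.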
Conclusion
The Iranian-linked password-spraying campaign highlights the increasing sophistication of cyber threats in the region. As tensions escalate, organizations must remain vigilant and proactive in their cybersecurity strategies to mitigate the risks posed by state-sponsored actors.
🔒 Pro insight: The use of Tor and VPNs indicates a calculated approach by Iranian actors to obfuscate their operations, complicating attribution and response efforts.