Microsoft 365 tenants in the Middle East are currently the target of a sophisticated password spray campaign attributed to an Iran-linked threat actor. This attack vector bypasses traditional malware deployment, focusing instead on exploiting weak credentials to gain unauthorized access to cloud environments. The campaign highlights the persistent threat posed by identity-based attacks and their potential to compromise sensitive data, including emails, documents, and administrative tools within a corporate tenant.
The malicious activity was observed in three distinct waves, occurring on March 3, March 13, and March 23, 2026. While the primary focus was on organizations in Israel and the United Arab Emirates, the campaign also impacted a smaller number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. Affected entities spanned various sectors, including government bodies, municipalities, energy companies, and private businesses. Check Point researchers, after observing the second wave, identified the operation as orchestrated by an Iran-linked group, basing their assessment on the targeted sectors, geographical focus, and observed technical behaviors in login logs.
Iran-Linked Hackers Launch Broad Password Spray Campaign
The cybersecurity research firm Check Point has detailed a wide-reaching password spray campaign orchestrated by threat actors believed to be linked to Iran. This campaign specifically targeted Microsoft 365 tenants, predominantly in the Middle East, with significant attention paid to entities in Israel and the United Arab Emirates. Researchers believe the targeting of Israeli municipalities during March may have been intended to gather intelligence or potentially support kinetic operations in the region. The attack relies on a foundational technique: attempting to compromise accounts through common or easily guessed passwords.
Password spraying is a distinct cyberattack method that differs from traditional brute-force attacks. Instead of repeatedly attempting various passwords against a single user account, password spraying involves trying a small set of common passwords against a large number of user accounts. This approach is often more effective at evading detection, especially when combined with obfuscation techniques. In this particular campaign, the threat actors utilized a multitude of source IP addresses, a tactic that significantly diminished the effectiveness of basic IP-based blocking measures. This diversification of origin points also helped the malicious login attempts blend in with normal network traffic, making them harder to identify as specifically malicious activity.
Upon successfully obtaining valid credentials through the password spray tactics, the attackers were able to gain access to sensitive cloud data and resources. This was achieved without the immediate deployment of loud or easily detectable malware, allowing for a more stealthy infiltration. The compromised access could include mailboxes, document repositories, and other critical cloud-based information, providing a significant foothold within the targeted organization.
Understanding the Attack Cycle
The reported attack cycle provides clear insight into the methodology employed by the Iran-linked threat actor. The login activity associated with the campaign, as visualized by Check Point, showed distinct spikes, indicating a series of coordinated waves rather than random, opportunistic scanning. This structured approach suggests careful planning and execution by the attackers.
The attack cycle can be broadly divided into three stages: scanning, infiltration, and exfiltration. During the initial scanning phase, the threat actor employed Tor exit nodes, which were frequently rotated. The user agent string used in these requests was crafted to mimic Internet Explorer 10 running on Windows 7, an attempt to appear as less suspicious legacy traffic. This rotation of IP addresses and the use of a specific user agent reduced the value of single indicators, forcing cybersecurity professionals to focus on patterns of timing, volume, and the geographical distribution of failed login attempts across various accounts.
Once the attackers identified working credentials, the subsequent login process shifted. They began routing traffic through commercial VPN services, specifically Windscribe and NordVPN, with IP addresses geolocated within Israel. This move may have served to bypass geo-restrictions or to reduce the likelihood of triggering alerts associated with foreign access. The researchers highlighted that patterns of multiple failed sign-in attempts preceding a successful compromise are critical indicators for defenders. By gaining access through legitimate credentials, the actor could begin accessing personal email content and other sensitive cloud information without immediately raising alarms associated with more disruptive attack vectors.
The report indicates that Israeli municipalities represented a primary target, both in terms of the number of organizations affected and the volume of password-spraying attempts. However, government entities, energy sector organizations, and private companies were also impacted. To mitigate such attacks, organizations are advised to closely monitor sign-in logs for anomalous patterns, such as numerous failed attempts across different accounts originating from a single source. Implementing location-based access controls, blocking Tor traffic where feasible, and enforcing tenant-wide multi-factor authentication are crucial protective measures. Maintaining improved password hygiene and ensuring audit logs are consistently enabled for post-compromise investigations are also essential, as these simple identity attacks can lead to significant breaches when cloud workspaces hold critical data and numerous services.
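The three signals the attack cycle above leaves in sign-in logs (one source failing across many accounts, the Internet Explorer 10 on Windows 7 user agent, and a run of failures on an account followed by a success from a different source) can be checked directly against exported sign-in events. The script below is an added example, not Check Point's or Microsoft's tooling, and it runs over a small constructed event list rather than real tenant data. The thresholds (five accounts in thirty minutes, two failures within twenty-four hours), the account names and the IP addresses (documentation ranges standing in for a Tor exit node, a VPN egress and an office source) are all assumptions; the IE10/Windows 7 user agent string is the genuine one that browser sends.

```python
"""Sign-in log triage for password-spray patterns.

Added example; not the report's or any vendor's code. The event list is
constructed, with IPs from documentation ranges and invented accounts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    # The fields a Microsoft 365 / Entra sign-in export exposes that matter here.
    time: datetime
    account: str
    ip: str
    user_agent: str
    success: bool


# Real user agent string of Internet Explorer 10 on Windows 7.
LEGACY_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
SPRAY_IP = "198.51.100.7"   # constructed: stands in for a rotated Tor exit node
VPN_IP = "203.0.113.45"     # constructed: stands in for a commercial VPN egress
OFFICE_IP = "192.0.2.10"    # constructed: stands in for a normal corporate source

_T0 = datetime(2026, 3, 13, 2, 0)


def _ev(minutes, account, ip, ua, ok):
    return SignIn(_T0 + timedelta(minutes=minutes), account, ip, ua, ok)


# Constructed sample: one password tried against six accounts in six minutes,
# a second try at one account, then a success on it from a different source.
SAMPLE_EVENTS = [
    _ev(0, "u01@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(1, "u02@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(2, "u03@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(3, "u04@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(4, "u05@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(5, "u06@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(40, "u04@tenant.example", SPRAY_IP, LEGACY_UA, False),
    _ev(130, "u04@tenant.example", VPN_IP, MODERN_UA, True),
    _ev(60, "u07@tenant.example", OFFICE_IP, MODERN_UA, True),  # benign login
]


def spray_sources(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: accounts} for sources whose failed sign-ins touched at
    least `min_accounts` distinct accounts inside some `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.ip].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e.time)
        for i, start in enumerate(evs):
            seen = {e.account for e in evs[i:] if e.time - start.time <= window}
            if len(seen) >= min_accounts:
                flagged[ip] = seen
                break
    return flagged


def legacy_agent_sources(events, markers=("MSIE 10.0", "Windows NT 6.1")):
    """Sources presenting the Internet Explorer 10 / Windows 7 user agent."""
    return {e.ip for e in events if all(m in e.user_agent for m in markers)}


def failed_then_success(events, window=timedelta(hours=24), min_failures=2):
    """(account, success_ip, failure_ips) for accounts with at least
    `min_failures` failures followed, within `window`, by a success from a
    source that produced none of those failures."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    hits = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        for i, e in enumerate(evs):
            if not e.success:
                continue
            prior = [p for p in evs[:i] if not p.success and e.time - p.time <= window]
            failure_ips = {p.ip for p in prior}
            if len(prior) >= min_failures and e.ip not in failure_ips:
                hits.append((account, e.ip, sorted(failure_ips)))
    return hits


def triage(events):
    """Combine the three checks into one report a SOC analyst can act on."""
    return {
        "spray_sources": spray_sources(events),
        "legacy_agent_sources": legacy_agent_sources(events),
        "failed_then_success": failed_then_success(events),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_EVENTS))
```

The checks key on the pattern the report stresses rather than on any single IP: `spray_sources` counts distinct accounts per source over a sliding window, so it still fires when each address is used only briefly, and `failed_then_success` treats a success from an address that never appeared in the preceding failures as the higher-priority alert, since that is exactly the shift from scanning infrastructure to VPN egress described above. Tune the window and account thresholds to the tenant's normal failure rate before relying on the output.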