# Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
## A Coordinated Cyber Offensive Mirrors Kinetic Strikes Across the Middle East
A suspected Iranian threat actor has launched a sweeping password-spraying campaign against more than 300 organizations in Israel and over 25 in the United Arab Emirates, targeting Microsoft 365 cloud environments across government, municipal, energy, and private-sector entities. The campaign, disclosed by Check Point Research in late March 2026, unfolded in three coordinated attack waves — on March 3, March 13, and March 23 — and is assessed to be ongoing. Perhaps most alarming is researchers' finding that the targeted Israeli municipalities correlate with cities struck by Iranian missiles during the same period, suggesting a deliberate strategy to disrupt digital infrastructure in parallel with kinetic military operations.
## Background and Context
The campaign arrives amid a period of intensified hostilities in the Middle East, where the line between physical warfare and cyber operations continues to blur. Nation-state actors — particularly those linked to Iran's Islamic Revolutionary Guard Corps (IRGC) — have long used cyber intrusions as a force multiplier alongside conventional military action. Targeting municipal governments responsible for coordinating emergency responses to missile strikes represents a calculated escalation: if local authorities lose access to email, coordination platforms, and cloud-hosted emergency resources, the consequences on the ground could be devastating.
Check Point Research assessed with moderate confidence that the actor behind the campaign originates from Iran, based on the activity profile's alignment with Iranian strategic interests. The targeting of Israeli local government entities, alongside organizations in the satellite, aviation, energy, and maritime sectors, fits a well-documented pattern of Iranian cyber operations aimed at intelligence collection and disruption of critical infrastructure.
## Technical Details
Password spraying inverts the classic brute-force attack. Rather than hammering a single account with thousands of password guesses, which trips account lockout within minutes, the technique tries a small set of common or weak passwords against hundreds or thousands of accounts, usually one or two guesses per account per lockout window so that no single account ever crosses its threshold. The underlying assumption is simple and often correct: in any sufficiently large organization, at least one user has a weak password, and somewhere there is a sign-in path on which that password alone is enough.
The campaign's operators showed consistent operational-security discipline throughout the attack chain. The initial reconnaissance and password-spraying phase was conducted through Tor exit nodes, rotated frequently to frustrate IP-based blocking and attribution. The attackers used a User-Agent string masquerading as Internet Explorer 10, a deliberate choice likely intended to blend in with legacy enterprise environments, where old browser strings still turn up in scripted and automated sign-ins. For defenders the same string is a pivot: genuine Internet Explorer 10 sign-ins to a Microsoft 365 tenant are rare today, so a burst of failures across many accounts carrying that string is worth hunting on its own, before any IP indicator is matched.
Once valid credentials were identified, the attack moved to a second phase. Rather than signing in through Tor, which many security tools flag automatically, the operators switched to commercial VPN services, specifically Windscribe (IP range 185.191.204.x) and NordVPN (IP range 169.150.227.x), with exit nodes geolocated in Israel. This served two purposes: it evaded the country-based location restrictions commonly configured in Microsoft 365 conditional access, which see only the VPN egress country, and it made the sign-ins look as if they came from where the users are expected to be. The practical lesson is that a country allow-list is not an identity control; it raises the bar only until the attacker rents an address inside the allowed country.
Check Point also identified infrastructure hosted at AS35758 (Rachamim Aviel Twito), an autonomous system that has surfaced in other recent suspected Iran-linked cyber operations in the Middle East, providing a further thread connecting this campaign to established Iranian operational infrastructure.
Analysis of Microsoft 365 logs revealed behavioral similarities to Gray Sandstorm (formerly DEV-0343), an IRGC-linked threat group previously documented by Microsoft for its use of red-team tools and password-spraying techniques targeting defense, maritime, and geospatial sectors.
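As an added example (not Check Point's or Microsoft's code), the following Python hunts a batch of sign-in records for exactly the two-phase pattern described above: a cluster of failures that touches many accounts but stays under the per-account lockout threshold, carrying one user agent and spread over rotating source addresses, followed by a success for one of the sprayed accounts from an address the spray never used. The record layout is an assumption that mirrors an Entra sign-in log export, every event is constructed for the demonstration, and the /24 width of the VPN ranges is an assumption, since the article gives only the first three octets.

```python
"""Hunt Microsoft 365 sign-in records for the spray-then-VPN-login pattern.
Added example code, not from Check Point Research or Microsoft. The record
layout (one dict per sign-in event with the fields below) is an assumption
mirroring an Entra sign-in log export; all events here are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Indicators quoted in the article. The /24 width is an assumption: the
# article gives the ranges as 185.191.204.x and 169.150.227.x.
IOC_RANGES = [ip_network("185.191.204.0/24"), ip_network("169.150.227.0/24")]

# Constructed inputs: the spoofed IE10 string, a normal browser, and stand-in
# addresses from the documentation ranges for rotating Tor exits and a home IP.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0"
TOR_IPS = ["198.51.100.11", "198.51.100.42", "198.51.100.73", "198.51.100.90"]
SPRAYED = ["alice", "bob", "carol", "dan", "erin", "frank", "grace"]


def event(t, user, ip, ua, result):
    return {"time": t.isoformat(), "user": user, "ip": ip,
            "user_agent": ua, "result": result}


def constructed_events():
    t0 = datetime(2026, 3, 13, 2, 0)
    ev = []
    # Phase 1: one guess per account, each from a different exit node, plus a
    # second guess at one account half an hour later (still under lockout).
    for i, user in enumerate(SPRAYED):
        ev.append(event(t0 + timedelta(minutes=i), user,
                        TOR_IPS[i % len(TOR_IPS)], IE10_UA, "failure"))
    ev.append(event(t0 + timedelta(minutes=30), "alice", TOR_IPS[1], IE10_UA, "failure"))
    # Benign noise: a user mistypes once from a normal browser, then succeeds.
    ev.append(event(t0 + timedelta(minutes=10), "dave", "203.0.113.5", EDGE_UA, "failure"))
    ev.append(event(t0 + timedelta(minutes=11), "dave", "203.0.113.5", EDGE_UA, "success"))
    # Phase 2: a sprayed account signs in from a commercial VPN egress.
    ev.append(event(t0 + timedelta(hours=3), "alice", "185.191.204.17", EDGE_UA, "success"))
    return ev


def find_spray_clusters(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Group failed sign-ins by user agent. A cluster is a spray when, within the
    window, it touches many distinct accounts while keeping attempts per account
    at or under the lockout threshold the attacker is avoiding. The window is
    anchored at the first failure; a production hunt would slide it."""
    by_ua = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ua[e["user_agent"]].append(e)
    clusters = []
    for ua, fails in by_ua.items():
        fails.sort(key=lambda e: e["time"])  # ISO timestamps sort lexically
        start = datetime.fromisoformat(fails[0]["time"])
        in_window = [e for e in fails
                     if datetime.fromisoformat(e["time"]) - start <= window]
        per_user = defaultdict(int)
        for e in in_window:
            per_user[e["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            clusters.append({"user_agent": ua, "users": set(per_user),
                             "source_ips": {e["ip"] for e in in_window},
                             "end": datetime.fromisoformat(in_window[-1]["time"])})
    return clusters


def find_followon_logins(events, clusters, lookahead=timedelta(hours=24)):
    """A success for a sprayed account, after the spray, from a source the spray
    did not use: the phase-two VPN login. ioc_match marks the published ranges."""
    alerts = []
    for c in clusters:
        for e in events:
            if e["result"] != "success" or e["user"] not in c["users"]:
                continue
            t = datetime.fromisoformat(e["time"])
            if not c["end"] <= t <= c["end"] + lookahead or e["ip"] in c["source_ips"]:
                continue
            alerts.append({"user": e["user"], "ip": e["ip"], "time": e["time"],
                           "ioc_match": any(ip_address(e["ip"]) in n for n in IOC_RANGES)})
    return alerts


def run_hunt(events=None):
    events = constructed_events() if events is None else events
    clusters = find_spray_clusters(events)
    return clusters, find_followon_logins(events, clusters)


if __name__ == "__main__":
    found, hits = run_hunt()
    for c in found:
        print(f"spray: {len(c['users'])} accounts from {len(c['source_ips'])} sources, UA={c['user_agent'][:40]}")
    for a in hits:
        print(f"follow-on login: {a['user']} from {a['ip']} at {a['time']} ioc={a['ioc_match']}")
```

The thresholds (min_users, max_per_user, the one-hour window and the 24-hour lookahead) are tuning knobs, not figures from the report. The follow-on check flags any success from a source the spray did not use, which will also catch the victim's own next sign-in from home; a production version should compare against the account's baseline locations and devices. Grouping on the user agent alone is also fragile, since an actor can change a browser string far more easily than the network it pays for, so group on ASN as well once the tenant's sign-in export carries it.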
## Real-World Impact
The scope of the campaign is substantial. In Israel alone, more than 300 organizations were targeted, with the municipal sector bearing the heaviest concentration of attempts. Beyond local government, the attackers cast a wide net across multiple verticals: technology (63 targeted organizations), transportation and logistics (32), healthcare (28), and manufacturing (28) were all in the crosshairs.
The correlation between targeted municipalities and cities subjected to Iranian missile strikes during March 2026 is particularly consequential. Municipal governments in Israel coordinate critical emergency response functions — from damage assessment and civilian sheltering to infrastructure repair and public communications. Compromising their Microsoft 365 environments could degrade situational awareness, delay emergency coordination, and sow confusion during the most critical hours following a strike.
Beyond Israel and the UAE, Check Point observed limited but notable activity directed at targets in Europe, the United States, the United Kingdom, and Saudi Arabia, indicating the campaign's operators are casting a wider net, possibly for intelligence collection or to establish persistent access for future operations.
## Threat Actor Context
The campaign bears the hallmarks of Iranian state-sponsored cyber activity, which has matured significantly over the past decade. Iran-linked groups such as Peach Sandstorm (APT33) and Gray Sandstorm (DEV-0343) have established password spraying as a core initial-access technique for penetrating cloud environments. Microsoft first publicly documented DEV-0343's password-spraying operations in October 2021, when the group targeted defense technology companies, satellite operators, and port authorities — sectors that overlap significantly with the current campaign's target set.
The IRGC's cyber units have repeatedly demonstrated a doctrine of integrating cyber operations with kinetic military activity. The temporal and geographic alignment between March 2026's missile strikes and the password-spraying waves suggests this campaign is not opportunistic, but rather a component of a broader hybrid warfare strategy designed to maximize disruption across both physical and digital domains.
## Defensive Recommendations
Organizations in targeted sectors — particularly those operating in the Middle East or in industries aligned with Iranian strategic interests — should take immediate steps to harden their Microsoft 365 environments:
## Industry Response
Check Point Research published detailed indicators of compromise (IOCs) including the IP ranges, User-Agent strings, and infrastructure details associated with the campaign, enabling security teams to conduct retroactive threat hunting across their environments. Microsoft has previously published extensive guidance on defending against password-spray attacks linked to Iranian threat actors, including specific detections within Microsoft Defender for Cloud Apps and Microsoft Sentinel.
The broader security community has noted this campaign as further evidence that cloud identity is now the primary battleground in nation-state cyber operations. As organizations continue migrating critical services to Microsoft 365 and other cloud platforms, the identity layer — not the network perimeter — becomes the decisive point of defense. The Iran-linked campaign underscores that basic credential hygiene, combined with robust conditional access and monitoring, remains the most effective countermeasure against one of the oldest yet most persistent attack techniques in the adversary playbook.