Iran-Linked Password-Spraying Campaign Targets Over 300 Israeli Microsoft 365 Organizations


A sophisticated password-spraying campaign attributed to an Iran-nexus threat actor has been identified, targeting Microsoft 365 environments in Israel and the United Arab Emirates (U.A.E.) during a period of heightened conflict in the Middle East. The campaign, which is ongoing, has been executed in three distinct waves on March 3, March 13, and March 23, 2026, according to cybersecurity firm Check Point.

Scope of the Campaign

The campaign has primarily focused on Israel and the U.A.E., impacting over 300 organizations in Israel and more than 25 in the U.A.E. Check Point reported that similar activities have also been detected against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. The targeted entities include government bodies, municipalities, technology firms, transportation and energy sector organizations, as well as private companies within the region.

Password spraying is a specific brute-force attack method where a threat actor attempts to use a single common password against multiple usernames within the same application. This technique is particularly effective for discovering weak credentials at scale while minimizing the risk of triggering rate-limiting defenses.

Technical Insights and Methodology

Check Point has noted that this technique has been previously employed by Iranian hacking groups such as Peach Sandstorm and Gray Sandstorm (formerly known as DEV-0343) to infiltrate target networks. The campaign unfolds in three phases: aggressive scanning or password spraying conducted from Tor exit nodes, followed by login attempts, and ultimately the exfiltration of sensitive data, including mailbox content.

Analysis of Microsoft 365 logs has revealed similarities to Gray Sandstorm, particularly in the use of red-team tools for conducting these attacks via Tor exit nodes. The threat actor has utilized commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), aligning with recent activities linked to Iran-nexus operations in the Middle East.

To mitigate the threat, organizations are advised to monitor sign-in logs for indications of password spraying, implement conditional access controls to restrict authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logs for post-compromise investigations.
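The log-monitoring advice above can be turned into a concrete check. The following is an added example, not code from the article or from Check Point: a Python heuristic that scans constructed Microsoft 365 sign-in events and flags the spraying signature (one source IP, many distinct accounts, few failures per account) while leaving ordinary mistyped passwords and single-account brute force alone. It assumes Entra ID error code 50126 (InvalidUserNameOrPassword) marks a failed password and uses a simplified event layout rather than the exact export schema.

```python
"""Flag password spraying in Microsoft 365 / Entra ID sign-in events: one source
IP failing against many DISTINCT accounts in a short window, with only a few
failures per account (one password, many users), unlike a brute-force attack."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD = {50126}   # Entra ID error code InvalidUserNameOrPassword
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5
MAX_ATTEMPTS_PER_USER = 2   # sprayers stay low per account to avoid lockouts

# Constructed sample events (not real log data); the field names are a
# simplified version of a sign-in log export. One IP hits eight accounts,
# while a legitimate user mistypes a password twice from another IP.
SAMPLE_EVENTS = [
    {"time": f"2026-03-13T08:00:{i:02d}Z", "user": f"user{i}@example.org",
     "ip": "198.51.100.7", "errorCode": 50126} for i in range(8)
] + [
    {"time": "2026-03-13T08:00:20Z", "user": "user3@example.org",
     "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2026-03-13T08:02:00Z", "user": "alice@example.org",
     "ip": "203.0.113.9", "errorCode": 50126},
    {"time": "2026-03-13T08:02:15Z", "user": "alice@example.org",
     "ip": "203.0.113.9", "errorCode": 50126},
    {"time": "2026-03-13T08:02:40Z", "user": "alice@example.org",
     "ip": "203.0.113.9", "errorCode": 0},
]


def detect_spraying(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return {ip: sorted accounts that IP failed against} for each flagged IP."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    for e in events:
        if e["errorCode"] in FAILED_PASSWORD:
            ts = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
            failures[e["ip"]].append((ts, e["user"]))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):   # sliding window over this IP's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = sorted({user for _, user in attempts})
                break
    return alerts
```

Tune the window and thresholds to the tenant's normal failure rate; Tor exit nodes and VPN egress points rotate, so grouping by IP catches the fast waves described here, while slower sprays need a longer window or grouping by autonomous system.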

Resurgence of Ransomware Operations

This disclosure arrives as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with connections to the Iranian government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020. The variant used in this recent attack represents an upgrade from previous campaigns observed in July 2025, employing enhanced evasion, execution, and anti-forensics techniques.

Reports from Beazley Security and Halcyon indicate that no data was exfiltrated during this attack, marking a departure from the group’s previous double extortion tactics. The attack reportedly exploited an unknown access route to breach the organization, utilizing a legitimate remote access tool like TeamViewer to establish a foothold. Following this, the attackers harvested credentials for lateral movement, disabled Microsoft Defender Antivirus by falsely indicating that a third-party antivirus product was active, and deployed ransomware while clearing logs to obscure their activities.

Evolving Tactics and Strategic Implications

The operational tactics of the Pay2Key group have evolved significantly. The ransomware sample is configuration-driven, requiring root-level privileges to execute, and is designed to traverse extensive file system scopes, classify mounts, and encrypt data using ChaCha20 in full or partial modes. Before encryption, it weakens defenses by stopping services, killing processes, disabling SELinux and AppArmor, and installing a reboot-time cron entry to ensure the encryptor runs faster and survives restarts.

In March 2026, Halcyon revealed that the administrator of Sicarii ransomware, known as Uke, encouraged pro-Iranian operators to adopt Baqiyat 313 Locker (BQTlock) due to an influx of affiliate requests. BQTLock, which operates with pro-Palestinian motives, has targeted the U.A.E., the U.S., and Israel since July 2025.

Iran has a well-documented history of leveraging cyber operations to retaliate against perceived political slights. Ransomware is increasingly being integrated into these operations, with campaigns that blur the lines between criminal extortion and state-sponsored sabotage.

For organizations in the region, the implications of these developments are significant. The ongoing threat landscape necessitates a proactive approach to cybersecurity, emphasizing the importance of robust defenses against both password-spraying attacks and ransomware operations.

Source: thehackernews.com
