Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations Amid Regional Tensions

A sophisticated password-spraying campaign attributed to a threat actor with ties to Iran has been detected, specifically targeting Microsoft 365 environments in Israel and the United Arab Emirates (U.A.E.). This campaign has unfolded during a period of heightened conflict in the Middle East, with three distinct waves of attacks occurring on March 3, March 13, and March 23, 2026, as reported by cybersecurity firm Check Point.

Scope of the Campaign

The primary focus of this campaign has been on Israel and the U.A.E., affecting over 300 organizations in Israel and more than 25 in the U.A.E. Check Point has also identified similar activities targeting a limited number of entities in Europe, the United States, the United Kingdom, and Saudi Arabia. The affected organizations include government bodies, municipalities, technology firms, and entities within the transportation and energy sectors, as well as private companies in the region.

Password spraying is a specific brute-force attack method where a threat actor attempts to use a single common password against multiple usernames within the same application. This technique is particularly effective for identifying weak credentials at scale while minimizing the risk of triggering rate-limiting defenses.

Technical Insights and Methodology

Check Point has noted that this technique has been previously employed by Iranian hacking groups, including Peach Sandstorm and Gray Sandstorm (formerly known as DEV-0343), to infiltrate target networks. The campaign is executed in three phases: aggressive scanning or password spraying from Tor exit nodes, followed by login attempts, and ultimately the exfiltration of sensitive data, including mailbox content.

Analysis of Microsoft 365 logs has revealed similarities to the tactics used by Gray Sandstorm, particularly in the utilization of red-team tools for conducting these attacks via Tor exit nodes. The threat actor has leveraged commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), aligning with recent activities linked to Iran-nexus operations in the region.

To mitigate this threat, organizations are advised to monitor sign-in logs for signs of password spraying, implement conditional access controls to restrict authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logs for post-compromise investigations.
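As an added example of the first recommendation (not code from Check Point or this article), the Python below runs over constructed Microsoft 365 sign-in records laid out as time, userPrincipalName, ipAddress, errorCode and flags a source IP that fails against many distinct accounts with only one or two attempts each, which is how a spray looks in the logs; the thresholds, the one-hour window and the CSV layout are assumptions to adapt to a real export.

```python
"""Flag password-spray patterns in Microsoft 365 (Entra ID) sign-in logs: one
source IP failing against MANY distinct accounts, one or two tries each, inside
a short window (brute force hammers one account instead).  Thresholds are
assumptions to tune per tenant; the sample log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_CODES = {50126, 50053, 50057}  # bad password, account locked, disabled
# Constructed sample, one record per line: time,userPrincipalName,ipAddress,errorCode
SAMPLE_LOG = """\
2026-03-13T08:00:05,alice@example.com,203.0.113.7,50126
2026-03-13T08:00:09,bob@example.com,203.0.113.7,50126
2026-03-13T08:00:14,carol@example.com,203.0.113.7,50126
2026-03-13T08:00:20,dave@example.com,203.0.113.7,50053
2026-03-13T08:00:27,erin@example.com,203.0.113.7,50126
2026-03-13T08:05:00,grace@example.com,198.51.100.9,50126
2026-03-13T08:05:03,grace@example.com,198.51.100.9,50126
2026-03-13T08:10:00,heidi@example.com,192.0.2.44,50126
2026-03-13T08:10:30,heidi@example.com,192.0.2.44,0
"""

def load_sign_ins(text):
    """Parse CSV records into dicts with a datetime and an int error code."""
    events = []
    for line in text.splitlines():
        ts, user, ip, code = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user.lower(),
                       "ip": ip, "code": int(code)})
    return events

def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Return {ip: sorted distinct users} for source IPs whose failures fit a spray."""
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] in FAILED_CODES:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):  # sliding window over time-sorted failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = sorted(per_user)
                break
    return findings
```

Only the 203.0.113.7 source is reported: the repeated failures against a single account and the one legitimate mistyped password do not match the many-accounts, few-attempts shape.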

Resurgence of Ransomware Operations

This revelation coincides with a recent attack on a U.S. healthcare organization in late February 2026 by Pay2Key, an Iranian ransomware gang with connections to the Iranian government. This ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020. The variant used in this latest attack represents an upgrade from previous campaigns observed in July 2025, employing enhanced evasion, execution, and anti-forensics techniques.

Reports from Beazley Security and Halcyon indicate that no data was exfiltrated during this attack, marking a departure from the group’s previous double extortion tactics. The attack reportedly exploited an unknown access route to breach the organization, utilizing a legitimate remote access tool like TeamViewer to establish a foothold. Following this, the attackers harvested credentials for lateral movement, disabled Microsoft Defender Antivirus by falsely indicating that a third-party antivirus product was active, and deployed ransomware while clearing logs to obscure their activities.

Evolving Tactics and Strategic Implications

The operational tactics of the Pay2Key group have evolved significantly. The ransomware sample is configuration-driven, requiring root-level privileges to execute, and is designed to traverse extensive file system scopes, classify mounts, and encrypt data using ChaCha20 in full or partial modes. Before encryption, it weakens defenses by stopping services, killing processes, disabling SELinux and AppArmor, and installing a reboot-time cron entry to ensure the encryptor runs faster and survives restarts.

In March 2026, Halcyon revealed that the administrator of Sicarii ransomware, known as Uke, encouraged pro-Iranian operators to adopt Baqiyat 313 Locker (BQTLock) due to an influx of affiliate requests. BQTLock, which operates with pro-Palestinian motives, has targeted the U.A.E., the U.S., and Israel since July 2025.

Iran has a well-documented history of leveraging cyber operations to retaliate against perceived political slights. Ransomware is increasingly being integrated into these operations, with campaigns that blur the lines between criminal extortion and state-sponsored sabotage.

For organizations in the region, the implications of these developments are significant. The ongoing threat landscape necessitates a proactive approach to cybersecurity, emphasizing the importance of robust defenses against both password-spraying attacks and ransomware operations.

Published on 2026-04-06 22:37:00 • By the Editorial Desk