Iran targets M365 accounts with password-spraying attacks
Summary
Researchers at Check Point have identified a series of password-spraying campaigns linked to Iran-linked threat actors that targeted Microsoft 365 accounts across hundreds of organisations. The offensive primarily hit Israeli municipalities and other Middle Eastern targets, with smaller numbers of attempts against organisations in the UAE, the US, Europe and Saudi Arabia. The activity occurred in three waves on 3, 13 and 23 March 2026 and appears to be aligned with kinetic operations — potentially to support bombing damage assessment (BDA) after missile strikes.
Attackers used rotating Tor exit nodes and a fake Internet Explorer 10 user agent for scanning, then logged in from commercial VPN IPs geolocated in Israel when credentials succeeded. They accessed personal emails and other sensitive data once inside. Check Point noted similarities to known Iran-linked groups such as Gray Sandstorm and reuse of infrastructure previously seen in regional operations.
Key Points
- More than 300 organisations in Israel and 25+ in the UAE were targeted with password-spraying against M365 accounts.
- Three attack waves were observed on 3, 13 and 23 March 2026.
- Primary targets were municipalities (linked to possible BDA use); other sectors hit included technology, transportation & logistics, healthcare and manufacturing.
- Scans used frequently changed Tor exit nodes and an IE10 user-agent string; successful logins occurred from VPN IP ranges (Windscribe, NordVPN) geolocated in Israel and from commercial autonomous-system (AS) infrastructure seen in prior Iran-linked operations.
- Attack patterns and tooling show similarities to Iran-linked groups (Gray Sandstorm, Peach Sandstorm) that have previously used password spraying as initial access to M365 environments.
- The campaign sits alongside other recent Iran-linked cyber operations, including destructive and data-leak activity such as the Stryker incident and the Handala Hack disclosure.
Context and Relevance
This campaign is notable because it blends low-tech password-spraying methods with careful operational tradecraft (Tor chaining, VPN pivots, reused commercial infrastructure) and targets organisations that are useful for physical damage assessment following strikes. For security teams in government, municipalities, healthcare, logistics and tech, the incident underlines that basic account hardening remains critical: multifactor authentication, conditional access, monitoring for atypical logins and rapid incident response can blunt these attempts.
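Added example, not code from Check Point or The Register: a minimal detector for the pattern in the Key Points, run over constructed sign-in records in the shape of Microsoft 365 / Entra ID sign-in logs (the field names, user-agent strings, account names and IP addresses are all assumptions made up for the example). It flags a cluster of single-attempt failures across many accounts that share one IE10 user agent while the source IP rotates, then surfaces the later successful sign-in to a sprayed account from an IP outside the spray set, which is the event that warrants an account review.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of Microsoft 365 / Entra ID sign-in logs.
# Field names (ts, user, ip, ua, ok) are simplifications, not the exact log schema.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0"
T0 = datetime(2026, 3, 13, 6, 0, tzinfo=timezone.utc)

def ev(minute, user, ip, ua, ok):
    return {"ts": T0 + timedelta(minutes=minute), "user": user, "ip": ip, "ua": ua, "ok": ok}

SIGNINS = [
    # Spray: one guess per account, source IP rotating every two attempts, same IE10 UA.
    ev(0, "a.cohen@city.example", "198.51.100.10", IE10_UA, False),
    ev(1, "b.levi@city.example", "198.51.100.10", IE10_UA, False),
    ev(2, "c.peretz@city.example", "198.51.100.22", IE10_UA, False),
    ev(3, "d.mizrahi@city.example", "198.51.100.22", IE10_UA, False),
    ev(4, "e.biton@city.example", "203.0.113.7", IE10_UA, False),
    ev(5, "f.azulay@city.example", "203.0.113.7", IE10_UA, False),
    # A real user mistyping once from a normal browser: one account, must not trigger.
    ev(6, "g.dahan@city.example", "192.0.2.40", EDGE_UA, False),
    ev(7, "g.dahan@city.example", "192.0.2.40", EDGE_UA, True),
    # Later success on a sprayed account from an IP outside the spray set (the VPN pivot).
    ev(95, "c.peretz@city.example", "192.0.2.99", EDGE_UA, True),
]

def find_sprays(events, window_min=30, min_users=5, max_per_user=2):
    """Bucket failures by (user agent, time window); a bucket is a spray when it touches
    many distinct accounts with few attempts each, however many source IPs it rotated."""
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            buckets[(e["ua"], int(e["ts"].timestamp()) // (window_min * 60))].append(e)
    sprays = []
    for (ua, _), evs in buckets.items():
        per_user = defaultdict(int)
        for e in evs:
            per_user[e["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            sprays.append({"ua": ua, "users": set(per_user), "ips": {e["ip"] for e in evs}})
    return sprays

def post_spray_successes(events, sprays):
    """Successful sign-ins to sprayed accounts from an IP the spray itself never used.
    Legitimate owners of sprayed accounts land here too: treat it as a review queue."""
    return [(e["user"], e["ip"]) for s in sprays for e in events
            if e["ok"] and e["user"] in s["users"] and e["ip"] not in s["ips"]]
```

Tuning `min_users` and `max_per_user` to the tenant's size is what separates a spray from a help-desk password-reset morning; the follow-up list is where a new-IP or impossible-travel check for that specific user pays off.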
Why should I read this?
Because if you run an organisation that could be useful for post-strike intelligence (local councils, hospitals, transport hubs) or you manage M365, this is exactly the sort of quiet, noisy-at-scale attack that’ll get you owned if you don’t have the basics locked down. It isn’t glamorous hacking — it’s brute-force persistence that works if you haven’t forced MFA or watched your sign-in logs. Read this so you can stop panicking later.
Author’s take
Punchy: This is a reminder that nation-state ops still lean on simple, effective techniques. The operational link to missile strikes elevates the stakes — not just data theft but direct support for kinetic campaigns. If you’re responsible for identity security, treat this as high priority.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/03/31/iran_password_spraying_m365/
