Iran-Linked Password Spraying Targets Microsoft 365 Accounts in the Middle East

Severity: High (Score: 75.5)

Sources: The Register, TechNadu

Summary

Iran-linked threat actors are running a password-spraying campaign against Microsoft 365 accounts at more than 300 organizations in Israel and more than 25 in the UAE. The attacks occurred in three waves on March 3, March 13, and March 23, 2026, focusing on government entities, municipalities, and private-sector companies. Exploiting weak credentials, the attackers used a rotating network of Tor exit nodes to avoid detection and authenticated through commercial VPNs geolocated in Israel. This method allows them to infiltrate critical infrastructure that is crucial for responding to missile-related damage. The campaign is believed to support intelligence-gathering efforts related to recent missile strikes in the region. Check Point Research has linked the attackers to Iranian groups such as Peach Sandstorm and Gray Sandstorm. The ongoing nature of these attacks poses significant operational risks to affected organizations.

Key Points:

  • Over 300 organizations in Israel and 25 in the UAE targeted in password-spraying attacks.
  • Attackers used weak credentials and a rotating network of Tor exit nodes for infiltration.
  • Campaign aims to support intelligence-gathering related to missile strikes in the region.

Key Entities

  • Gray Sandstorm (apt_group)
  • Peach Sandstorm (apt_group)
  • Brute Force (attack_type)
  • Credential Stuffing (attack_type)
  • Phishing (attack_type)
  • Stryker (company)
  • Iran (country)
  • Israel (country)
  • Saudi Arabia (country)
  • United Arab Emirates (country)
  • Energy (industry)
  • Government (industry)
  • Healthcare (industry)
  • Manufacturing (industry)
  • Technology (industry)
  • T1078 - Valid Accounts (mitre_attack)
  • T1110 - Brute Force (mitre_attack)
  • T1133 - External Remote Services (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Microsoft 365 (platform)
  • NordVPN (platform)
  • Tor (platform)
  • Windscribe (tool)