Iranian APT Group Conducts Password Spray Attacks on Microsoft 365 Accounts

Severity: High (Score: 75.5)

Sources: Scworld, Technadu, Theregister, News.Risky.Biz

Summary

In March 2026, a suspected Iranian APT group, identified as Gray Sandstorm, initiated a password spraying campaign targeting Microsoft 365 accounts of over 300 organizations in Israel and more than 25 in the UAE. The attacks, which occurred in three waves on March 3, March 13, and March 23, aimed to gather intelligence for bomb damage assessments following missile strikes. The attackers utilized weak password credentials and employed a rotating network of Tor exit nodes to evade detection. They then authenticated using VPN IP addresses geolocated in Israel to access sensitive data. This operation aligns with previous tactics used by Iranian state-sponsored groups and has raised concerns about vulnerabilities in regional digital infrastructure. The campaign is ongoing, with researchers continuing to monitor the situation. Key Points: • Iranian APT Gray Sandstorm targeted Microsoft 365 accounts of over 300 organizations. • The password spraying campaign occurred in three waves throughout March 2026. • Attackers utilized weak passwords and Tor nodes to evade detection and access sensitive data.

Key Entities

• Gray Sandstorm (apt_group)
• Peach Sandstorm (apt_group)
• Brute Force (attack_type)
• Credential Stuffing (attack_type)
• Phishing (attack_type)
• Stryker (company)
• Iran (country)
• Israel (country)
• Saudi Arabia (country)
• United Arab Emirates (country)
• CVE-2026-21643 (cve)
• CVE-2026-3502 (cve)
• Energy (industry)
• Government (industry)
• Healthcare (industry)
• Manufacturing (industry)
• Technology (industry)
• T1078 - Valid Accounts (mitre_attack)
• T1110 - Brute Force (mitre_attack)
• T1133 - External Remote Services (mitre_attack)
• T1566 - Phishing (mitre_attack)
• Microsoft 365 (platform)
• NordVPN (platform)
• Tor (platform)
• Windscribe (tool)