Iran-Linked Password Spray Attack Targets Microsoft 365 Users Across Middle East


Iran-linked hackers launch password spray attacks on Microsoft 365 tenants in the Middle East, targeting weak credentials and cloud access.

Iran-Linked Hackers Target Microsoft 365 Tenants with Password Spray Campaign

A new wave of cyberattacks has put Microsoft 365 tenants across the Middle East on high alert, as an Iran-linked threat actor deploys a large-scale password spray campaign targeting cloud-based accounts.

Unlike conventional cyber intrusions that rely on malware or software vulnerabilities, this campaign focuses on exploiting weak passwords and poorly secured identities. The approach highlights how even simple identity-based attacks can unlock access to sensitive emails, documents, and administrative tools within a single cloud environment.

Coordinated Attack Waves Across Regions

According to cybersecurity findings, the campaign unfolded in three distinct waves on March 3, March 13, and March 23, 2026. The primary targets were organizations in Israel and the United Arab Emirates.

More than 300 organizations in Israel and over 25 in the UAE were impacted. Additional targets were observed across Europe, the United States, the United Kingdom, and Saudi Arabia. The affected sectors ranged widely, including government bodies, municipalities, energy firms, and private enterprises.

Security researchers at Check Point Software Technologies attributed the activity to an Iran-linked actor, citing regional targeting patterns, sector focus, and login behavior analysis. The campaign is believed to have geopolitical undertones, particularly with increased targeting of Israeli municipalities, potentially linked to broader operational objectives.

How Password Spraying Works

Password spraying differs from traditional brute-force attacks. Instead of repeatedly guessing passwords for a single account, attackers test a small number of commonly used passwords across a large number of accounts. Because lockout thresholds are enforced per account, spreading a handful of guesses across many accounts keeps each account below its threshold; this reduces the likelihood of triggering account lockouts and helps attackers remain under the radar.

In this campaign, attackers leveraged multiple IP addresses, making it difficult for organizations to detect or block suspicious activity based solely on IP filtering. This distributed approach allowed malicious login attempts to blend in with normal background authentication traffic.

Attack Lifecycle: From Access to Data Exposure

The operation followed a structured three-stage attack cycle:

  • Scan: Attackers used frequently changing Tor exit nodes and spoofed user agents resembling older browsers to distribute login attempts and evade detection.
  • Infiltrate: Once valid credentials were identified, attackers shifted to commercial VPN services such as NordVPN and Windscribe, often geolocated within Israel. This tactic likely helped bypass geo-restrictions and reduce suspicion tied to foreign access attempts.
  • Exfiltrate: With legitimate account access, attackers could quietly explore email inboxes and sensitive cloud data without deploying malware, minimizing detection risks.

Why This Attack Matters

The campaign underscores a critical cybersecurity reality: even low-complexity attacks can have significant consequences. A single compromised password can grant persistent access to an organization’s cloud ecosystem, especially when multiple services and users are interconnected.

The focus on identity-based intrusion also signals a shift in attacker strategy—prioritizing stealth and persistence over noisy, destructive tactics.

Key Security Recommendations

To defend against such attacks, organizations using Microsoft 365 should adopt the following measures:

  • Monitor sign-in logs for unusual patterns, such as multiple failed attempts across different accounts
  • Enforce multi-factor authentication (MFA) across all users
  • Implement location-based access controls
  • Block or restrict traffic from Tor networks where feasible
  • Strengthen password policies and eliminate weak or reused credentials
  • Maintain comprehensive audit logs for post-incident analysis
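Detection logic for the first recommendation above, written as an added example that is not from the article or from Check Point's research: it flags a source that fails against many distinct accounts with only one or two attempts each inside a short window (the spray shape), and reports any account that then succeeded from the same source. The sign-in events, field layout and thresholds are constructed assumptions.

```python
"""Password-spray detector over constructed Microsoft 365-style sign-in events.

Spray signature: one source IP fails against MANY distinct accounts, with only
one or two attempts per account, inside a short window. A user mistyping their
own password (many failures, one account) does not match. Events below are
constructed samples, not real tenant data; the field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (UTC timestamp, account, source IP, result).
EVENTS = [
    ("2026-03-03T08:00:01", "alice@example.org", "198.51.100.7", "FAIL"),
    ("2026-03-03T08:00:04", "bob@example.org",   "198.51.100.7", "FAIL"),
    ("2026-03-03T08:00:09", "carol@example.org", "198.51.100.7", "FAIL"),
    ("2026-03-03T08:00:12", "dave@example.org",  "198.51.100.7", "FAIL"),
    ("2026-03-03T08:00:15", "erin@example.org",  "198.51.100.7", "FAIL"),
    ("2026-03-03T08:00:20", "frank@example.org", "198.51.100.7", "SUCCESS"),
    # Legitimate user mistyping a password: one account, repeated failures.
    ("2026-03-03T08:05:00", "gina@example.org", "203.0.113.9", "FAIL"),
    ("2026-03-03T08:05:30", "gina@example.org", "203.0.113.9", "FAIL"),
    ("2026-03-03T08:06:00", "gina@example.org", "203.0.113.9", "SUCCESS"),
]


def detect_spray(events, window_minutes=30, min_accounts=5, max_per_account=2):
    """Return {source_ip: {"failed_accounts": n, "succeeded": [accounts]}}
    for sources whose failures fan out across >= min_accounts distinct users
    with <= max_per_account attempts each inside one window bucket.
    Separate attack waves land in separate buckets and are scored separately."""
    buckets = defaultdict(lambda: (defaultdict(int), set()))
    for ts, user, ip, result in events:
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        bucket = int(t.timestamp() // (window_minutes * 60))
        fails, successes = buckets[(ip, bucket)]
        if result == "FAIL":
            fails[user] += 1
        else:
            successes.add(user)
    hits = {}
    for (ip, _bucket), (fails, successes) in buckets.items():
        if fails and len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
            hits[ip] = {"failed_accounts": len(fails), "succeeded": sorted(successes)}
    return hits


if __name__ == "__main__":
    for ip, info in detect_spray(EVENTS).items():
        print(f"spray from {ip}: {info['failed_accounts']} accounts failed, "
              f"succeeded: {info['succeeded'] or 'none'}")
```

A successful sign-in listed under `succeeded` for a flagged source is the point at which the page's "Infiltrate" stage begins, so that account is the first candidate for credential reset and session revocation.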

The Bigger Picture

As businesses increasingly rely on cloud platforms like Microsoft 365 for daily operations, identity security has become just as critical as endpoint protection. This campaign demonstrates that attackers don’t always need sophisticated tools—sometimes, exploiting a weak password is enough to gain a powerful foothold.

Organizations must rethink their security posture, ensuring that identity monitoring, access control, and user awareness are central to their defense strategy in an evolving threat landscape.
