Back to News
Cyber Attack

Iran-Linked Password Spraying Hits 300+ Israeli Microsoft 365 Tenants

Iran-Linked Password Spraying Hits 300+ Israeli Microsoft 365 Tenants

An Iran-linked threat actor carried out a large password-spraying campaign against Microsoft 365 environments in Israel and the United Arab Emirates, Check Point said. The activity unfolded in three waves on March 3, March 13, and March 23, 2026, and is assessed to be ongoing.

Check Point said the operation focused on cloud accounts in government, municipal, technology, transportation, energy, and private-sector organizations. “The campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.,” the company added. Activity tied to the same actor was also seen against limited targets in Europe, the United States, the United Kingdom, and Saudi Arabia.

How the attack worked

Password spraying tries a single common password against many usernames. It avoids account lockouts and scales credential discovery. Check Point said the actor staged the campaign in three phases: aggressive scanning or password-spraying from Tor exit nodes, login attempts, and then data exfiltration such as mailbox content.

Check Point noted technical similarities to Gray Sandstorm, a group previously linked to Iran, including the use of red-team tooling and Tor exit nodes. The vendor also flagged use of commercial VPN nodes hosted on autonomous system AS35758, Rachamim Aviel Twito, consistent with other Iran-nexus operations in the region.

Why this matters

Compromising Microsoft 365 accounts can give attackers access to email, collaboration platforms, calendars, and sensitive documents. Insikt Group said the targeting correlated with cities struck by Iranian missiles, which suggests the cyber activity could be used to support damage assessment and kinetic operations.

That link matters because it changes the risk model. When credential theft supports real-world strikes, defenders must treat account protection as a national security priority, not just an IT hygiene task. For more on how to protect yourself from such attacks, see our guide on how to protect yourself from cyber attacks in 10 easy steps.

Related ransomware activity

At the same time, Halcyon and Beazley Security reported renewed activity by Pay2Key, an Iranian ransomware-as-a-service operation. In late February 2026, a U.S. healthcare organization was hit. Beazley and Halcyon said no data was exfiltrated during that incident, a departure from the double extortion pattern Pay2Key used earlier.

Halcyon described the attack chain in detail. The actors used an undetermined access route and a legitimate remote access tool like TeamViewer to get a foothold. They then harvested credentials for lateral movement, disabled Microsoft Defender Antivirus by spoofing a third-party product, deployed ransomware, left a ransom demand, and cleared logs to cover tracks. “By clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware’s own activity is wiped, not just whatever preceded it,” Halcyon said.

Morphisec researcher Ilia Kulmin analyzed a Linux Pay2Key variant and described its capabilities. “The sample is configuration-driven, requires root-level privileges to execute, and is engineered to traverse broad file system scope, classify mounts, and encrypt data using ChaCha20 in full or partial modes,” Kulmin said. Morphisec added that the variant disables defenses, stops services, and installs a reboot-time cron entry so encryption survives restarts.

Practical advice for defenders

Check Point laid out specific mitigation steps. Organizations should monitor sign-in logs for patterns that match password spraying. They should apply conditional access to limit authentication to approved geographic locations. Enforce multi-factor authentication for all users. And enable audit logs to support post-compromise investigation.

Short checklist

  • Review Microsoft 365 sign-in logs for Tor and VPN-based access attempts, Check Point recommended.
  • Enforce MFA and conditional access policies, Check Point said.
  • Enable and retain audit logs for mailbox and sign-in activity.
  • Harden remote-access tools and monitor for living-off-the-land techniques, Halcyon advised.

Bottom line

Multiple security firms are seeing a blur between state-aligned espionage and disruptive ransomware. Insikt Group said ransomware is increasingly incorporated into operations that may serve political or kinetic goals. The combined pattern raises the stakes for basic controls: strong passwords, MFA, conditional access, and log monitoring will limit an attacker’s ability to move from account compromise to operational impact.

Stay alert. Treat account security as a strategic control. And follow vendor guidance from Check Point, Halcyon, Beazley Security, and Morphisec when assessing and hardening your Microsoft 365 environment.

#cybersecurity #Microsoft365 #ransomware #IranCyber #infosec #threatintel