Suspected Iran-linked threat actors conducted coordinated password-spraying attacks against Microsoft 365 accounts in March 2026. Researchers identified more than 300 targeted organizations in Israel and more than 25 in the United Arab Emirates. Analysts assess that the operation was meant to support bombing damage assessment (BDA) following recent missile strikes.
Tel Aviv-based Check Point Research reported that the attackers used many source IP addresses and succeeded in compromising a number of accounts. The activity came in three distinct waves, on March 3, March 13 and March 23. While the Middle East bore the brunt of the campaign, a smaller number of targets in the US and Europe saw similar activity.
Technical Methodology
In the initial stage the attackers sprayed a small set of weak, commonly used passwords across hundreds of organizations, the defining trait of password spraying being few attempts per account (enough to stay under lockout thresholds) rather than many attempts against one. The attempts came from frequently rotated Tor exit nodes and carried a User-Agent masquerading as Internet Explorer 10. Once valid credentials were found, the actors logged in from multiple VPN IP addresses, which also let them sidestep location-based access restrictions.
Infrastructure analysis showed overlaps with Gray Sandstorm, including the use of red-team tooling routed through Tor exit nodes. The actors also used commercial VPN nodes hosted in AS35758, infrastructure that has appeared in other recent suspected Iran-linked operations. Using Tor for the spray and commercial VPNs for the follow-on logins is a deliberate layering meant to obscure the true origin of the traffic.
Municipalities play a major role in responding to missile-related physical damage, which makes them high-value targets. Check Point noted a correlation between the organizations hit with password spraying and the cities targeted by missile attacks. "This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment efforts," the researchers wrote.
Other sectors, including technology, transportation, healthcare and manufacturing, also saw attempts during the campaign. The password-spraying campaign coincided with a separate Iran-linked group's compromise of FBI Director Kash Patel's personal email account. Handala Hack, a crew tied to Iran's intelligence agency, posted Patel's data on its website and claimed this was just the beginning.
Strategic Implications
Future operations may expand beyond municipalities to critical infrastructure providers across the Middle East. Organizations should enforce multi-factor authentication on every account, which stops a sprayed password from granting access on its own, although a successful guess still tells the attacker which password is valid, so it should be reset rather than left in place. Sign-in monitoring should look for the spray's own shape: one source hitting many accounts with a handful of failures each, which per-account lockout alerts miss by design. Tor exit lists and legacy User-Agent strings such as the Internet Explorer 10 masquerade are cheap additional signals. The convergence of physical and digital warfare requires updated defense strategies for government and private entities alike.
This campaign underscores the increasing sophistication of state-sponsored actors in the Middle East. Continued monitoring of Microsoft 365 sign-in logs will be essential for detecting similar password-spraying attempts, and security teams should prepare for potential escalation as geopolitical tensions remain high in the region.
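The detection the methodology section and the closing paragraph call for, as an added example that is not Check Point's or Microsoft's code: it groups sign-in failures by source rather than by account, flags a source that fails against many accounts a few times each, tags it with the Tor-exit and legacy User-Agent signals, and then looks for a later successful sign-in by any sprayed account from any address, since the article's actors logged in from VPN nodes rather than the Tor exit that did the spraying. The sign-in records are constructed (documentation IP ranges, example.com users) with simplified field names; real Entra ID sign-in logs carry the same information under userPrincipalName, ipAddress, userAgent and status.errorCode. The exact User-Agent string the attackers used, the Tor exit list and the thresholds are assumptions.

```python
"""Password-spray detection over constructed Microsoft 365 / Entra ID sign-in records.

Added example, not the code of Check Point or of any vendor.  Field names are a
simplification of the real sign-in log schema; see the lead-in for assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real AADSTS code: "Error validating credentials due to invalid username or password".
ERR_INVALID_PASSWORD = 50126
# Marker for the Internet Explorer 10 masquerade the article describes; the exact
# string the attackers sent is not on the page, so this substring is an assumption.
LEGACY_UA_MARKER = "MSIE 10.0"
# Constructed stand-in for a Tor exit list.  In practice load one from a feed such as
# https://check.torproject.org/torbulkexitlist and refresh it regularly.
TOR_EXITS = {"198.51.100.7"}


def build_sample_records():
    """Constructed sign-in log: one spray wave, one follow-on login, some benign noise."""
    t0 = datetime(2026, 3, 13, 9, 0)
    spray_ua = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    records = []
    # Low-and-slow pass: 12 accounts, one failure each, from a single Tor exit.
    for i in range(12):
        records.append({"time": t0 + timedelta(minutes=i), "user": f"user{i:02d}@example.com",
                        "ip": "198.51.100.7", "ua": spray_ua, "error": ERR_INVALID_PASSWORD})
    # user03's password was guessed; the actor later signs in from a VPN address.
    records.append({"time": t0 + timedelta(minutes=40), "user": "user03@example.com",
                    "ip": "203.0.113.9", "ua": spray_ua, "error": 0})
    # Benign noise: one user mistypes twice from the office and then succeeds.
    office_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    for minute, err in ((5, ERR_INVALID_PASSWORD), (6, ERR_INVALID_PASSWORD), (7, 0)):
        records.append({"time": t0 + timedelta(minutes=minute), "user": "bob@example.com",
                        "ip": "192.0.2.44", "ua": office_ua, "error": err})
    return records


def find_spray_sources(records, window=timedelta(hours=1), min_users=10, max_per_user=3):
    """Return {ip: info} for sources that fail against many accounts but few times each.

    Per-account lockout alerts miss this shape by design: every account stays under
    its lockout threshold, so the signal only appears when failures are grouped by
    source.  A source is flagged once any sliding window of its failures covers at
    least min_users distinct accounts with no account hit more than max_per_user times.
    """
    failures = defaultdict(list)
    for r in records:
        if r["error"] == ERR_INVALID_PASSWORD:
            failures[r["ip"]].append(r)
    sources = {}
    for ip, rows in failures.items():
        rows.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(rows)):
            while rows[end]["time"] - rows[start]["time"] > window:
                start += 1
            per_user = defaultdict(int)
            for r in rows[start:end + 1]:
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sources[ip] = {
                    "users": {r["user"] for r in rows},
                    "first": rows[0]["time"],
                    "last": rows[-1]["time"],
                    "legacy_ua": any(LEGACY_UA_MARKER in r["ua"] for r in rows),
                    "tor_exit": ip in TOR_EXITS,
                }
                break
    return sources


def find_follow_on_logins(records, sources, lookahead=timedelta(hours=24)):
    """Successful sign-ins by sprayed accounts after the spray, from any address.

    The match is on the account, not the source: the article's actors used VPN nodes
    for the real logins, so requiring the same IP as the spray would miss them.
    """
    hits = []
    for ip, info in sources.items():
        for r in records:
            if (r["error"] == 0 and r["user"] in info["users"]
                    and info["first"] <= r["time"] <= info["last"] + lookahead):
                hits.append({"user": r["user"], "ip": r["ip"], "time": r["time"],
                             "spray_source": ip, "same_source": r["ip"] == ip})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    recs = build_sample_records()
    sources = find_spray_sources(recs)
    for ip, info in sources.items():
        print(f"spray source {ip}: {len(info['users'])} accounts, "
              f"tor_exit={info['tor_exit']}, legacy_ua={info['legacy_ua']}")
    for h in find_follow_on_logins(recs, sources):
        print(f"follow-on success: {h['user']} from {h['ip']} "
              f"(sprayed by {h['spray_source']}, same source: {h['same_source']})")
```

The thresholds are deliberately the tunable part: in a large tenant a window of an hour with ten accounts and at most three failures each is a reasonable starting point, but a low-and-slow actor can stretch the wave over a day, so the same logic should also be run with a longer window and a higher account count. The office user who mistypes twice is not flagged because the grouping is by source and he is the only account failing from his address.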