Iran-Linked Hackers Hit M365 Tenants in Middle East Password Spray Campaign
Iran-linked threat actors have launched a coordinated password-spraying campaign targeting Microsoft 365 environments across the Middle East, according to new findings.
The activity, observed throughout March 2026, unfolded in three distinct waves on March 3, March 13, and March 23.
The campaign primarily targeted organizations in Israel and the United Arab Emirates, impacting more than 300 entities in Israel and over 25 in the UAE.

Additional limited targeting was also observed in Europe, the United States, the United Kingdom, and Saudi Arabia, indicating broader reconnaissance or opportunistic expansion.
Researchers found that municipalities were the primary targets, particularly in Israel. These organizations play a key role in emergency response and infrastructure management during missile attacks.
Check Point Research (CPR) has been tracking an ongoing password-spraying campaign targeting Microsoft 365 environments.
CPR noted a correlation between targeted municipalities and locations affected by Iranian missile strikes during the same period.
This overlap suggests the campaign may have been designed to support kinetic military operations, specifically enabling intelligence gathering and Bombing Damage Assessment (BDA).
By accessing municipal systems, attackers could potentially gain insight into damage reports, emergency responses, and recovery efforts in near real time.
Beyond municipalities, the attackers also targeted government agencies, energy sector organizations, and private companies, reflecting a broader intelligence collection objective.
Attack Technique and Execution
The campaign relied on password spraying, a technique where attackers attempt to log into multiple accounts using a small set of commonly used or weak passwords.
The attacker then conducted the full login process from VPN IP addresses (Windscribe ip range 185.191.204.X or NordVPN ip range 169.150.227.X) Geolocated in Israel to evade Geo-restrictions.

Unlike brute-force attacks, which focus on a single account, password spraying spreads attempts across many users to avoid account lockouts and detection.
To evade security controls, the attackers used multiple rotating IP addresses, including Tor exit nodes. They also disguised their traffic using a User-Agent string mimicking Internet Explorer 10, helping blend malicious activity with legitimate traffic.
Once valid credentials were obtained, the attackers moved to the infiltration phase. They logged in using commercial VPN services such as Windscribe and NordVPN, often using IP addresses geolocated in Israel. This tactic helped bypass geo-restrictions and reduced suspicion.
In the final stage, the attackers accessed sensitive data, including email content and potentially other cloud-hosted information within compromised Microsoft 365 tenants.
Check Point Research assesses with moderate confidence that the campaign is linked to an Iran-based threat actor.
This conclusion is based on targeting patterns aligned with Iranian strategic interests and technical overlaps with previously identified groups.
The activity shows similarities to known Iran-linked actors such as Gray Sandstorm and Peach Sandstorm, both of which have used password spraying for initial access in past campaigns.

The use of Tor infrastructure, red-team tools, and VPN services tied to AS35758 further supports this attribution.
Mitigations
Organizations using Microsoft 365 are urged to strengthen their defenses against such attacks. Key recommendations include:
- Monitor sign-in logs for unusual patterns, especially multiple failed login attempts across different accounts.
- Implement geo-fencing and block access from anonymization services like Tor.
- Enforce multi-factor authentication (MFA) across all users, particularly for administrative accounts.
- Maintain strong password policies and ensure regular credential updates.
- Enable and retain audit logs to support investigation of suspicious activity.
This campaign highlights how cyber operations are increasingly integrated with geopolitical conflicts, blending digital intrusion with real-world military objectives. Organizations in sensitive regions and sectors should remain on high alert.