Iran-Linked Password Spray Campaign Targeting M365 in the Middle East

An Iran-linked threat actor conducted a large-scale password spraying campaign against Microsoft 365 cloud environments, primarily in the Middle East. The campaign ran in three waves during March 2026 and focused heavily on Israeli municipalities and UAE organizations. The activity relied on anonymization (Tor exit nodes for the spraying, commercial VPNs for the follow-on logins) and on weak passwords to gain initial access. The operation likely supported broader geopolitical objectives, including intelligence gathering aligned with military activity.

Severity: High

Campaign Timeline & Scale

  • Conducted in three waves: March 3, March 13, and March 23, 2026
  • Impacted:
    • 300+ organizations in Israel
    • 25+ organizations in UAE
    • Additional limited targeting in US, UK, Europe, Saudi Arabia
  • High-volume authentication attempts observed across multiple tenants

Targeting Profile

  • Primary targets: Municipalities (critical for emergency response and infrastructure)
  • Other sectors:
    • Government entities
    • Energy and utilities
    • Aviation and maritime
    • Technology and private sector organizations
  • Notable correlation between targeted municipalities and locations impacted by Iranian missile strikes, indicating possible support for battle damage assessment (BDA)

Attack Details

The actor utilizes a three-phase approach to compromise and exploit target environments:

1. Scan (Reconnaissance):

Conducts high-volume password spraying through rotating Tor exit nodes, so that blocking individual source IPs is ineffective.
Presents an Internet Explorer 10 User-Agent string (the exact value is listed under Recommendations below).

2. Infiltrate (Initial Access):

Once a valid credential is found, the actor completes a full sign-in with it rather than stopping at the spray response.
Uses commercial VPNs (Windscribe and NordVPN) with exit points geolocated in Israel so that the login passes geo-fencing conditional access rules.

3. Exfiltrate (Exploitation):

Uses the authenticated session to collect and exfiltrate sensitive data, particularly personal email content.

Recommendations

  1. Implement Multi-Factor Authentication for all users without exception, applying even stricter controls for privileged or administrative roles.
  2. Enforce strong password policies and require regular updates in accordance with your organization’s specific risk posture.
  3. Configure alerts in sign-in logs to detect multiple authentication failures across numerous distinct accounts originating from a single source IP.
  4. Use conditional access policies to restrict authentication attempts to approved geographic regions only. Note that this actor used VPN exits geolocated in Israel specifically to pass such checks, so treat geo-fencing as a filter that raises the attacker's cost, not as the control that stops the login.
  5. Proactively block high-risk networks, specifically Tor exit nodes, which the actor uses during the initial scanning phase.
  6. Monitor for or block outdated or suspicious User-Agents, such as the Internet Explorer 10 string (Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)) used by this actor.
  7. Ensure that M365 audit logging is fully enabled and retained for a sufficient duration to facilitate post-compromise investigations.
  8. If a password spray is suspected to be successful, immediately review all post-authentication activity for signs of data exfiltration.
  9. Block the IOCs at their respective controls (full collection at the link below):
    https://www.virustotal.com/gui/collection/3e923cb16946ab9caef1f9b85994103932f35f05c442f4d5d49f1abd8319bdb0/iocs
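As an added example (not code from the Check Point report or from this advisory), the Python script below implements recommendations 3, 6 and 8 against constructed M365 sign-in records that use the Entra ID sign-in log field names (userPrincipalName, ipAddress, userAgent, status.errorCode, createdDateTime). It detects the Scan phase (many distinct accounts failing from one source inside a short window, a shape that per-account lockout never sees), matches records against the advisory's published IOC IPs and IE10 User-Agent, and then surfaces the Infiltrate phase: a sprayed account later signing in successfully from a different source. The sample records, the 10-minute window, the 5-account threshold, the 198.51.100.7 and 203.0.113.10 addresses and the example.org accounts are assumptions made for this example; error code 50126 is Entra ID's "invalid username or password" code.

```python
"""Password-spray detection over constructed M365 / Entra ID sign-in records.

Added example; the records below are made up, not real telemetry. The IOC IPs
and the IE10 User-Agent are the indicators published in the advisory above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the advisory.
SPRAY_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
IOC_IPS = {"185.191.204.202", "185.191.204.203", "169.150.227.3",
           "169.150.227.143", "169.150.227.146"}

# Thresholds: assumptions for this example, tune them to your tenant's baseline.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5        # distinct accounts failing from one IP inside WINDOW
ERR_BAD_PASSWORD = 50126      # Entra ID: invalid username or password
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"  # benign sample UA


def rec(ts, upn, ip, ua, code):
    """Build one sign-in record with the Entra ID sign-in log field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "status": {"errorCode": code}}


# Constructed sample: one spray wave (one attempt per account from an IOC IP with the
# IE10 UA), a user who mistypes her password twice, and the sprayed account user3
# signing in successfully an hour later from an unrelated (assumed VPN) address.
SAMPLE_SIGNINS = (
    [rec(f"2026-03-13T02:0{i}:00Z", f"user{i}@example.org", "185.191.204.202",
         SPRAY_USER_AGENT, ERR_BAD_PASSWORD) for i in range(6)]
    + [rec("2026-03-13T02:02:00Z", "alice@example.org", "198.51.100.7", CHROME_UA, ERR_BAD_PASSWORD),
       rec("2026-03-13T02:03:00Z", "alice@example.org", "198.51.100.7", CHROME_UA, ERR_BAD_PASSWORD),
       rec("2026-03-13T02:04:00Z", "alice@example.org", "198.51.100.7", CHROME_UA, 0),
       rec("2026-03-13T03:15:00Z", "user3@example.org", "203.0.113.10", CHROME_UA, 0)]
)


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_spray(records, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: set(users)} for sources whose bad-password failures hit at least
    min_users distinct accounts inside any window-long span (recommendation 3)."""
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            failures[r["ipAddress"]].append((parse_time(r["createdDateTime"]),
                                             r["userPrincipalName"]))
    hits = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):            # sliding window over one source
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return hits


def flag_indicators(records):
    """Per-record matches against the published IOC IPs and the IE10 UA (rec. 5 and 6)."""
    flagged = []
    for r in records:
        reasons = []
        if r["ipAddress"] in IOC_IPS:
            reasons.append("ioc_ip")
        if r["userAgent"] == SPRAY_USER_AGENT:
            reasons.append("ie10_user_agent")
        if reasons:
            flagged.append((r["userPrincipalName"], r["ipAddress"], reasons))
    return flagged


def successes_after_spray(records, sprayed):
    """Successful sign-ins by any account that appeared in a spray, from ANY source.
    Keyed on the account, not the spraying IP: the actor moves to a VPN exit for the
    real login, so an IP-only correlation misses the Infiltrate phase (rec. 8)."""
    sprayed_users = set().union(*sprayed.values()) if sprayed else set()
    return [(r["userPrincipalName"], r["ipAddress"]) for r in records
            if r["status"]["errorCode"] == 0 and r["userPrincipalName"] in sprayed_users]


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_SIGNINS)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} distinct accounts")
    for upn, ip, why in flag_indicators(SAMPLE_SIGNINS):
        print(f"indicator hit {ip} -> {upn}: {', '.join(why)}")
    for upn, ip in successes_after_spray(SAMPLE_SIGNINS, sprays):
        print(f"REVIEW: sprayed account {upn} signed in successfully from {ip}")
```

Run as a script it prints one spray source, six indicator hits and one post-spray success to review. To use it on real data, export sign-in records from the Entra ID sign-in log with the same field names and pass them to the three functions; the follow-on check is deliberately independent of the source IP, because the actor's VPN login would otherwise look like an ordinary successful sign-in.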

IOCs:

IP: 185[.]191[.]204[.]202
IP: 185[.]191[.]204[.]203
IP: 169[.]150[.]227[.]3
IP: 169[.]150[.]227[.]143
IP: 169[.]150[.]227[.]146

Source:

  • https://blog.checkpoint.com/research/iran-nexus-password-spray-campaign-targeting-cloud-environments-with-a-focus-on-the-middle-east/
