Iran-linked hackers exploit Microsoft 365 tenants with password spray attacks


By Marcus Rodriguez, April 7, 2026

Key Takeaways

  • Iranian state-sponsored threat actors are conducting a password spray campaign targeting Microsoft 365 tenants.
  • The attacks primarily focus on organizations in the Middle East, particularly Israel and the UAE, affecting over 300 Israeli organizations and 25+ in the UAE, including government, energy, and private sectors.
  • Attackers utilize low-volume, widespread credential guessing, employing rotating Tor exit nodes and then commercial VPNs (Windscribe, NordVPN) to evade detection and gain unauthorized access to sensitive cloud data.
  • The campaign shows that a basic identity attack, with no malware for endpoint defenses to detect, is still enough to compromise a cloud tenant.

Iranian-Backed Hackers Target Microsoft 365 with Password Spray Attacks

A new report from Check Point describes a sustained password spray campaign by state-sponsored actors linked to Iran against Microsoft 365 tenants, concentrated on organizations across the Middle East. The activity fits a persistent pattern of nation-state actors getting into cloud environments through weak credentials rather than through software vulnerabilities or malware-based intrusions.

The attackers prioritize exploiting weak credentials and exposed cloud accounts rather than deploying malicious software or zero-day exploits. This methodology demonstrates how a basic identity-based attack can still grant extensive access to critical resources such as email, documents, and administrative tools within a target’s cloud tenant.

Campaign Waves and Geographic Focus

The observed campaign unfolded in three distinct waves on March 3, March 13, and March 23, 2026. Analysis indicates a concentrated effort on Israel and the United Arab Emirates. Over 300 organizations in Israel and more than 25 in the UAE were impacted. Smaller clusters of targets were also identified in Europe, the United States, the United Kingdom, and Saudi Arabia.

The scope of targets was broad, encompassing government entities, municipal administrations, energy sector groups, and various private companies. This diverse targeting suggests a wide range of intelligence-gathering or disruptive objectives.

Attribution and Motivation

Following the second wave of attacks, Check Point researchers identified the operation as an Iran-linked campaign. They assess this with moderate confidence, based on the sectors targeted, the strong regional focus, and the technical patterns in the login logs. The researchers further suggested that the targeting of Israeli municipalities may have supported kinetic operations or post-bombing damage assessment during March.

Password Spraying Tactics

Unlike a brute-force attack, which hammers a single account with many password guesses, password spraying tries a small set of common passwords against a large number of accounts, typically one or two guesses per account per round. Because lockout thresholds are counted per account, each account sees only a handful of failures and no lockout fires, while the attacker still covers the whole tenant. The aggregate is visible only when failed sign-ins are viewed across accounts rather than per user.

A key characteristic of this campaign was the attackers’ use of numerous source IP addresses. This tactic rendered simple IP-based blocking ineffective and allowed the malicious login attempts to blend more easily with routine background login noise, making detection significantly harder.

Once valid credentials were acquired, the threat actors could directly access mailboxes and other sensitive cloud data, circumventing the need for noisy malware deployment that often alerts security systems.

Attack Cycle Breakdown

The attack cycle, as detailed by Check Point, comprised three primary stages: scanning, infiltration, and exfiltration. The login activity exhibited clear bursts, indicating a planned, wave-based approach rather than random scanning.

Iran-nexus Password Spraying Volume Over Time – March 2026 (Source: Check Point)

Scanning Phase

During the initial scanning phase the attackers rotated Tor exit nodes frequently and presented a user agent impersonating Internet Explorer 10 on Windows 7. Because the source IP and user agent changed continuously, blocking any single indicator achieved little; defenders instead had to look at the broader pattern: the timing and volume of the bursts and the spread of failed logins across many accounts.

Attack Cycle (Source: Check Point)

Infiltration and Exfiltration

Once valid credentials had been identified, the infiltration phase began. The threat actors shifted their logins to commercial VPN ranges, specifically Windscribe and NordVPN exits geolocated in Israel. This move likely aimed to bypass geo-restrictions and avoid the alerts that foreign sign-ins would trigger, since the session now appeared to originate in the same country as the victim.

Example organization A – Failed sign in attempts for accounts in the tenant (Source: Check Point)

By leveraging legitimate accounts, the attackers could access personal email content and other sensitive cloud information without generating the “noise” typically associated with malware delivery or destructive actions. The primary focus remained Israeli municipalities, both in terms of the number of organizations targeted and the volume of password-spraying attempts, though government, energy, and private sector entities were also compromised.
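The scanning and infiltration pattern described above, expressed as detection logic over sign-in log events. This is an added example, not code from Check Point or from the article. The events it runs on are constructed to match the described behaviour: one guess per account across a tenant, source addresses rotating through a pool, the IE10-on-Windows 7 user agent, and a later success for one sprayed account from a new address. Field names follow the Entra ID sign-in log export, the IP addresses are documentation ranges standing in for Tor exits and VPN endpoints, and the window and thresholds are assumptions a tenant should tune.

```python
"""Password-spray and post-spray login detection over Entra ID sign-in events.

Added example, not Check Point's or Microsoft's code. Every event below is
constructed: 203.0.113.0/24 stands in for rotating Tor exits, 192.0.2.0/24 for
the commercial-VPN pivot, 198.51.100.0/24 for the victim's office.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

IE10_WIN7_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"  # NT 6.1 = Windows 7
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
INVALID_CREDS = 50126   # Entra error code: invalid username or password
SUCCESS = 0


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _event(t, upn, ip, ua, code):
    return {"createdDateTime": t.isoformat(), "userPrincipalName": upn,
            "ipAddress": ip, "userAgent": ua, "errorCode": code}


def build_sample_events():
    """Constructed sample log: a spray wave, benign typo noise, and the infiltration login."""
    t0 = datetime(2026, 3, 13, 2, 0, tzinfo=timezone.utc)
    exit_pool = [f"203.0.113.{n}" for n in (5, 17, 42, 77, 101, 150, 190, 233)]
    # baseline: user17 has previously signed in from the office address
    ev = [_event(t0 - timedelta(days=2), "user17@example.org", "198.51.100.8", CHROME_UA, SUCCESS)]
    for i in range(40):                       # one failed guess per account, ~20 s apart
        ev.append(_event(t0 + timedelta(seconds=20 * i), f"user{i:02d}@example.org",
                         exit_pool[i % len(exit_pool)], IE10_WIN7_UA, INVALID_CREDS))
    for k in range(3):                        # alice mistypes her password from the office
        ev.append(_event(t0 + timedelta(hours=3, seconds=30 * k), "alice@example.org",
                         "198.51.100.8", CHROME_UA, INVALID_CREDS))
    ev.append(_event(t0 + timedelta(hours=3, minutes=2), "alice@example.org",
                     "198.51.100.8", CHROME_UA, SUCCESS))
    # the pivot: a sprayed account succeeds from a VPN address it has never used
    ev.append(_event(t0 + timedelta(hours=6), "user17@example.org", "192.0.2.44", CHROME_UA, SUCCESS))
    return sorted(ev, key=lambda e: _ts(e["createdDateTime"]))


def detect_spray(events, window=timedelta(minutes=30), min_accounts=10, max_per_account=3):
    """Spray signature: many distinct accounts fail within one window, each only a few times.
    One account failing many times (brute force, or a user's typos) does not match."""
    failures = sorted((e for e in events if e["errorCode"] != SUCCESS),
                      key=lambda e: _ts(e["createdDateTime"]))
    alerts, i = [], 0
    while i < len(failures):
        start = _ts(failures[i]["createdDateTime"])
        j = i
        while j < len(failures) and _ts(failures[j]["createdDateTime"]) - start <= window:
            j += 1
        chunk = failures[i:j]
        per_account = Counter(e["userPrincipalName"] for e in chunk)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({
                "start": failures[i]["createdDateTime"], "end": chunk[-1]["createdDateTime"],
                "accounts": sorted(per_account),
                "source_ips": sorted({e["ipAddress"] for e in chunk}),
                "legacy_user_agent": any("MSIE" in e["userAgent"] for e in chunk),
            })
            i = j                               # a burst is reported once
        else:
            i += 1
    return alerts


def detect_post_spray_logins(events, alerts):
    """Infiltration signal: after a spray, a sprayed account succeeds from an address that
    never succeeded for it before. Geo-alerting misses an in-country VPN; the baseline does not."""
    sprayed = {upn for a in alerts for upn in a["accounts"]}
    if not sprayed:
        return []
    spray_end = min(_ts(a["end"]) for a in alerts)
    known_ips, hits = defaultdict(set), []
    for e in sorted(events, key=lambda e: _ts(e["createdDateTime"])):
        if e["errorCode"] != SUCCESS:
            continue
        upn, ip = e["userPrincipalName"], e["ipAddress"]
        if upn in sprayed and ip not in known_ips[upn] and _ts(e["createdDateTime"]) > spray_end:
            hits.append({"account": upn, "ipAddress": ip, "time": e["createdDateTime"]})
        known_ips[upn].add(ip)
    return hits


if __name__ == "__main__":
    sample = build_sample_events()
    found = detect_spray(sample)
    for a in found:
        print(f"spray {a['start']}..{a['end']}: {len(a['accounts'])} accounts from "
              f"{len(a['source_ips'])} IPs, legacy UA={a['legacy_user_agent']}")
    for h in detect_post_spray_logins(sample, found):
        print(f"post-spray login: {h['account']} from {h['ipAddress']} at {h['time']}")
```

The spray check keys on breadth across accounts rather than depth per account, which is exactly why per-account lockout thresholds never fire during such a wave. The second check keeps a per-account baseline of addresses that have previously succeeded, so a login from a VPN exit in the victim's own country, which a country-based alert would wave through, still stands out for an account that appeared in the wave.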

What You Should Do

  • Implement Multi-Factor Authentication (MFA): Require MFA for every Microsoft 365 account, administrators first, so that a guessed password is not sufficient on its own. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, certificate-based authentication) where the tenant supports them.
  • Strengthen Password Policies: Ban common and previously breached passwords, which are exactly the guesses a spray tries, and require unique passwords per account. Forced periodic rotation adds little against spraying and tends to produce predictable variants; move toward passwordless authentication where possible.
  • Monitor Sign-in Logs: Look for the spray signature: many accounts each failing once or twice inside a short window, from many source addresses, often sharing one user agent, rather than one account failing many times. Follow each such wave with a check for successful sign-ins to any account that appeared in it from an address or device that account has not used before.
  • Apply Location-Based Access Controls: Restrict Microsoft 365 sign-ins to the countries the organization operates from where feasible. Treat this as a filter for the scanning phase only: in this campaign the successful logins came from commercial VPN exits geolocated in Israel, so a country allow-list alone would not have stopped them.
  • Block Tor Traffic: Tor exit addresses are published and can be fed into a named location or perimeter block list; keep the list current, since the attackers rotated exits throughout the scan.
  • Enable Comprehensive Audit Logging: Turn on unified audit logging and export sign-in and audit logs to a SIEM or long-term store. Sign-in logs are retained in the portal for at most 30 days by default, and an intrusion that began in early March has to remain reconstructable well after that.
  • User Education: Train employees on choosing strong, unique passwords and on why credential-based attacks succeed without any malware ever reaching their machine.
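The MFA, location and Tor recommendations above as Conditional Access policies created through the Microsoft Graph API. This is an added example rather than code from the article or from Microsoft. The endpoints and the policy and named-location schema are Graph's; the country codes, CIDR ranges, break-glass account id and the GRAPH_TOKEN environment variable are placeholders for the reader's tenant, and the Tor exit list has to be fetched and refreshed by the caller.

```python
"""Conditional Access policies for password spray defence, built for the Microsoft Graph API.

Added example, not the article's or Microsoft's code. Builds three policies
(MFA for every user, block sign-ins outside an approved country list, block a
Tor exit-node IP list) and POSTs them with the standard library. Assumptions:
GRAPH_TOKEN holds a token with Policy.ReadWrite.ConditionalAccess; country
codes, CIDRs and the break-glass account id below are placeholders.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # deploy in report-only first, then "enabled"


def _base(name, state, exclude_users):
    # Common skeleton: all users (minus break-glass accounts) on all cloud apps, all client types.
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def mfa_for_all_policy(exclude_users=(), state=REPORT_ONLY):
    """A guessed password alone is no longer enough to sign in."""
    p = _base("Require MFA for all users", state, exclude_users)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def block_by_location_policy(name, include_locations, exclude_locations=(),
                             exclude_users=(), state=REPORT_ONLY):
    """Block sign-ins matching include_locations unless they also match exclude_locations.
    "All" plus an excluded allow-list implements 'only from approved countries'."""
    p = _base(name, state, exclude_users)
    p["conditions"]["locations"] = {"includeLocations": list(include_locations),
                                    "excludeLocations": list(exclude_locations)}
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def country_location(name, country_codes):
    """Named location by ISO country code; unresolvable geolocations are deliberately not allowed."""
    return {"@odata.type": "#microsoft.graph.countryNamedLocation", "displayName": name,
            "countriesAndRegions": list(country_codes),
            "includeUnknownCountriesAndRegions": False}


def ip_location(name, cidrs):
    """Named location from IPv4 CIDRs, e.g. a freshly fetched Tor exit-node list."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": name,
            "isTrusted": False,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
                         for c in cidrs]}


def graph_post(token, path, body):
    req = urllib.request.Request(f"{GRAPH}{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def deploy(token, break_glass_user_id, approved_countries, tor_exit_cidrs):
    """Create the named locations, then the three policies; returns the new policy ids."""
    loc_path = "/identity/conditionalAccess/namedLocations"
    approved = graph_post(token, loc_path, country_location("Approved countries", approved_countries))["id"]
    tor = graph_post(token, loc_path, ip_location("Tor exit nodes", tor_exit_cidrs))["id"]
    policies = [
        mfa_for_all_policy([break_glass_user_id]),
        block_by_location_policy("Block sign-in outside approved countries", ["All"], [approved],
                                 [break_glass_user_id]),
        block_by_location_policy("Block Tor exit nodes", [tor], (), [break_glass_user_id]),
    ]
    return [graph_post(token, "/identity/conditionalAccess/policies", p)["id"] for p in policies]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:  # placeholders: replace with the tenant's values and a current Tor exit list
        print(deploy(token, os.environ["BREAK_GLASS_USER_ID"], ["IL", "AE"], ["203.0.113.0/24"]))
    else:      # offline: show the payload that would be sent
        print(json.dumps(block_by_location_policy("Block Tor exit nodes", ["<tor-location-id>"]), indent=2))
```

Every policy is created in report-only state so the sign-in logs show what it would have blocked before it is enforced, and a break-glass account is excluded from all three so a mistake cannot lock administrators out. The country policy only narrows the scanning phase: once the operators switched to VPN exits geolocated in the victim's country, as the report describes, it is the MFA requirement, not the location filter, that keeps a guessed password from turning into a session.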

All Rights Reserved by HackersRadar ©2026