Iran-linked hackers exploit Microsoft 365 tenants with password spray attacks
Key Takeaways
- Iranian state-sponsored threat actors are conducting a password spray campaign targeting Microsoft 365 tenants.
- The attacks primarily focus on organizations in the Middle East, particularly Israel and the UAE, affecting over 300 Israeli organizations and 25+ in the UAE, including government, energy, and private sectors.
- Attackers utilize low-volume, widespread credential guessing, employing rotating Tor exit nodes and then commercial VPNs (Windscribe, NordVPN) to evade detection and gain unauthorized access to sensitive cloud data.
- The campaign highlights the effectiveness of basic identity attacks in compromising cloud environments, bypassing traditional malware defenses.
Iranian-Backed Hackers Target Microsoft 365 with Sophisticated Password Spray Attacks
A new cybersecurity report reveals that state-sponsored hackers linked to Iran are actively engaging in a sophisticated password spray campaign against Microsoft 365 cloud environments, primarily focusing on organizations across the Middle East. This activity underscores a persistent trend of nation-state actors leveraging fundamental cloud service vulnerabilities for illicit access, bypassing more complex malware-based intrusions.
The attackers prioritize exploiting weak credentials and exposed cloud accounts rather than deploying malicious software or zero-day exploits. This methodology demonstrates how a basic identity-based attack can still grant extensive access to critical resources such as email, documents, and administrative tools within a target’s cloud tenant.
Campaign Waves and Geographic Focus
The observed campaign unfolded in three distinct waves on March 3, March 13, and March 23, 2026. Analysis indicates a concentrated effort on Israel and the United Arab Emirates. Over 300 organizations in Israel and more than 25 in the UAE were impacted. Smaller clusters of targets were also identified in Europe, the United States, the United Kingdom, and Saudi Arabia.
The scope of targets was broad, encompassing government entities, municipal administrations, energy sector groups, and various private companies. This diverse targeting suggests a wide range of intelligence-gathering or disruptive objectives.
Attribution and Motivation
Following the second wave of attacks, Check Point researchers identified the operation as an Iran-linked campaign. Their moderate-confidence assessment rests on several factors: the specific sectors targeted, the strong regional focus, and the technical patterns observed in login logs. The researchers further postulated a connection between the targeting of Israeli municipalities and support for kinetic operations or post-bombing damage assessment during March.
Password Spraying Tactics
Unlike traditional brute-force attacks that repeatedly attempt to guess the password for a single account, password spraying involves testing a small set of common passwords against a large number of accounts. This technique aims to find valid credentials without triggering lockout policies that would alert defenders to a brute-force attempt on a single user.
A key characteristic of this campaign was the attackers’ use of numerous source IP addresses. This tactic rendered simple IP-based blocking ineffective and allowed the malicious login attempts to blend more easily with routine background login noise, making detection significantly harder.
Once valid credentials were acquired, the threat actors could directly access mailboxes and other sensitive cloud data, circumventing the need for noisy malware deployment that often alerts security systems.
Attack Cycle Breakdown
The attack cycle, as detailed by Check Point, comprised three primary stages: scanning, infiltration, and exfiltration. The login activity exhibited clear bursts, indicating a planned, wave-based approach rather than random scanning.

Scanning Phase
During the initial scanning phase, the attackers frequently rotated Tor exit nodes and employed user agents impersonating Internet Explorer 10 on Windows 7. This continuous rotation of indicators of compromise (IoCs) diminished the efficacy of single-point blocking measures, forcing defenders to analyze broader patterns in timing, volume, and the distribution of failed logins across multiple accounts.

Infiltration and Exfiltration
Upon successfully identifying valid credentials, the infiltration phase commenced. The threat actors then shifted their login operations to commercial VPN ranges, specifically using services like Windscribe and NordVPN, geolocated in Israel. This strategic move likely aimed to bypass geo-restrictions and reduce alerts associated with foreign access attempts.

By leveraging legitimate accounts, the attackers could access personal email content and other sensitive cloud information without generating the “noise” typically associated with malware delivery or destructive actions. The primary focus remained Israeli municipalities, both in terms of the number of organizations targeted and the volume of password-spraying attempts, though government, energy, and private sector entities were also compromised.
What You Should Do
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all Microsoft 365 accounts, especially for administrative roles, as it is the most effective defense against credential theft.
- Strengthen Password Policies: Mandate complex, unique passwords and regularly rotate them. Consider passwordless authentication solutions.
- Monitor Sign-in Logs: Actively monitor and analyze sign-in logs for unusual patterns, such as failed login attempts spread across many different accounts (whether from one source or from many rotating sources), or successful logins from unexpected geographic locations.
- Apply Location-Based Access Controls: Restrict access to Microsoft 365 services based on geographical location, blocking access from known high-risk regions or Tor exit nodes where feasible.
- Block Tor Traffic: Configure network defenses to block or flag connections originating from Tor exit nodes.
- Enable Comprehensive Audit Logging: Ensure all audit logs are enabled and retained for an extended period to facilitate thorough post-compromise investigations.
- User Education: Train employees on the importance of strong passwords and the risks associated with credential-based attacks.
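One way a defender could surface the pattern described in the scanning and sign-in monitoring sections (many accounts each failing only a few times, rotating source IPs, a legacy IE10/Windows 7 user agent, then a success for a sprayed account from a range never seen failing), as an added example that is not from the article or from Check Point's report. It runs over constructed Entra ID-style sign-in records; the field names and the 50126 error code follow Microsoft's sign-in log schema, and the thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict

FAIL_CODE = 50126                        # Entra ID: invalid username or password
LEGACY_UA = "MSIE 10.0; Windows NT 6.1"  # IE10 on Windows 7 string seen in the scanning phase

# Constructed sample log: six accounts each fail once, every attempt from a different
# source IP (rotating exits), then one of those accounts succeeds from a new IP.
SIGNINS = [
    {"ts": f"2026-03-13T02:0{i}:00", "upn": f"user{i}@example.org",
     "ip": f"198.51.100.{i}", "code": FAIL_CODE,
     "ua": f"Mozilla/5.0 (compatible; {LEGACY_UA})"}
    for i in range(1, 7)
] + [{"ts": "2026-03-13T02:40:00", "upn": "user4@example.org",
      "ip": "203.0.113.9", "code": 0, "ua": "Mozilla/5.0 (Windows NT 10.0)"}]


def detect_spray(records, min_accounts=5, max_per_account=2):
    """Flag hourly buckets where many distinct accounts each fail only a few times
    (low-volume, wide-spread guessing), then flag a later success for any account
    that appeared in such a bucket when it comes from an IP never seen failing.
    Thresholds are assumptions; tune them to the tenant's normal failure rate."""
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "ips": set(), "legacy_ua": 0})
    for r in records:
        if r["code"] == FAIL_CODE:
            b = buckets[r["ts"][:13]]                 # hour key, e.g. "2026-03-13T02"
            b["fails"][r["upn"]] += 1
            b["ips"].add(r["ip"])
            b["legacy_ua"] += int(LEGACY_UA in r["ua"])

    alerts, sprayed = [], set()
    for hour, b in sorted(buckets.items()):
        # Wide but shallow: many accounts touched, none hammered hard enough to lock out.
        if len(b["fails"]) >= min_accounts and max(b["fails"].values()) <= max_per_account:
            alerts.append({"type": "spray", "hour": hour, "accounts": len(b["fails"]),
                           "source_ips": len(b["ips"]), "legacy_ua_hits": b["legacy_ua"]})
            sprayed.update(b["fails"])

    # A success for a sprayed account from an address that never produced a failure is
    # the hand-off to the infiltration stage (e.g. the move to VPN ranges); surface it.
    failing_ips = {r["ip"] for r in records if r["code"] == FAIL_CODE}
    for r in records:
        if r["code"] == 0 and r["upn"] in sprayed and r["ip"] not in failing_ips:
            alerts.append({"type": "spray_then_success", "upn": r["upn"],
                           "ip": r["ip"], "ts": r["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SIGNINS):
        print(alert)
```

The spray check deliberately ignores the source IP, since per-IP counting is exactly what the rotation of Tor exits and VPN ranges defeats; the follow-up check is what turns a noisy spray alert into a concrete account to investigate.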
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.