Intel Node
Iran-Linked Threat Actor Conducts Widespread Password-Spraying Campaign Against Microsoft 365
A sophisticated threat actor with suspected ties to Iran has been actively conducting a widespread password-spraying campaign against Microsoft 365 environments. The campaign, which has occurred in at least three distinct waves since early March 2026, primarily targets organizations in Israel and the United Arab Emirates, with a notable focus on government entities, municipalities, and critical infrastructure sectors. This activity is assessed to be ongoing and represents a significant effort to compromise cloud-based credentials at scale.
The observed attack methodology involves aggressive scanning and password spraying, often originating from Tor exit nodes to obscure the actor's origin. Once valid credentials are obtained, the threat actor logs into the compromised accounts and exfiltrates sensitive data, such as mailbox contents. Analysis of Microsoft 365 logs shows similarities to known Iranian threat groups, including the use of red-team tools and commercial VPN nodes, suggesting a well-resourced and coordinated operation.
The primary impact of this campaign is the potential compromise of sensitive data and disruption of operations for hundreds of organizations across Israel and the UAE. The targeting of government and critical infrastructure sectors elevates the risk to national security and public services. While the immediate focus appears to be on credential harvesting and data exfiltration, the underlying capabilities could be leveraged for more destructive purposes, especially given the geopolitical context.
For security teams, this campaign underscores the persistent threat of password-spraying attacks, particularly against cloud services. Organizations should prioritize robust credential hygiene, including strong, unique passwords and the widespread adoption of multi-factor authentication (MFA). Monitoring sign-in logs for anomalous activity, such as repeated failed sign-in attempts from unusual locations or attempts using common passwords, is crucial for early detection. Implementing conditional access policies that restrict access based on geographic location can further mitigate risk.
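The sign-in-log monitoring recommended above can be expressed as a simple detection: a password spray shows up as one source producing failed sign-ins against many distinct accounts with only one or two attempts each, sometimes followed by a success. The example below is added here and is not code from Intel Node or Microsoft; the record layout, field names and thresholds are constructed for illustration and would need mapping onto real Microsoft 365 / Entra ID sign-in log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data): a low-and-slow
# spray from one source touching five accounts, then a success, plus one
# user at a different address who simply mistyped their password twice.
SIGNIN_LOG = [
    {"ts": "2026-03-05T09:00:05Z", "user": "alice@example.gov", "ip": "198.51.100.7", "ok": False},
    {"ts": "2026-03-05T09:00:41Z", "user": "bob@example.gov",   "ip": "198.51.100.7", "ok": False},
    {"ts": "2026-03-05T09:01:13Z", "user": "carol@example.gov", "ip": "198.51.100.7", "ok": False},
    {"ts": "2026-03-05T09:01:50Z", "user": "dave@example.gov",  "ip": "198.51.100.7", "ok": False},
    {"ts": "2026-03-05T09:02:20Z", "user": "erin@example.gov",  "ip": "198.51.100.7", "ok": False},
    {"ts": "2026-03-05T09:02:55Z", "user": "erin@example.gov",  "ip": "198.51.100.7", "ok": True},
    {"ts": "2026-03-05T09:10:00Z", "user": "frank@example.gov", "ip": "203.0.113.20", "ok": False},
    {"ts": "2026-03-05T09:10:30Z", "user": "frank@example.gov", "ip": "203.0.113.20", "ok": False},
    {"ts": "2026-03-05T09:11:00Z", "user": "frank@example.gov", "ip": "203.0.113.20", "ok": True},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs whose failed sign-ins within one window (measured from
    that source's first failure) hit at least min_users distinct accounts with
    at most max_per_user failures each: the spray shape. Also report whether
    any sprayed account later signed in successfully from the same source,
    which is the case that needs immediate response. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: parse_ts(r["ts"])):
        by_ip[r["ip"]].append(r)
    alerts = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if not e["ok"]]
        if not fails:
            continue
        start = parse_ts(fails[0]["ts"])
        in_window = [e for e in fails if parse_ts(e["ts"]) - start <= window]
        per_user = defaultdict(int)
        for e in in_window:
            per_user[e["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            success_after = any(e["ok"] and e["user"] in per_user for e in events)
            alerts[ip] = {"users": sorted(per_user), "success_after_spray": success_after}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_spray(SIGNIN_LOG).items():
        print(f"possible spray from {ip}: {len(info['users'])} accounts, "
              f"success after spray: {info['success_after_spray']}")
```

Tuning the window and thresholds against the tenant's normal failure rate is what separates a useful alert from noise; the per-user cap is what keeps ordinary mistyped passwords (the second address above) out of the result.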
In conclusion, the ongoing password-spraying campaign highlights the evolving tactics of Iran-nexus threat actors in their pursuit of sensitive data from critical organizations. The observed use of sophisticated techniques to bypass defenses necessitates a proactive and layered security approach, focusing on strong authentication, continuous monitoring, and rapid incident response to counter these persistent threats effectively.