Intel Node

Iran-Linked Threat Actors Conduct Password-Spraying and Ransomware Attacks

Severity: high | Category: APT | Published: 2026-04-09T02:10:42Z

Tags: iran, password spraying, microsoft 365, ransomware, pay2key

A sophisticated, Iran-nexus threat actor has been observed conducting a large-scale password-spraying campaign targeting over 300 Microsoft 365 organizations in Israel and more than 25 in the U.A.E. This activity, which occurred in three distinct waves in March 2026, also saw limited targeting in Europe, the United States, the United Kingdom, and Saudi Arabia. The campaign tries a small set of common passwords against many usernames, a pattern that stays below per-account lockout thresholds, to gain initial access to cloud environments, with a focus on government, technology, transportation, and energy sector entities.

The attack methodology involves aggressive scanning and password-spraying, often originating from Tor exit nodes, followed by login attempts and subsequent data exfiltration, primarily mailbox content. Analysis of Microsoft 365 logs suggests similarities to the tactics employed by Gray Sandstorm (formerly DEV-0343), including the use of red-team tools and commercial VPN nodes associated with Iran-nexus operations. This approach is designed to be stealthy and effective in identifying weak credentials at scale without immediately triggering defensive alerts.

The primary impact of this campaign is the potential compromise of sensitive data and disruption of operations for hundreds of organizations across multiple sectors and geographic regions. The targeting of critical infrastructure and government entities in Israel and the U.A.E. during a period of geopolitical tension elevates the risk. The broader implications include the potential for espionage, further network intrusion, and the disruption of essential services, underscoring the significant threat to national security and economic stability.

Security teams should prioritize monitoring Microsoft 365 sign-in logs for anomalous activity indicative of password spraying and brute-force attempts. Implementing robust conditional access policies, enforcing multi-factor authentication (MFA) for all users, and enabling comprehensive audit logging are critical defensive measures. Understanding the actor's use of Tor and commercial VPNs is essential for refining detection rules and network traffic analysis to identify and block malicious access attempts.
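The sign-in log review recommended above can be expressed as a simple detection: many distinct accounts failing from one source address within a short window, each only a few times, with any later success from that address treated as a likely compromise. The code below is an added example, not from the original report; the log records are constructed in the shape of Entra ID sign-in entries, the addresses are documentation ranges, and the Tor exit list is a hypothetical stand-in for a live feed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (field names follow Entra ID sign-in logs, values are invented).
# errorCode 50126 = invalid username or password; 0 = successful sign-in.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-03-12T08:00:01Z", "userPrincipalName": "a.levi@example.test", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:00:04Z", "userPrincipalName": "b.cohen@example.test", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:00:07Z", "userPrincipalName": "c.mizrahi@example.test", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:00:10Z", "userPrincipalName": "d.peretz@example.test", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:00:13Z", "userPrincipalName": "e.biton@example.test", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:00:16Z", "userPrincipalName": "e.biton@example.test", "ipAddress": "198.51.100.7", "errorCode": 0},
    # Benign noise: one user mistyping their own password twice from an office address.
    {"createdDateTime": "2026-03-12T08:05:00Z", "userPrincipalName": "f.dahan@example.test", "ipAddress": "203.0.113.9", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:05:20Z", "userPrincipalName": "f.dahan@example.test", "ipAddress": "203.0.113.9", "errorCode": 50126},
    {"createdDateTime": "2026-03-12T08:05:40Z", "userPrincipalName": "f.dahan@example.test", "ipAddress": "203.0.113.9", "errorCode": 0},
]

# Hypothetical Tor exit-node set; a real deployment would load a current exit list.
KNOWN_TOR_EXITS = {"198.51.100.7"}

def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def detect_password_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs whose failed sign-ins hit many distinct accounts, each only a few
    times, inside one window: the shape of a spray rather than a brute force on one user.
    Returns one finding per offending IP."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=_ts):
        by_ip[rec["ipAddress"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r["errorCode"] != 0]
        if not failures or _ts(failures[-1]) - _ts(failures[0]) > window:
            continue
        per_user = defaultdict(int)
        for r in failures:
            per_user[r["userPrincipalName"]] += 1
        if len(per_user) < min_users or max(per_user.values()) > max_per_user:
            continue
        # A success from the same IP during or after the spray means a weak credential
        # was found; those accounts need password reset and session revocation first.
        hit = sorted({r["userPrincipalName"] for r in recs if r["errorCode"] == 0})
        findings.append({"ip": ip, "distinct_users": len(per_user), "failures": len(failures),
                         "tor_exit": ip in KNOWN_TOR_EXITS, "successful_after_spray": hit})
    return findings
```

The thresholds are starting points; tune `min_users` and `window` against your tenant's normal failed-sign-in volume so that help-desk password resets do not trip the rule.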

In conclusion, the observed password-spraying campaign and the resurgence of the Pay2Key ransomware group underscore the persistent and evolving threat posed by Iran-linked cyber actors. These operations, characterized by sophisticated techniques and strategic targeting, necessitate a proactive and layered defense strategy to protect critical digital assets and maintain operational resilience in the face of state-sponsored cyber aggression.