{"id":513,"date":"2026-04-06T19:54:38","date_gmt":"2026-04-06T19:54:38","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=513"},"modified":"2026-04-06T19:54:38","modified_gmt":"2026-04-06T19:54:38","slug":"iran-linked-password-spraying-campaign-targets-300-israeli-microsoft-365-organizations","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=513","title":{"rendered":"Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations"},"content":{"rendered":"
\n
<\/a><\/div>\n

An\u00a0Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid\u00a0ongoing conflict in the Middle\u00a0East.<\/p>\n

The\u00a0activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check\u00a0Point.<\/p>\n

\u00abThe campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.,\u00bb the Israeli cybersecurity\u00a0company said<\/a>. \u00abActivity associated with the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi\u00a0Arabia.\u00bb<\/p>\n

The\u00a0campaign is assessed to have targeted the cloud environments of government entities, municipalities, technology, transportation, energy sector organizations, and private-sector companies in the\u00a0region.<\/p>\n

Password spraying is a form of brute-force attack where a threat actor attempts to use a single common password against multiple usernames on the same application. It’s also considered a more effective way to discover weak credentials at scale without triggering rate-limiting\u00a0defenses.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Check\u00a0Point said the technique is known\u00a0to be adopted by Iranian hacking groups\u00a0like Peach\u00a0Sandstorm\u00a0and Gray\u00a0Sandstorm (formerly DEV-0343) in the past to infiltrate target\u00a0networks.<\/p>\n

The\u00a0campaign essentially unfolds over three phases: aggressive scanning or password-spraying conducted from Tor exit nodes, followed by conducting the login process, and exfiltrating sensitive data, such as mailbox\u00a0content.\u00a0<\/p>\n

\u00abAnalysis of M365 logs suggests similarities\u00a0to Gray\u00a0Sandstorm, including the use of red-team tools to conduct these attacks via Tor exit nodes,\u00bb Check Point said. \u00abThe threat actor used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), which aligns with recent activity tied to Iran-nexus operations in the Middle\u00a0East.\u00bb<\/p>\n

\"\"<\/a><\/div>\n

To\u00a0counter the threat, organizations are advised to monitor sign-in logs for signs of password spraying, apply conditional access controls to limit authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logs for post-compromise investigation.<\/p>\n

Iran Revives Pay2Key Operations<\/h3>\n

The\u00a0disclosure comes as a U.S. healthcare organization was targeted in late February 2026\u00a0by Pay2Key, an Iranian ransomware gang with ties to the country’s government. The\u00a0ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in\u00a02020.<\/p>\n

The\u00a0variant deployed in the attack is an upgrade from prior\u00a0campaigns observed in July 2025, using improved evasion, execution, and anti-forensics techniques to achieve its goals. According to Beazley Security and Halcyon, no data was exfiltrated during the attack, a shift from the group’s double extortion\u00a0playbook.\u00a0<\/p>\n

The\u00a0attack is said to have leveraged an undetermined access route to breach the organization, using a legitimate remote access tool like TeamViewer to establish a foothold, then harvest credentials for lateral movement, disarm Microsoft Defender Antivirus by falsely signaling that a third-party antivirus product is active, inhibit recovery, deploy ransomware, drop a ransom note, and clear logs to cover up the\u00a0tracks.<\/p>\n

\u00abBy clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware’s own activity is wiped, not just whatever preceded it,\u00bb\u00a0Halcyon said<\/a>.<\/p>\n

Among\u00a0the key\u00a0changes the group enacted following its return last year was offering affiliates an 80% cut of ransom proceeds, up from 70%, for participating in attacks targeting Iran’s enemies. A\u00a0month later, a Linux variant of the Pay2Key ransomware was detected in the\u00a0wild.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThe sample is configuration-driven, requires root-level privileges to execute, and is engineered to traverse broad file system scope, classify mounts, and encrypt data using ChaCha20 in full or partial modes,\u00bb Morphisec researcher Ilia\u00a0Kulmin said<\/a> in a report published last\u00a0month.<\/p>\n

\u00abBefore encryption, it weakens defenses and removes friction by stopping services, killing processes, disabling SELinux and AppArmor, and installing a reboot-time cron entry. This\u00a0lets the encryptor run faster and survive restarts.\u00bb<\/p>\n

In\u00a0March 2026, Halcyon\u00a0also revealed<\/a> that the administrator\u00a0of Sicarii ransomware, Uke, urged pro-Iranian operators to use Baqiyat 313 Locker (aka BQTlock) due to the influx of affiliate requests. BQTLock, which operates with pro-Palestinian motives, has targeted the U.A.E., the U.S., and Israel since July\u00a02025.<\/p>\n

\u00abIran has a long track record of using cyber operations to retaliate against perceived political slights,\u00bb the cybersecurity\u00a0company said<\/a>. \u00abRansomware is increasingly incorporated into these operations, with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

An\u00a0Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid\u00a0ongoing conflict in the Middle\u00a0East. The\u00a0activity, assessed to be ongoing,…<\/p>\n","protected":false},"author":1,"featured_media":514,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,491,1094,147,162,1093,78],"class_list":["post-513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-campaign","tag-iranlinked","tag-israeli","tag-microsoft","tag-organizations","tag-passwordspraying","tag-targets"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=513"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/513\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/514"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}