Iran-Linked Hackers Spray 300+ Israeli M365 Tenants
Check Point tracks an Iran-nexus campaign targeting Microsoft 365 accounts across 300+ Israeli organizations and 25+ UAE entities. Attackers use Tor exit nodes and Israeli VPNs to evade detection.
An Iran-nexus threat actor has conducted a sustained password-spraying campaign against Microsoft 365 environments in Israel and the UAE, impacting more than 300 Israeli organizations and over 25 UAE entities according to Check Point research. Secondary activity targeted organizations in Europe, the United States, the United Kingdom, and Saudi Arabia.
The campaign executed in three distinct waves on March 3, 13, and 23, 2026, suggesting a coordinated operation with specific targeting objectives rather than opportunistic credential stuffing.
Attack Methodology
Password spraying differs from traditional brute-force attacks by attempting common passwords across many accounts simultaneously rather than trying many passwords against single accounts. This approach evades account lockout mechanisms that trigger after repeated failed attempts on individual accounts.
The attackers used frequently rotated Tor exit nodes for initial authentication attempts, with User-Agent strings masquerading as Internet Explorer 10—a dated browser choice that may evade some detection rules focused on modern browser fingerprints. Once valid credentials were identified, the attackers switched to VPN IP addresses geolocated in Israel, presumably to bypass geographic access restrictions.
This technique demonstrates operational security awareness. By separating the credential discovery phase (via Tor) from the access phase (via Israeli VPNs), the attackers complicate correlation between the two activities.
Targeted Sectors
Check Point's analysis identified targets across government entities, municipalities, technology companies, transportation, energy sector organizations, and private businesses. The breadth of targeting suggests strategic intelligence collection rather than financially motivated intrusion.
The timing and scope of the campaign coincide with heightened tensions in the region, though Check Point did not attribute the activity to a specific Iranian government unit. Known Iranian threat actors including Peach Sandstorm and Gray Sandstorm have historically used password spraying as an initial access vector for espionage operations targeting cloud environments.
Detection and Defense
Microsoft 365 administrators should review sign-in logs for indicators associated with this campaign:
- Failed authentication attempts from Tor exit nodes
- Successful logins from Israeli VPN providers without corresponding user travel
- Internet Explorer 10 User-Agent strings (uncommon in modern enterprise environments)
- Authentication patterns matching the March 3, 13, and 23 attack waves
Organizations with conditional access policies restricting authentication to known locations may have blocked the credential access phase, but attackers could still have validated credentials for future use.
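The sign-in log review described above, expressed as detection logic run over constructed sample records, is an added example and not part of Check Point's research or any Microsoft tooling. It models records on Entra ID sign-in log fields (user principal name, IP, timestamp, error code, User-Agent, country); the Tor exit list, IP addresses, account names and timestamps are invented for the example, and a real deployment would load the published Tor exit list and query the tenant's actual sign-in logs.

```python
"""Flag the sign-in log indicators discussed in the article: password-spray
sources, Internet Explorer 10 User-Agents, and Tor-failure-then-success
sequences on the same account. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0 Safari/537.36"

# Constructed Tor exit list (TEST-NET addresses). A real deployment would
# load the published exit node list instead of hard-coding it.
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}

# Constructed records modelled on Entra ID sign-in log fields.
# errorCode 0 = success; 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    # Normal user: one typo, then success from the office address
    {"user": "a.levi@example.test", "ip": "203.0.113.10", "time": "2026-03-02T08:00:00Z",
     "errorCode": 50126, "ua": CHROME_UA, "country": "IL"},
    {"user": "a.levi@example.test", "ip": "203.0.113.10", "time": "2026-03-02T08:00:40Z",
     "errorCode": 0, "ua": CHROME_UA, "country": "IL"},
    # Spray wave: one Tor exit, one failure each against many accounts, IE10 UA
    {"user": "a.levi@example.test", "ip": "198.51.100.7", "time": "2026-03-03T02:01:00Z",
     "errorCode": 50126, "ua": IE10_UA, "country": "DE"},
    {"user": "b.cohen@example.test", "ip": "198.51.100.7", "time": "2026-03-03T02:01:30Z",
     "errorCode": 50126, "ua": IE10_UA, "country": "DE"},
    {"user": "c.mizrahi@example.test", "ip": "198.51.100.7", "time": "2026-03-03T02:02:00Z",
     "errorCode": 50126, "ua": IE10_UA, "country": "DE"},
    {"user": "d.peretz@example.test", "ip": "198.51.100.7", "time": "2026-03-03T02:02:30Z",
     "errorCode": 50126, "ua": IE10_UA, "country": "DE"},
    # Next day: b.cohen "succeeds" from an Israeli VPN address with a modern UA
    {"user": "b.cohen@example.test", "ip": "192.0.2.44", "time": "2026-03-04T09:15:00Z",
     "errorCode": 0, "ua": CHROME_UA, "country": "IL"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_legacy_ie_ua(ua):
    """True for User-Agents claiming Internet Explorer 10 (MSIE 10 / Trident 6)."""
    return "MSIE 10.0" in ua or "Trident/6.0" in ua


def legacy_ua_signins(records):
    """Return every record whose User-Agent claims to be Internet Explorer 10."""
    return [r for r in records if is_legacy_ie_ua(r["ua"])]


def detect_spray_sources(records, window=timedelta(hours=1), min_users=3):
    """Return {ip: distinct_user_count} for source IPs that failed against at
    least min_users different accounts inside some window-long interval.
    Counting distinct users (not attempts) is what separates a spray from one
    account being brute-forced, which lockout policies already catch."""
    failures = defaultdict(list)
    for r in records:
        if r["errorCode"] != 0:
            failures[r["ip"]].append((parse_time(r["time"]), r["user"]))
    sources = {}
    for ip, events in failures.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            sources[ip] = best
    return sources


def detect_tor_then_success(records, tor_exits, window=timedelta(days=7)):
    """Return sorted (user, tor_ip, later_ip, country) tuples for accounts that
    failed from a Tor exit and then succeeded from a non-Tor address within
    the window: the discovery-then-access pattern the campaign used."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    hits = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda r: parse_time(r["time"]))
        for tf in (r for r in evs if r["errorCode"] != 0 and r["ip"] in tor_exits):
            t0 = parse_time(tf["time"])
            for r in evs:
                t = parse_time(r["time"])
                if r["errorCode"] == 0 and r["ip"] not in tor_exits and t0 < t <= t0 + window:
                    hits.add((user, tf["ip"], r["ip"], r["country"]))
                    break
    return sorted(hits)


if __name__ == "__main__":
    print("IE10 User-Agent sign-ins:", len(legacy_ua_signins(SAMPLE_SIGNINS)))
    print("spray sources:", detect_spray_sources(SAMPLE_SIGNINS))
    print("Tor failure then success:", detect_tor_then_success(SAMPLE_SIGNINS, TOR_EXITS))
```

On the constructed data the spray detector reports the single Tor exit that touched four accounts in under two minutes, the legitimate user's one typo from the office address is ignored, and the Tor-then-success check surfaces the account whose later login from an Israeli address follows a Tor failure. Tuning `min_users` and `window` to the tenant's normal failure rate is the main design choice; the distinct-user count is deliberately the signal, since per-account lockout thresholds are exactly what spraying is built to stay under.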
Mitigation Recommendations
- Enforce MFA universally: Password spraying becomes significantly harder when valid credentials alone aren't sufficient for access. Phishing-resistant MFA methods like FIDO2 security keys provide the strongest protection.
- Implement password protection: Azure AD Password Protection can block commonly sprayed passwords at the point of creation.
- Block legacy authentication: Internet Explorer 10 shouldn't appear in enterprise authentication logs. Legacy authentication protocols that don't support modern security features should be disabled.
- Enable sign-in risk policies: Microsoft's Identity Protection can detect anomalous authentication patterns and require additional verification.
- Monitor for impossible travel: Alert on authentication from Israel (or other expected locations) following recent Tor activity from the same account.
Regional Context
The campaign reflects ongoing cyber operations in the Middle East, where nation-state actors routinely target government and critical infrastructure organizations. Iranian threat actors in particular have demonstrated sustained interest in Microsoft 365 environments as repositories of sensitive communications and documents.
For organizations in the affected regions, this campaign should prompt a review of cloud security posture. Password-only authentication for cloud resources is increasingly untenable given the volume and sophistication of credential attacks.
The campaign's three-wave structure also suggests ongoing activity. Organizations that believe they were targeted should assume the attackers may attempt follow-up operations using any credentials successfully harvested during the spraying phases.
Check Point's research did not indicate whether any organizations suffered confirmed breaches as a result of the campaign. However, the operational pattern—credential harvesting followed by VPN-based access—suggests the attackers intended to establish persistent access rather than simply validate credentials.