Check Point Research (CPR) has been tracking an extensive password-spraying operation targeting Microsoft 365 environments, conducted by an Iran-linked threat actor with a specific focus on the Middle East.
The campaign was not a single event but a calculated, three-stage offensive. According to CPR, the attack volume peaked in three distinct waves throughout March 2026: March 3, March 13, and March 23.
Unlike traditional brute-force attacks that hammer a single account, this campaign utilized password spraying, a technique that targets multiple accounts across an organization with a set of commonly used passwords. By rotating through multiple source IP addresses, the attackers made it significantly harder for security teams to block them based on simple indicators.
What makes this campaign particularly alarming is its apparent connection to physical military actions. The researchers identified a disturbing trend: the primary targets were municipalities, which are essential for managing a city’s response to physical damage from missiles.

As the report explains:
“We observe some correlation between the targets of this campaign to cities that were targeted by missile attacks from Iran during March. This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts.”
By gaining access to local government emails and systems, the threat actors could potentially monitor how cities were responding to strikes in real-time, allowing them to measure the effectiveness of their physical weaponry.
The operation followed a highly disciplined three-phase cycle to bypass geographic and technical restrictions:
- Scan: Intensive spraying against hundreds of organizations was conducted through frequently changed Tor exit nodes to avoid being blacklisted.
- Infiltrate: Once valid credentials were found, the attackers used VPNs (specifically Windscribe and NordVPN) geolocated within Israel to evade geo-fencing protections.
- Exfiltrate: Finally, they leveraged these valid logins to access sensitive data, such as personal email content.
While the municipal sector was the primary focus, the campaign cast a wide net across Israel and the UAE. In total, over 300 organizations in Israel and more than 25 in the UAE were impacted. Other targeted sectors included:
- Technology & Software (63 organizations)
- Transportation, Logistics, & Aviation (32 organizations)
- Healthcare & Medical (28 organizations)
CPR assesses with “moderate confidence” that this activity aligns with Iranian interests and shares similarities with the known threat group Gray Sandstorm.
To defend against such persistent “double-threat” operations, security experts recommend several critical steps:
- Enforce Multi-Factor Authentication (MFA): This should be applied tenant-wide for all users, with even stricter controls for administrative roles.
- Geo-fencing and Tor Blocking: Use conditional access to restrict logins from unapproved geographic locations and block high-risk networks like Tor.
- Monitor for Anomalies: Keep a close watch on sign-in logs for multiple authentication failures across many accounts coming from the same source.
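As an added illustration (not code from the CPR report), the following Python script applies the anomaly check described above to a constructed set of Microsoft 365 sign-in events: it flags a source IP that fails against many distinct accounts inside a short window (the spray signature, as opposed to many failures against one account) and then surfaces any later successful sign-in from that same source, which is the "infiltrate" stage where a guessed password worked. The event tuples, user names and IPs are invented; the result code 50126 is Entra ID's "invalid username or password" and 0 marks success.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Microsoft 365 / Entra ID sign-in events (not real data).
# Fields: UTC timestamp, user principal name, source IP, result code
# (50126 = invalid username or password, 0 = successful sign-in).
SAMPLE_EVENTS = [
    ("2026-03-03T08:00:00Z", "alice@city.example", "198.51.100.7", 50126),
    ("2026-03-03T08:00:20Z", "bob@city.example", "198.51.100.7", 50126),
    ("2026-03-03T08:00:41Z", "carol@city.example", "198.51.100.7", 50126),
    ("2026-03-03T08:01:05Z", "dave@city.example", "198.51.100.7", 50126),
    ("2026-03-03T08:01:30Z", "erin@city.example", "198.51.100.7", 50126),
    ("2026-03-03T08:02:10Z", "frank@city.example", "198.51.100.7", 0),
    # one account hammered repeatedly from a single source: not a spray
    ("2026-03-03T08:05:00Z", "alice@city.example", "203.0.113.9", 50126),
    ("2026-03-03T08:05:30Z", "alice@city.example", "203.0.113.9", 50126),
    ("2026-03-03T08:06:00Z", "alice@city.example", "203.0.113.9", 0),
]

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return (spray_sources, suspicious_successes).

    spray_sources: source IPs whose failed sign-ins hit at least
    min_users distinct accounts within a trailing `window`.
    suspicious_successes: (user, ip) pairs for successful sign-ins from a
    source that was flagged as spraying, i.e. a likely compromised account.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, code)
        for ts, user, ip, code in events
    )
    failures = defaultdict(list)  # ip -> [(time, user)] of recent failures
    spray_sources = set()
    for t, user, ip, code in parsed:
        if code == 0:
            continue
        failures[ip].append((t, user))
        # drop failures that have aged out of the trailing window
        failures[ip] = [(ft, fu) for ft, fu in failures[ip] if t - ft <= window]
        if len({fu for _, fu in failures[ip]}) >= min_users:
            spray_sources.add(ip)
    suspicious = [(user, ip) for _, user, ip, code in parsed
                  if code == 0 and ip in spray_sources]
    return spray_sources, suspicious
```

Because the campaign rotated Tor exit nodes, a per-IP threshold alone will miss a spray spread thinly across many sources; in practice the same grouping is also run per ASN, per known Tor-exit list, or across all sources for a tenant, with the threshold tuned to the organisation's normal failure rate.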