A threat actor with links to Iran is suspected of orchestrating a widespread password-spraying campaign targeting Microsoft 365 environments in Israel and the United Arab Emirates. This activity, which cybersecurity firm Check Point assesses as ongoing, coincides with the heightened tensions in the Middle East. The campaign was executed in three distinct waves on March 3, March 13, and March 23, 2026, demonstrating a persistent and coordinated effort to breach organizational defenses.
The attackers employed a classic password-spraying technique, a form of brute-force attack that sidesteps account lockouts: instead of hammering one account with many guesses, the attacker tries a single common password against a large number of usernames, then moves on to the next password, so no individual account sees enough failed attempts to trip its lockout threshold. This method is particularly effective against organizations with weak password policies or without multi-factor authentication (MFA), because a single user who chose a predictable password is enough to give the attacker a valid session. The campaign primarily targeted more than 300 Israeli organizations across sectors including government, military, finance, and law firms, aiming to gain initial access to corporate networks for potential espionage or disruptive operations.
Check Point's analysis revealed that the threat actor used a list of known default and weak passwords, spraying them against user accounts identified through open-source intelligence (OSINT) and possibly earlier data breaches. Routing the attempts through residential proxy networks spread them across many ordinary-looking consumer IP addresses, so per-IP blocking and geography-based rules become weak signals and detection is harder. This campaign underscores a continued focus by Iran-aligned groups on intelligence gathering and cyber espionage against regional adversaries, leveraging relatively simple but effective techniques to exploit common security weaknesses.
Organizations are urged to implement immediate defensive measures. Enforcing strong, unique passwords and deploying MFA for every account are the most critical steps to mitigate such attacks; MFA only helps if legacy authentication protocols that cannot enforce it are blocked as well, since a sprayed password otherwise still works over those channels. Security teams should also monitor for the spray signature itself, namely bursts of failed sign-ins that touch many different accounts with only one or two attempts each, in addition to sign-ins from unfamiliar locations or proxy services, and should use Conditional Access policies that require additional verification for risky sign-ins. This incident serves as a stark reminder that foundational security hygiene remains the most effective defense against a majority of opportunistic cyber intrusions.