What Happened

An advanced persistent threat (APT) group with ties to Iran is carrying out a password-spraying campaign aimed at Microsoft 365 environments. The campaign targets organizations in Israel and the United Arab Emirates (U.A.E.) aligned with ongoing regional conflicts. Check Point Research identified the attacks occurring in three distinct waves on March 3, March 13, and March 23, 2026, indicating a prolonged and organized effort.

According to the report, the focus on Microsoft 365 environments suggests a strategic interest in gaining access to sensitive information stored within enterprise email accounts and associated cloud services. These attacks coincide with rising geopolitical tensions, underscoring the potential motivations of state-sponsored intelligence gathering.

Technical Details

The threat actor employed a password-spraying technique, which involves attempting to access many accounts with a small number of commonly used passwords. This method is effective at exploiting weak security policies, especially in organizations that do not enforce strong password requirements.

Indicators of Compromise (IOCs) include anomalous logins from IP addresses associated with Iranian infrastructure and login attempts spread across various IP ranges. The attack did not exploit any software vulnerability; it took advantage of weak password policies and inadequate monitoring, so no CVE IDs are associated with this campaign. The affected organizations were running older, improperly configured Microsoft 365 tenants that lacked strong threat detection.

Check Point highlighted that the attack vector depends on the absence of multi-factor authentication (MFA), which makes enforcing MFA a critical control for organizations to put in place.
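The "many accounts, few passwords" pattern described above is exactly what a SIEM detection rule (the monitoring recommended later under "What To Do") can look for in Microsoft 365 sign-in logs. The following is an added example, not code from Check Point or from Microsoft: the sign-in records, the account names and the IP addresses are constructed, and the function names and thresholds are the author's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified sign-in log shape
# (timestamp, account, source IP, result); not real log entries.
SIGN_INS = [
    ("2026-03-13T08:00:01Z", "alice@example.com", "203.0.113.5", "failure"),
    ("2026-03-13T08:00:09Z", "bob@example.com", "203.0.113.5", "failure"),
    ("2026-03-13T08:00:17Z", "carol@example.com", "203.0.113.5", "failure"),
    ("2026-03-13T08:00:25Z", "dave@example.com", "203.0.113.5", "failure"),
    ("2026-03-13T08:00:33Z", "erin@example.com", "203.0.113.5", "failure"),
    ("2026-03-13T08:00:41Z", "frank@example.com", "203.0.113.5", "success"),
    # One user mistyping their own password twice is not spraying.
    ("2026-03-13T08:05:00Z", "alice@example.com", "198.51.100.9", "failure"),
    ("2026-03-13T08:05:30Z", "alice@example.com", "198.51.100.9", "failure"),
    ("2026-03-13T08:06:00Z", "alice@example.com", "198.51.100.9", "success"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window_minutes=60, min_accounts=5,
                          max_per_account=3):
    """Flag IPs whose failures in one window touch >= min_accounts distinct
    accounts with <= max_per_account failures each: many accounts, few guesses
    per account, which separates spraying from brute force on one user."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "failure":
            failures[ip].append((parse_ts(ts), account))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window start
            per_account = defaultdict(int)
            for ts, account in fails[i:]:
                if ts - start > window:
                    break
                per_account[account] += 1
            sprayed = [a for a, n in per_account.items() if n <= max_per_account]
            if len(sprayed) >= min_accounts:
                alerts[ip] = sorted(sprayed)
                break
    return alerts

def accounts_hit(events, alerts):
    """Accounts that a flagged IP then signed into successfully: reset these first."""
    return sorted({a for _, a, ip, r in events if ip in alerts and r == "success"})
```

On the sample data only 203.0.113.5 is flagged, and the one successful sign-in from it (frank@example.com) is the account to investigate and reset; the thresholds should be tuned to the tenant's normal failure rate.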

Impact

The campaign primarily targets sectors likely to hold strategic or military value in the ongoing Middle Eastern conflict, including defense contractors, government agencies, and technology firms. The scale of the attack is significant, given the importance of the regions and industries affected.

If successful, the attacks could lead to unauthorized access to sensitive emails and documents, jeopardizing confidential communications and strategic initiatives of the targeted nations. This breach of security has broader implications for regional stability and the protection of critical infrastructure.

What To Do

  • Implement Multi-Factor Authentication (MFA): Enforce MFA for all staff to mitigate risk from password-spraying attacks.
  • Review and Strengthen Password Policies: Mandate strong, unique passwords across the organization to reduce password guessability.
  • Monitor Anomalous Activity: Utilize security information and event management (SIEM) tools to detect unusual login patterns and promptly investigate anomalies.
  • Geo-Blocking: Consider blocking logins from Iranian IP addresses if they are not necessary for business operations.
  • Regular Security Audits: Perform regular security audits to identify and patch weaknesses in cloud service configurations.
  • User Training: Conduct regular cybersecurity awareness training sessions to educate employees on recognizing phishing attempts and the importance of password hygiene.

Taking these steps is crucial for organizations to defend against this and similar campaigns in the future. Given the ongoing nature of the threat, continually updating defense mechanisms and awareness programs is necessary to safeguard sensitive information from state-sponsored cyber espionage efforts.
