Iran-linked password spraying campaign targets hundreds of Israeli Microsoft 365 tenants

April 7, 2026 | 6 min read | 3 sources

Geopolitical tensions spill into cyberspace

A persistent and widespread password-spraying campaign is targeting hundreds of Microsoft 365 environments in Israel and the United Arab Emirates. Cybersecurity firm Check Point has attributed the activity to an Iran-nexus threat actor, linking the operation to the ongoing geopolitical conflict in the Middle East. The campaign represents a significant effort to gain initial access to a wide array of organizations for intelligence gathering and potential future operations.

According to a report from Check Point, the activity has been ongoing, with researchers identifying three distinct attack waves on March 3, March 13, and March 23, 2026. The attackers are systematically targeting over 300 organizations, indicating a coordinated and well-resourced operation. This campaign does not rely on sophisticated zero-day exploits but rather on a classic, high-volume technique that preys on weak identity security practices, proving once again that foundational security measures are paramount.

Technical details: A low-and-slow assault on the cloud

The primary attack vector is password spraying, a method distinct from a typical brute-force attack. Instead of trying thousands of passwords against a single user account, password spraying involves attempting a small number of common passwords (e.g., "Winter2026!", "Q12026", "Password123") against a very large list of user accounts. This "low-and-slow" approach is designed to circumvent security policies that lock out an account after a few failed login attempts, making it much harder to detect.

Microsoft 365 is a high-value target for several reasons. Its ubiquity in the corporate and government world means it holds a treasure trove of sensitive data, from internal emails and strategic documents to contact lists and personal information. For a nation-state actor, compromising an organization's cloud tenant is equivalent to gaining a persistent foothold inside its digital headquarters.

The TTPs (Tactics, Techniques, and Procedures) observed in this campaign align with previously documented Iranian state-sponsored groups like Phosphorus (APT35) and MuddyWater. These groups are known for their proficiency in credential harvesting and social engineering. Key technical markers of the campaign include:

  • Obfuscated Origins: To mask their true location and evade simple IP-based blocking, the attackers are routing their malicious login attempts through a distributed network of proxy servers and commercial VPN service providers. This makes attribution difficult and complicates defensive measures for security teams.
  • Reconnaissance: Before the attacks, the threat actor likely conducted extensive open-source intelligence (OSINT) gathering to build lists of target email addresses. This often involves scraping company websites, professional networking sites like LinkedIn, and other public sources to determine valid account usernames.
  • Post-Compromise Actions: Once an account is successfully compromised, the goal shifts from access to persistence and data exfiltration. Attackers have been observed creating new inbox rules to automatically forward sensitive emails to external accounts they control. In other cases, they attempt to enroll their own device for multi-factor authentication (MFA) on the compromised account, effectively locking out the legitimate user and securing their own access.

A particularly dangerous post-compromise technique is the abuse of OAuth applications. Attackers can trick a user into granting consent to a malicious third-party application, which then receives persistent access tokens to read mailbox data, access files in OneDrive, and perform other actions on behalf of the user, often without needing the user's password for future access.
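A defender-side way to look at the consent problem described above is to triage the permission grants that already exist in the tenant. The script below is an added example, not code from the Check Point report or from Microsoft. The grant records are constructed inline in the shape of Microsoft Graph oauth2PermissionGrant objects (clientId, consentType, principalId, scope); the scope risk classes, the app names and the approved-app allowlist are assumptions for illustration.

```python
"""Triage of OAuth permission grants in a Microsoft 365 tenant.

Added example (not from the Check Point report or a Microsoft tool). The grant
records are constructed in the shape of Microsoft Graph oauth2PermissionGrant
objects (clientId, consentType, principalId, scope); the risk classes and the
approved-app allowlist are assumptions for illustration.
"""

# Delegated scopes that let an app read or alter the mailbox and files on the
# user's behalf. MailboxSettings.ReadWrite is the permission an app needs to
# create inbox (forwarding) rules through Graph.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
}
# offline_access yields a refresh token: access that outlives the session and
# keeps working without the user's password until the grant or token is revoked.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample data: service-principal ids, display names, allowlist.
APP_NAMES = {
    "sp-crm-0001": "Corporate CRM connector",
    "sp-unknown-7a": "Mail Productivity Helper",
    "sp-unknown-7b": "Calendar Widget",
    "sp-unknown-7c": "Doc Sync Tool",
}
APPROVED_CLIENTS = {"sp-crm-0001"}   # reviewed and approved by the tenant admins

GRANTS = [
    {"id": "g1", "clientId": "sp-crm-0001", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Read offline_access User.Read"},
    {"id": "g2", "clientId": "sp-unknown-7a", "consentType": "Principal",
     "principalId": "user-bob",
     "scope": "Mail.Read MailboxSettings.ReadWrite offline_access User.Read"},
    {"id": "g3", "clientId": "sp-unknown-7b", "consentType": "Principal",
     "principalId": "user-carol", "scope": "openid profile User.Read"},
    {"id": "g4", "clientId": "sp-unknown-7c", "consentType": "Principal",
     "principalId": "user-dave", "scope": "Files.Read.All User.Read"},
]


def assess_grant(grant, approved=APPROVED_CLIENTS):
    """Return a finding dict for a risky grant, or None if it needs no action."""
    if grant["clientId"] in approved:
        return None
    scopes = set(grant["scope"].split())          # scope is space-separated
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if not risky:
        return None
    persistent = PERSISTENCE_SCOPE in scopes
    tenant_wide = grant["consentType"] == "AllPrincipals"
    return {
        "grant": grant["id"],
        "app": APP_NAMES.get(grant["clientId"], grant["clientId"]),
        "granted_by": "admin (tenant-wide)" if tenant_wide else grant["principalId"],
        "risky_scopes": risky,
        "persistent": persistent,
        # mailbox/file access plus a refresh token is the pattern the article describes
        "severity": "high" if persistent else "medium",
    }


def triage(grants, approved=APPROVED_CLIENTS):
    """Assess every grant and return findings, highest severity first."""
    findings = [f for f in (assess_grant(g, approved) for g in grants) if f]
    findings.sort(key=lambda f: (f["severity"] != "high", f["grant"]))
    return findings


if __name__ == "__main__":
    for f in triage(GRANTS):
        print(f"[{f['severity']}] grant {f['grant']}: {f['app']} consented by "
              f"{f['granted_by']} with {', '.join(f['risky_scopes'])}"
              f"{' + offline_access' if f['persistent'] else ''}")
```

In a live tenant the same records come from the Graph `oauth2PermissionGrants` collection rather than the constructed list; the fix for a confirmed bad grant is to delete the grant and revoke the user's refresh tokens, since deleting the grant alone does not invalidate tokens already issued.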

Impact assessment: Espionage and strategic positioning

The primary impact of this campaign is widespread espionage. The attackers are likely seeking intelligence related to government policy, military operations, critical infrastructure, and advanced technology. The sectors targeted are broad, spanning from government and defense contractors to technology firms and financial services. A successful breach of any of these organizations could provide Tehran with a significant strategic advantage.

The severity of the impact on a compromised organization can be immense:

  • Data Exfiltration: The theft of intellectual property, state secrets, and sensitive commercial data can lead to severe economic and national security repercussions.
  • Foundation for Future Attacks: Gaining initial access is often just the first step. A compromised M365 account can be used as a launchpad for more destructive attacks, such as deploying ransomware, wiping data, or conducting sophisticated business email compromise (BEC) fraud.
  • Supply Chain Risk: If an IT service provider or a company with a wide partner network is compromised, the threat actor can leverage that access to attack connected organizations, creating a cascading effect.

For individuals within these organizations, the compromise of their work account can lead to the exposure of personal data and make them targets for further social engineering or blackmail. The scale of this campaign—targeting over 300 organizations—indicates an effort to cast a wide net, gathering as much intelligence as possible while probing for high-value targets for deeper penetration.

How to protect yourself: Raising the cost of entry

Defending against password spraying requires a focus on strong identity and access management. While the threat is persistent, the following actionable steps can dramatically reduce the risk of a successful compromise.

  1. Enforce Multi-Factor Authentication (MFA): This is the single most effective defense. Even if an attacker guesses a correct password, they cannot access the account without the second factor (e.g., a code from an app, a physical key). Enforce MFA for all users, without exception, especially for administrative accounts.
  2. Implement Conditional Access Policies: Use Microsoft's Conditional Access features to block or challenge authentication attempts from anomalous or high-risk sources. This can include blocking logins from countries where your organization does not operate, requiring MFA for logins from unfamiliar networks, or flagging sign-ins from anonymizing services.
  3. Monitor Sign-in and Audit Logs: Actively monitor Microsoft 365 and Azure AD logs for signs of password spraying. Look for high numbers of failed login attempts from disparate IP addresses against multiple accounts. Investigate successful logins from unusual locations immediately. Alerts for new MFA device registrations or the creation of suspicious mail forwarding rules are critical indicators of compromise.
  4. Eliminate Weak and Common Passwords: Implement password policies that block users from choosing easily guessable passwords. Use Azure AD Password Protection to block common passwords and custom terms relevant to your organization (e.g., your company name, local sports teams).
  5. Conduct User Training: Educate employees on the importance of password hygiene and how to spot phishing attempts. While password spraying doesn't require user interaction, a compromised account is often used to phish other employees internally, where trust levels are higher.
  6. Audit OAuth Application Consents: Regularly review and revoke permissions for third-party applications that have access to your M365 environment. Limit the ability of standard users to grant consent to new applications.
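The detection logic behind step 3, applied to the technique described earlier in the article (one guess against many accounts rather than many guesses against one), looks like the script below. It is an added example, not code from the Check Point report or from Microsoft. The records are constructed inline in the shape of Microsoft Entra ID (Azure AD) sign-in log entries; the distinct-account threshold and the time window are assumptions that a team would tune for its own tenant.

```python
"""Password-spray and success-after-spray detection over Entra ID sign-in records.

Added example (not from the Check Point report or Microsoft). The records below
are constructed in the shape of Microsoft Entra ID sign-in log entries; the
thresholds are assumptions to tune per tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SUCCESS = 0
FAILURE_CODES = {50126, 50053}   # AADSTS50126 bad password, AADSTS50053 account locked
MIN_DISTINCT_USERS = 5           # assumed: one source failing against >= 5 accounts
WINDOW = timedelta(hours=1)      # inside any one-hour window is treated as a spray


def rec(t, user, ip, code):
    """Build a minimal sign-in record (constructed sample data)."""
    return {"createdDateTime": t, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


SIGNINS = [
    # spray source: one attempt per account against many accounts, then one hit
    rec("2026-03-13T02:00:00Z", "alice@example.org", "203.0.113.10", 50126),
    rec("2026-03-13T02:04:00Z", "bob@example.org",   "203.0.113.10", 50126),
    rec("2026-03-13T02:09:00Z", "carol@example.org", "203.0.113.10", 50126),
    rec("2026-03-13T02:15:00Z", "dave@example.org",  "203.0.113.10", 50126),
    rec("2026-03-13T02:21:00Z", "erin@example.org",  "203.0.113.10", 50126),
    rec("2026-03-13T02:27:00Z", "frank@example.org", "203.0.113.10", 0),
    # legitimate user mistyping twice, then succeeding: one account, one IP
    rec("2026-03-13T08:30:00Z", "alice@example.org", "198.51.100.7", 50126),
    rec("2026-03-13T08:30:40Z", "alice@example.org", "198.51.100.7", 50126),
    rec("2026-03-13T08:31:10Z", "alice@example.org", "198.51.100.7", 0),
    # second source probing a few accounts hours apart: below the threshold
    rec("2026-03-13T03:00:00Z", "gina@example.org",  "203.0.113.11", 50126),
    rec("2026-03-13T03:30:00Z", "hank@example.org",  "203.0.113.11", 50126),
    rec("2026-03-13T09:00:00Z", "ivan@example.org",  "203.0.113.11", 50126),
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_spray_sources(records, min_users=MIN_DISTINCT_USERS, window=WINDOW):
    """Return {ip: sorted distinct accounts} for every source IP whose failed
    sign-ins touch at least `min_users` distinct accounts within one `window`.
    Per-account failure counts are deliberately ignored: a spray shows up as
    many accounts with one failure each, which lockout policies never see."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in FAILURE_CODES:
            failures[r["ipAddress"]].append(
                (_ts(r["createdDateTime"]), r["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        in_window, start = Counter(), 0
        for t_end, user in events:
            in_window[user] += 1
            while t_end - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


def successes_from_spray_sources(records, spray_sources):
    """Accounts that signed in successfully from a flagged source: these are the
    guesses that landed and need immediate investigation."""
    return [(r["userPrincipalName"].lower(), r["ipAddress"], r["createdDateTime"])
            for r in records
            if r["ipAddress"] in spray_sources and r["status"]["errorCode"] == SUCCESS]


if __name__ == "__main__":
    sources = find_spray_sources(SIGNINS)
    for ip, users in sources.items():
        print(f"spray source {ip}: {len(users)} accounts -> {', '.join(users)}")
    for user, ip, when in successes_from_spray_sources(SIGNINS, sources):
        print(f"INVESTIGATE: {user} signed in from spray source {ip} at {when}")
```

The second source in the sample is left unflagged on purpose: three accounts spread over six hours is below the assumed threshold, and a real campaign routed through many proxies (as the article describes) will look like many such low-volume sources, so the next refinement is to aggregate by ASN or by the user agent string rather than by single IP.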

This campaign is a stark reminder that even well-established attack techniques remain effective when foundational security controls are absent. As nation-states continue to use cyberspace as an arena for conflict, organizations must prioritize identity security to protect their most valuable assets.

// FAQ

What is password spraying?

Password spraying is a type of cyberattack where a threat actor attempts to use a single, commonly used password (like 'Password123') to log into many different user accounts. This method is designed to avoid triggering account lockout policies that happen after multiple failed attempts on a single account.

Why is Microsoft 365 such a common target for these attacks?

Microsoft 365 is targeted because of its widespread adoption by corporations and governments worldwide. It centralizes valuable data, including emails, documents, and user identities, making it a high-value target for nation-state actors seeking to conduct espionage or disrupt operations.

Is having a strong, unique password enough to protect my account from this type of attack?

While a strong password is a good start, it is not sufficient on its own. The most effective defense against password spraying and other credential-based attacks is Multi-Factor Authentication (MFA). MFA requires a second form of verification, such as a code from a mobile app, which an attacker won't have even if they guess your password.

How do attackers hide their location during these campaigns?

Attackers obscure their true geographic location and identity by routing their traffic through a network of proxies, compromised computers, and commercial VPN services. This makes it difficult for security teams to block the attack based on IP addresses and complicates the process of attributing the attack to a specific group or nation.
