Iran targets M365 accounts with password-spraying attacks

Tue 31 Mar 2026 // 19:09 UTC

Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes.

Tel Aviv-based Check Point Research on Tuesday said that the attackers used multiple source IP addresses to target numerous Microsoft 365 accounts, affecting more than 300 organizations in Israel and more than 25 in the United Arab Emirates. While most of the password spraying hit these two Middle Eastern countries, the researchers tracked similar activity from the same attacker against a "limited number" of targets in the US, Europe, and Saudi Arabia.

The attacks happened in three waves - March 3, March 13, and March 23 - and Iran-linked groups, including the Islamic Revolutionary Guard Corps' Peach Sandstorm and Gray Sandstorm, are known to use this method to gain initial access to victims' Microsoft 365 environments and steal sensitive information.

While Israel's municipal sector bore the brunt of the password-spraying attacks, other industries, including technology (63 attempts), transportation and logistics (32), healthcare (28), and manufacturing (28), were also targeted.
...
https://www.theregister.com/2026/03/31/iran_password_spraying_m365/?utm_source=dlvr.it&utm_medium=bluesky