Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

Summary

An Iran-nexus threat actor conducted a three-wave password-spraying campaign targeting Microsoft 365 environments across Israel (300+ orgs), the U.A.E. (25+), and limited targets in Europe, US, UK, and Saudi Arabia in March 2026. The attacks, attributed to groups like Gray Sandstorm, exploited Tor exit nodes and commercial VPN infrastructure to bypass rate-limiting and harvest credentials. The disclosure coincides with Pay2Key ransomware gang (Iran-linked) resurfacing with upgraded variants targeting U.S. healthcare, signaling increased Iranian cyber operations amid geopolitical tensions.

Full text

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations Ravie LakshmananApr 06, 2026Cloud Security / Ransomware An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.," the Israeli cybersecurity company said. "Activity associated with the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia." The campaign is assessed to have targeted the cloud environments of government entities, municipalities, technology, transportation, energy sector organizations, and private-sector companies in the region. Password spraying is a form of brute-force attack where a threat actor attempts to use a single common password against multiple usernames on the same application. It's also considered a more effective way to discover weak credentials at scale without triggering rate-limiting defenses. Check Point said the technique is known to be adopted by Iranian hacking groups like Peach Sandstorm and Gray Sandstorm (formerly DEV-0343) in the past to infiltrate target networks. The campaign essentially unfolds over three phases: aggressive scanning or password-spraying conducted from Tor exit nodes, followed by conducting the login process, and exfiltrating sensitive data, such as mailbox content. "Analysis of M365 logs suggests similarities to Gray Sandstorm, including the use of red-team tools to conduct these attacks via Tor exit nodes," Check Point said. "The threat actor used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), which aligns with recent activity tied to Iran-nexus operations in the Middle East." To counter the threat, organizations are advised to monitor sign-in logs for signs of password spraying, apply conditional access controls to limit authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logs for post-compromise investigation. Iran Revives Pay2Key Operations The disclosure comes as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with ties to the country's government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020. The variant deployed in the attack is an upgrade from prior campaigns observed in July 2025, using improved evasion, execution, and anti-forensics techniques to achieve its goals. According to Beazley Security and Halcyon, no data was exfiltrated during the attack, a shift from the group's double extortion playbook. The attack is said to have leveraged an undetermined access route to breach the organization, using a legitimate remote access tool like TeamViewer to establish a foothold, then harvest credentials for lateral movement, disarm Microsoft Defender Antivirus by falsely signaling that a third-party antivirus product is active, inhibit recovery, deploy ransomware, drop a ransom note, and clear logs to cover up the tracks. "By clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware's own activity is wiped, not just whatever preceded it," Halcyon said. Among the key changes the group enacted following its return last year was offering affiliates an 80% cut of ransom proceeds, up from 70%, for participating in attacks targeting Iran's enemies. A month later, a Linux variant of the Pay2Key ransomware was detected in the wild. "The sample is configuration-driven, requires root-level privileges to execute, and is engineered to traverse broad file system scope, classify mounts, and encrypt data using ChaCha20 in full or partial modes," Morphisec researcher Ilia Kulmin said in a report published last month. "Before encryption, it weakens defenses and removes friction by stopping services, killing processes, disabling SELinux and AppArmor, and installing a reboot-time cron entry. This lets the encryptor run faster and survive restarts." In March 2026, Halcyon also revealed that the administrator of Sicarii ransomware, Uke, urged pro-Iranian operators to use Baqiyat 313 Locker (aka BQTlock) due to the influx of affiliate requests. BQTLock, which operates with pro-Palestinian motives, has targeted the U.A.E., the U.S., and Israel since July 2025. "Iran has a long track record of using cyber operations to retaliate against perceived political slights," the cybersecurity company said. "Ransomware is increasingly incorporated into these operations, with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, cybersecurity, data exfiltration, healthcare, Iran, Malware, Microsoft 365, Password Spraying, ransomware Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — Pay2Key
• malware — BQTlock (Baqiyat 313 Locker)
• malware — BPFDoor

Entities