Tuesday, April 7, 2026
Latest:

Threatshub.org sponsored-Post

The Register

Iran targets M365 accounts with password-spraying attacks

TH Author

Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes.

Tel Aviv-based Check Point Research on Tuesday said that the attackers used multiple source IP addresses to target numerous Microsoft 365 accounts, affecting more than 300 organizations in Israel and more than 25 in the United Arab Emirates. While most of the password spraying hit these two Middle Eastern countries, the researchers tracked similar activity from the same attacker against a “limited number” of targets in the US, Europe, and Saudi Arabia.

The attacks happened in three waves – March 3, March 13, and March 23 – and Iran-linked groups, including the Islamic Revolutionary Guard Corps’ Peach Sandstorm and Gray Sandstorm, are known to use this method to gain initial access to victims’ Microsoft 365 environments and steal sensitive information.

While Israel’s municipal sector bore the brunt of the password-spraying attacks, other industries, including technology (63 attempts), transportation and logistics (32), healthcare (28), and manufacturing (28), were also targeted.

Municipalities play a major role in responding to missile-related physical damage, and Check Point also noted some correlation between the orgs targeted with password spraying and cities targeted by missile attacks. “This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts,” the researchers wrote.

The first stage in the attack – password spraying – involves blasting hundreds of organizations’ Microsoft accounts with weak passwords. The attackers perform these scans using frequently changed Tor exit nodes with a User-Agent that masquerades as Internet Explorer 10 (IE10): Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0).

Once the attackers find credentials that work, they log in from multiple VPN IP addresses (Windscribe IP range 185.191.204.X or NordVPN IP range 169.150.227.X) geolocated in Israel to evade restrictions based on geography.

They then use the valid credentials to access personal email communications and other sensitive data.

“Analysis of M365 logs suggest similarities to Gray Sandstorm, including the use of red-team tools to conduct these attacks via Tor exit nodes,” the threat hunters wrote, adding that the attacker also used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), infrastructure that has appeared in recent suspected Iran-linked cyber operations in the Middle East.

The password spraying attacks come as another Iran-linked group hacked FBI Director Kash Patel’s personal email account and claimed to have leaked his resume and photos, warning, “This is just our beginning.”

Handala Hack, a crew behind the destructive Stryker cyberattack with ties to Iran’s intelligence agency, posted Patel’s data on their website on Friday. The FBI and friends briefly disrupted the group’s websites a week earlier, but they spun up new domains within days. ®

READ MORE HERE