More than 300 Israeli organizations. That’s the tally from Check Point on this Iran-linked password-spraying spree against Microsoft 365.
Targets? Government offices, tech firms, energy outfits. All in the crosshairs amid the endless Middle East mess.
And here’s the kicker—it’s not a one-off. Three waves: March 3, 13, and 23, 2026. Persistent little devils.
Why Password Spraying? Because Brute Force is for Amateurs
Password spraying. You know, one common password, like ‘Password123’, tried once against hundreds of accounts. Each account sees a single failure, so nothing crosses a lockout threshold and nothing trips the usual “N failures on one account” alert. Sneaky. Beats slamming doors and tripping alarms.
Iranian crews love it. Peach Sandstorm, Gray Sandstorm—they’ve pulled this before. Tor exit nodes hide their tracks. Commercial VPNs from some shady AS35758 add cover.
Check Point nailed it:
“The campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.”
Spot on. But let’s call it what it is: digital guerrilla warfare. Low-tech entry for high-stakes chaos.
They scan aggressively. Spray logins. Snag mailboxes if they hit paydirt. Rinse, repeat from a fresh Tor exit.
Organizations in the U.A.E. (25+), plus sprinkles in Europe, U.S., UK, Saudi. No one’s safe when geopolitics turns keyboards into weapons.
Look.
This isn’t sophisticated zero-days. It’s opportunistic crap. But effective against lazy password habits.
My unique take? Iran’s cyber playbook grew up in Stuxnet’s shadow, and the program has flipped from destruction to disruption. Back then the answer was wipers. Now? Password spraying. Evolution, or just budget cuts?
How Do These Iranian Ops Actually Work?
Phase one: Scan like maniacs from Tor. Phase two: Login attempts. Phase three: Exfil data. Mailbox dumps, anyone?
Similarities to Gray Sandstorm scream loud. Red-team tools. Tor. That VPN provider? Rachamim Aviel Twito’s outfit—tied to Iran nexus before.
But Microsoft’s cloud? Vast. Juicy. Governments dump everything there. No wonder it’s prime real estate for spies.
Defenses? Monitor sign-in logs for the spray shape: one source IP, many accounts, one or two failures each. Geo-fence access with conditional access. MFA everywhere. Audit logs on. Duh.
Yet here’s the dry humor: If you’re still single-factor in 2026, you’re basically handing out keys at the border.
And it spills over. U.A.E. feels the heat too. Regional grudge match, cyber-style.
Slow down.
This ties into broader Iranian revival. Pay2Key ransomware back in action. Hit a U.S. healthcare org in February 2026.
Upgraded variant. Better evasion. TeamViewer for initial access (clever: a legitimate remote-access tool walks past allow-lists). Disables Defender by posing as a third-party AV, so Defender steps aside as designed. Encrypts, drops notes, wipes logs, and does the wiping at the end, no less.
“By clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware’s own activity is wiped, not just whatever preceded it,” Halcyon said.
Smart twist. Covers tracks post-ransack.
Pay2Key—tied to Fox Kitten, UNC757. RaaS model. Now 80% cut for affiliates hitting Iran’s foes. Linux version too. ChaCha20 encryption. Kills SELinux. Nasty.
Sicarii’s Uke pushes BQTlock for pro-Iran ops. Pro-Palestinian angle. UAE, U.S., Israel in sights since 2025.
Iran’s MO: Cyber retaliation. Ransomware blurs crime and statecraft. Sabotage with a payday.
Is This the New Normal for Middle East Cyberwars?
Bold prediction: Expect more. Conflict drags on, hacks escalate. Password sprays today, wipers tomorrow.
Corporate spin? Microsoft’s quiet—probably scrambling. Check Point’s report is gold, but where’s the vendor mea culpa?
History parallel: Remember Shamoon? Saudi Aramco wipeout, 2012. Iran style. Now it’s stealthier, cloud-focused.
Organizations, wake up. That MFA nag? Ignore it, and you’re Iranian hacker bait.
U.A.E. and Israel hardening? Good. But sprawl in M365 invites trouble. Geo-blocks. Zero-trust. Now.
And the humor? Hackers using TeamViewer like it’s a VPN. Lazy geniuses.
But seriously, over 300 hits. That’s not probing. That’s targeting.
Pay2Key skipping exfil this time? Maybe testing waters. Or pivot to pure disruption.
Iran’s ecosystem thrives: Sandstorms, Kittens, now RaaS gangs with patriotic discounts. State wink-nod funding?
Defending Against Iranian Password Sprays
Step one: Logs. Watch for the spray shape (one IP, many accounts, few failures each), Tor exit IPs, and the VPN ASN named above.
Conditional access. Block sketchy geos.
MFA. Non-negotiable.
Audit everything. Hunt post-breach.
Tools? Entra ID Protection alerts (password spray is one of its built-in risk detections). SIEM correlation on top.
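The spray mechanics described earlier and the log-watching step above, in one script. This is an added example, not code from the Check Point report or from this article. It builds a constructed sign-in log in the shape of Entra ID records (a spray wave from one IP against 40 accounts, a brute-force burst against one account, and a user fat-fingering a password) and flags only the spray shape. The thresholds, the sample addresses, and the ASN scoring are assumptions; error code 50126 is Microsoft’s documented “invalid username or password” sign-in error.

```python
"""Password-spray detection over Entra ID style sign-in records.

All records here are constructed for the demo; nothing comes from a real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error for "invalid username or password" (AADSTS50126).
BAD_PASSWORD = 50126

# Detection thresholds: assumptions for this demo, not values from the article.
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_USERS = 10      # one IP failing against at least this many accounts...
MAX_ATTEMPTS_PER_USER = 3    # ...while each account stays under a typical lockout

# ASN the article names as cover infrastructure; used here only to score alerts.
SUSPECT_ASNS = {35758}


def make_sample_log():
    """Constructed sign-in failures: one spray wave, one brute-force burst, noise."""
    base = datetime(2026, 3, 13, 2, 0, 0)
    records = []
    # Spray: one source IP, exactly one attempt against each of 40 distinct users.
    for i in range(40):
        records.append({
            "time": base + timedelta(seconds=15 * i),
            "user": f"user{i:02d}@example.gov.il",   # hypothetical tenant
            "ip": "203.0.113.7",                     # TEST-NET-3, constructed
            "asn": 35758,
            "error": BAD_PASSWORD,
        })
    # Brute force: one source IP hammering a single account 40 times.
    for i in range(40):
        records.append({
            "time": base + timedelta(seconds=15 * i),
            "user": "admin@example.gov.il",
            "ip": "198.51.100.9",                    # TEST-NET-2, constructed
            "asn": 64496,                            # documentation ASN
            "error": BAD_PASSWORD,
        })
    # Benign noise: a real user mistypes their password twice from one IP.
    for offset in (0, 40):
        records.append({
            "time": base + timedelta(seconds=offset),
            "user": "user00@example.gov.il",
            "ip": "192.0.2.1",                       # TEST-NET-1, constructed
            "asn": 64497,
            "error": BAD_PASSWORD,
        })
    return records


def detect_sprays(records, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                  max_per_user=MAX_ATTEMPTS_PER_USER):
    """Return one alert per source IP whose failures match the spray shape.

    Spray signature: within `window`, one IP fails against many distinct users,
    but no single user sees more than a handful of attempts. A brute force
    against one account has the opposite shape (many attempts, one user) and is
    deliberately not matched; lockout alerting already covers that case.
    """
    failures = sorted((r for r in records if r["error"] == BAD_PASSWORD),
                      key=lambda r: r["time"])
    by_ip = defaultdict(list)
    for r in failures:
        by_ip[r["ip"]].append(r)

    alerts = []
    for ip, rows in by_ip.items():
        # Sliding window over this IP's failures: count attempts per user
        # inside `window` starting at each failure until the shape matches.
        for start in range(len(rows)):
            t0 = rows[start]["time"]
            per_user = defaultdict(int)
            for r in rows[start:]:
                if r["time"] - t0 > window:
                    break
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({
                    "ip": ip,
                    "asn": rows[start]["asn"],
                    "distinct_users": len(per_user),
                    "first_seen": t0.isoformat(),
                    "suspect_asn": rows[start]["asn"] in SUSPECT_ASNS,
                })
                break  # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_sprays(make_sample_log()):
        print(alert)
```

The brute-force IP produces no spray alert on purpose: it trips the lockout threshold and should be caught by the per-account rule you already have. In a real SIEM, feed this the `signInLogs` failures grouped by `ipAddress`, and enrich the ASN field from your threat intel feed rather than a hard-coded set.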
Don’t be the low-hanging fruit. Because Iran-linked actors? They’re orchard-picking.
And ransomware side? Lock down remote-access tools like TeamViewer: allow-list them, put MFA on them, alert on new installs. AV alone won’t save you when the malware’s first move is to switch it off.
This campaign reeks of escalation. Three waves in weeks. Tied to tensions.
Skeptical eye: Check Point’s assessment solid, but actor attribution? ‘Suspected.’ Fog of cyberwar.
Still, patterns match. Ignore at peril.
Frequently Asked Questions
What is a password-spraying attack?
It’s trying one weak password across many accounts, one attempt each, so no account hits its lockout threshold. Perfect for scale.
How to stop Iranian hackers targeting Microsoft 365?
Enforce MFA, geo-restrict logins, monitor logs religiously. No exceptions.
Is Pay2Key ransomware linked to Iran government?
Yes, ties to state-backed groups like Fox Kitten. Now RaaS with geopolitical targeting.