April 8, 2026

How Iran-Aligned Actors Are Weaponizing Weak Credentials Against Microsoft 365

Dan Schoenbaum, CMO


The most dangerous intrusions are often the quietest. No malware dropped. No ransomware deployed. No dramatic system outage. Just a single, valid username and password — and suddenly, an adversary is inside your organization, reading your email, accessing your cloud data, and feeding intelligence back to operators potentially coordinating missile strikes.

That is not a hypothetical. That is what happened in March 2026.

A Sustained, Escalating Iranian Cyber Offensive

Our threat research team at Hive Pro HiveForce Labs has been tracking a large-scale, Iran-aligned password spray campaign targeting Microsoft 365 environments across the Middle East, with spillover impact reaching organizations in the United States and Europe. The campaign struck in three deliberate waves — March 3, March 13, and March 23, 2026 — hitting over 300 entities in Israel and more than 25 in the UAE. The breadth of targeted sectors is staggering: government, energy, aviation, maritime, healthcare, finance, manufacturing, and more.

This is part of a sustained, escalating Iranian cyber offensive that Hive Pro has been documenting in depth. If you haven’t already, I encourage you to read our earlier research:

The attack I am detailing here is the operational culmination of that escalation. Let me walk you through exactly what happened, how the adversary operated, and — most importantly — how to tell if your organization is at risk.

Low Noise, Maximum Access

Password spraying is deceptively simple. Rather than hammering a single account with thousands of guesses — which triggers lockout policies and alerts — the attacker tests a small number of commonly used passwords (think “Password1!” or “Welcome2026”) across thousands of accounts. The math works in the attacker’s favor: in any sufficiently large organization, someone is using a weak password.

“In any sufficiently large organization, someone is using a weak password. The attacker only needs to be right once.”

This campaign executed that playbook at scale and with operational precision. Here is how the kill chain unfolded:

Phase 1: Reconnaissance Under Cover of Tor

The initial scanning phase used Tor exit nodes to anonymize traffic, rotating source IP addresses continuously to avoid detection. Attackers disguised their User-Agent string to mimic Internet Explorer 10 on Windows 7 — an antiquated browser fingerprint deliberately chosen to blend into legacy traffic patterns that many security tools treat as low-priority noise.

Phase 2: Exploitation via Geographically Disguised VPNs

Once valid credentials were harvested, the operators switched tactics entirely. They abandoned Tor — which would stand out during an authenticated session — and pivoted to commercial VPN services (Windscribe and NordVPN) using IP ranges geolocated within Israel itself. This was a calculated move to defeat conditional access policies that restrict logins to specific geographic regions. Malicious sessions appeared to originate from within trusted, domestic IP space.

Phase 3: Silent Intelligence Collection in Microsoft 365

With authenticated access established, the attackers did not detonate malware or trigger disruptive actions. They did something far more insidious: they simply logged in and read. Email communications, cloud-hosted documents, and potentially broader Microsoft 365 assets were silently accessed. Nothing on the endpoint side fired and no platform anomaly surfaced, because from the platform's perspective a valid account presenting a valid password is a legitimate user; the only record of the activity lives in the identity and audit telemetry.

Intelligence in Support of Kinetic Operations

The targeting pattern reveals something deeply unsettling. Israeli municipalities — specifically those that overlapped with cities struck by Iranian missile attacks in March 2026 — were the primary focus. This correlation suggests the cyber operation was not running in parallel with military operations by coincidence. It was actively supporting them, providing Bombing Damage Assessment (BDA) intelligence and likely feeding real-time situational awareness to Iranian operational planners.

The infrastructure was traced to AS35758 (Rachamim Aviel Twito), a network with prior associations to Iran-aligned operations. Attribution to an Iran-nexus threat actor is assessed with moderate confidence, with behavioral overlap consistent with the Gray Sandstorm cluster.

Tactics, Techniques & Procedures (MITRE ATT&CK Mapping)

The following table maps the observed behaviors to the MITRE ATT&CK framework. Understanding the technique IDs is critical for tuning your detection rules and validating your coverage:

Tactic            | Technique                                  | Sub-technique
Reconnaissance    | T1589: Gather Victim Identity Information  | T1589.001: Credentials
Initial Access    | T1078: Valid Accounts                      | T1078.004: Cloud Accounts
Credential Access | T1110: Brute Force                         | T1110.003: Password Spraying
Defense Evasion   | T1090: Proxy                               | T1090.003: Multi-hop Proxy
Collection        | T1114: Email Collection                    | T1114.002: Remote Email Collection
Command & Control | T1573: Encrypted Channel                   |

A few of these deserve deeper context for defenders:

  • T1110.003 (Password Spraying): The use of low-volume, distributed spraying across a massive account pool is specifically designed to fly under the radar of standard lockout policies. Your detection rules must look for horizontal patterns (many distinct accounts failing with the same wrong-password error inside a short window) rather than only the vertical pattern of one account locking out. Because this campaign rotated source IPs through Tor, do not key the rule on source IP alone; the shared user-agent fingerprint, the timing cluster and the failure error code are the invariants that survive IP rotation.
  • T1090.003 (Multi-hop Proxy): The Tor-to-VPN pivot is an important behavioral tell: a successful sign-in from an address that never appeared in the failed attempts. Organizations that log only the final authentication IP miss the earlier Tor reconnaissance phase entirely, which represents a significant visibility gap.
  • T1078.004 (Cloud Accounts): The abuse of valid cloud credentials means your endpoint detection and response tools will not see this attack. It lives entirely in the identity and access management layer.
  • T1114.002 (Remote Email Collection): Post-access data collection was focused on email, making the Microsoft 365 Unified Audit Log (in particular Exchange mailbox audit events such as MailItemsAccessed, which record what a session read) and anomalous OAuth token activity your primary detection surface.

Are You Vulnerable? How to Tell

The honest answer is that most organizations are at some degree of risk from this attack class. Password spraying against Microsoft 365 exploits a combination of human behavior (weak passwords), configuration gaps (missing MFA), and visibility blind spots (limited logging). Here is a practical checklist to assess your exposure:

1. Is MFA enforced tenant-wide?

This is the single highest-impact control. A sprayed password on its own is useless against an account that must also complete MFA, and phishing-resistant methods (FIDO2 security keys, passkeys, certificate-based authentication) also close the follow-on risk of the attacker phishing the second factor. If any user account, especially a privileged role, can authenticate with only a password, you have an exploitable gap. Check: in the Microsoft Entra admin center, confirm a Conditional Access policy that requires MFA (or an authentication strength) for all users and all cloud apps, with no exclusions beyond documented break-glass accounts; authentication strengths are managed under Protection > Conditional Access > Authentication strengths.

2. Are you monitoring for password spray patterns in sign-in logs?

Password spray has a distinctive signature: many authentication failures with the same error (AADSTS50126, invalid username or password) distributed across many distinct user accounts from the same source within a short time window. This is the inverse of a single-account lockout. Review the Microsoft Entra ID sign-in logs (the SigninLogs table once streamed to Log Analytics or Microsoft Sentinel, or the equivalent export in your SIEM) with a detection rule specifically targeting this horizontal pattern, and pivot on user agent and time window as well as source IP, since the campaign rotated Tor exit addresses continuously.
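As an added example (not Hive Pro's code and not part of the original advisory), here is that horizontal detection written in Python over records shaped like the Microsoft Entra ID sign-in log export. The sample records, the IP addresses (RFC 5737 documentation ranges), the user principal names, the thresholds and the exact user-agent string are constructed for the demonstration; the only real identifier is the AADSTS50126 error code. The function groups bad-password failures by a chosen pivot (source IP or user agent) and reports any pivot value that fails against at least min_accounts distinct users inside a sliding window, which is what lets it catch the spray even when each rotating Tor exit touches only a handful of accounts.

```python
"""Added example: horizontal password-spray detection over Entra ID sign-in
records. Not Hive Pro code; records and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# AADSTS50126 = "Invalid username or password", the error a sprayed guess
# produces. Add other bad-credential codes here if your tenant emits them.
BAD_PASSWORD_CODES = {50126}

# Constructed user agent matching the advisory's description of the campaign
# fingerprint (IE10 on Windows 7); the exact string is an assumption.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
# Constructed rotating exit IPs from RFC 5737 documentation ranges.
SPRAY_IPS = ["198.51.100.70", "198.51.100.71", "203.0.113.99"]
T0 = datetime(2026, 3, 3, 2, 0, tzinfo=timezone.utc)


def constructed_signin_logs():
    """12 accounts sprayed once each over four minutes, the source IP rotating
    every attempt but the user agent constant, plus one benign user mistyping
    twice from a fixed office IP (a vertical pattern, not a spray)."""
    logs = []
    for i in range(12):
        logs.append({
            "createdDateTime": (T0 + timedelta(seconds=20 * i)).isoformat(),
            "userPrincipalName": f"user{i:02d}@example.com",
            "ipAddress": SPRAY_IPS[i % len(SPRAY_IPS)],
            "userAgent": IE10_UA,
            "status": {"errorCode": 50126},
        })
    for k in range(2):
        logs.append({
            "createdDateTime": (T0 + timedelta(minutes=1, seconds=k)).isoformat(),
            "userPrincipalName": "bob@example.com",
            "ipAddress": "192.0.2.10",
            "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0",
            "status": {"errorCode": 50126},
        })
    return logs


def detect_spray(logs, pivot="ipAddress", window=timedelta(minutes=10), min_accounts=5):
    """Return one finding per `pivot` value (ipAddress or userAgent) whose
    bad-password failures hit at least `min_accounts` distinct accounts inside
    some `window`-long sliding window. Distinct accounts, not attempt count,
    is the spray signal: the attacker tries each account only once or twice."""
    failures = defaultdict(list)
    for rec in logs:
        if rec.get("status", {}).get("errorCode") not in BAD_PASSWORD_CODES:
            continue
        ts = datetime.fromisoformat(rec["createdDateTime"])
        failures[rec[pivot]].append((ts, rec["userPrincipalName"].lower()))

    findings = []
    for value, events in failures.items():
        events.sort()
        best = None
        for start in range(len(events)):
            t_start = events[start][0]
            users = set()
            for ts, upn in events[start:]:
                if ts - t_start > window:
                    break
                users.add(upn)
            if len(users) >= min_accounts and (best is None or len(users) > best["distinct_accounts"]):
                best = {"pivot": pivot, "value": value, "distinct_accounts": len(users),
                        "window_start": t_start.isoformat()}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    logs = constructed_signin_logs()
    # Keyed on IP, each rotating exit touched only four accounts: nothing fires.
    print("by ipAddress:", detect_spray(logs, pivot="ipAddress"))
    # Keyed on the shared user agent, all 12 sprayed accounts cluster together.
    print("by userAgent:", detect_spray(logs, pivot="userAgent"))
```

Run it as-is and the IP-keyed pass returns nothing while the user-agent-keyed pass reports the twelve-account cluster; that gap is exactly the blind spot a rule keyed on source IP alone has against Tor rotation. In production, run the same logic per user agent, per ASN and per IP, and tune min_accounts to your tenant size.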

3. Do your conditional access policies block Tor and anonymization networks?

Microsoft Entra ID (formerly Azure AD) supports IP-based conditional access through named locations, and Entra ID Protection raises an "Anonymous IP address" risk detection for sign-ins from Tor and similar anonymizers. Maintaining and enforcing a block list for known Tor exit nodes and high-risk anonymization networks, or blocking medium-and-above sign-in risk with a risk-based Conditional Access policy (which requires an Entra ID P2 license), significantly raises the cost of the reconnaissance phase of this attack. Note that a static Tor list only covers the unauthenticated spray phase; the authenticated sessions in this campaign came from commercial VPN exits that no Tor list will contain.

4. Is geo-fencing configured for Microsoft 365 authentication?

The attackers bypassed Israeli conditional access policies by using VPN exit nodes geolocated within Israel. If your geo-fencing policy is overly broad — for example, allowing any IP that appears to be domestic — you may be susceptible to the same bypass. Consider named location policies tied to known corporate IP ranges in addition to geo-based controls.
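The named-location point above and the Tor-to-VPN pivot described in the ATT&CK notes can be checked together. The following is an added example in Python, not Hive Pro's code and not from the original advisory; the corporate ranges, the IP-to-country/organization table and the sign-in records are constructed (RFC 5737 addresses) and stand in for the location fields Entra attaches to each sign-in. It contrasts a country-only geofence with a named-location check on an in-country VPN exit, then flags any account whose bad-password failures are followed by a success from a fresh, non-corporate address, which is how the authenticated phase of this campaign looks in the sign-in log.

```python
"""Added example: named-location check versus country geofence, plus
spray-then-success correlation. Not Hive Pro code; all data is constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed trusted named locations: corporate egress ranges only.
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/26")]
HOME_COUNTRY = "IL"

# Constructed stand-in for the location/ASN data on each sign-in record.
IP_INTEL = {
    "192.0.2.10":    {"country": "IL", "org": "example-corp"},
    "203.0.113.99":  {"country": "IL", "org": "commercial-vpn"},  # VPN exit that geolocates in-country
    "198.51.100.70": {"country": "DE", "org": "tor-exit"},
    "198.51.100.71": {"country": "NL", "org": "tor-exit"},
}
BAD_PASSWORD = 50126   # AADSTS50126: invalid username or password
SUCCESS = 0
T0 = datetime(2026, 3, 3, 2, 0, tzinfo=timezone.utc)


def country_geofence_allows(ip):
    """What an 'allow only my country' policy sees: the VPN exit passes."""
    return IP_INTEL.get(ip, {}).get("country") == HOME_COUNTRY


def named_location_allows(ip):
    """What a named-location policy tied to corporate CIDRs sees: it does not."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def constructed_logs():
    def rec(minutes, upn, ip, code):
        return {"createdDateTime": (T0 + timedelta(minutes=minutes)).isoformat(),
                "userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}
    return [
        rec(0,   "user03@example.com", "198.51.100.70", BAD_PASSWORD),  # spray via Tor exit
        rec(1,   "user03@example.com", "198.51.100.71", BAD_PASSWORD),  # next Tor exit
        rec(0,   "bob@example.com",    "192.0.2.10",    BAD_PASSWORD),  # bob mistypes at the office
        rec(2,   "bob@example.com",    "192.0.2.10",    SUCCESS),       # then signs in, same corporate IP
        rec(190, "user03@example.com", "203.0.113.99",  SUCCESS),       # hit replayed from in-country VPN
    ]


def find_spray_then_success(logs, window=timedelta(hours=24)):
    """Flag users whose bad-password failures are followed within `window` by a
    success from an address that (a) never appeared among the failures and
    (b) is not a trusted corporate range: the Tor-to-VPN pivot."""
    by_user = defaultdict(list)
    for r in logs:
        by_user[r["userPrincipalName"].lower()].append(
            (datetime.fromisoformat(r["createdDateTime"]), r["ipAddress"], r["status"]["errorCode"]))
    findings = []
    for upn, events in by_user.items():
        events.sort()
        fail_ips, first_fail = set(), None
        for ts, ip, code in events:
            if code == BAD_PASSWORD:
                fail_ips.add(ip)
                if first_fail is None:
                    first_fail = ts
            elif (code == SUCCESS and fail_ips and ts - first_fail <= window
                  and ip not in fail_ips and not named_location_allows(ip)):
                findings.append({"user": upn, "failure_ips": sorted(fail_ips), "success_ip": ip,
                                 "geofence_would_allow": country_geofence_allows(ip)})
    return findings


if __name__ == "__main__":
    vpn = "203.0.113.99"
    print("geofence allows VPN exit:", country_geofence_allows(vpn))      # True: the bypass
    print("named location allows VPN exit:", named_location_allows(vpn))  # False
    for f in find_spray_then_success(constructed_logs()):
        print(f)
```

Bob is not flagged because his success came from the same corporate address as his typos; user03 is, because the success arrived from an address absent from every failure and outside the named locations, even though a country-only geofence would have waved it through.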

5. Do you have legacy authentication protocols disabled?

Legacy authentication (Basic Authentication over IMAP, POP3, SMTP AUTH, Exchange ActiveSync and older Office clients) presents only a username and password and cannot complete MFA, which makes it a favorite spray target. If any of these paths are still enabled in your tenant, they are an authentication route around your MFA requirement unless you explicitly block them. Block them with a Conditional Access policy that targets the legacy client app types ("Exchange ActiveSync clients" and "Other clients"), and check the Client App field in the sign-in logs for remaining legacy traffic before you enforce it.

6. Are these IOCs present in your environment?

Block and monitor for the following known-malicious IP addresses observed in this campaign:

Type | Indicator
IPv4 | 185.191.204.202
IPv4 | 185.191.204.203
IPv4 | 169.150.227.3
IPv4 | 169.150.227.143
IPv4 | 169.150.227.146

Important Note

IOC-based detection is a trailing indicator. These IPs should be blocked and alerted on, but should not be treated as the primary detection mechanism — adversaries rotate infrastructure regularly. Focus on behavioral detection for durable coverage.

What You Should Do Right Now

Beyond the diagnostic questions above, here are six prioritized actions your security team should take immediately:

  • Enforce tenant-wide MFA across all user accounts, with phishing-resistant methods for privileged roles
  • Enable and retain Microsoft 365 Unified Audit Logging (minimum 90 days; 1 year for high-risk roles)
  • Block Tor exit nodes and anonymization networks via Conditional Access
  • Conduct a password audit. Microsoft Entra Password Protection blocks weak and banned passwords at the moment they are set, so it closes the gap for future changes but does not find existing weak passwords on its own; pair it with the leaked-credentials user risk detection in Entra ID Protection, force a reset for any account it flags, and for hybrid tenants audit on-premises AD password hashes against a breached-password corpus
  • Add the IOCs above to your SIEM, firewall block lists, and endpoint protection tools immediately
  • Review sign-in logs going back to March 3, 2026 for authentication attempts matching the spray pattern from the source IP ranges above

Cyber and Kinetic Operations Are Now Deeply Intertwined

What we are observing in the Middle East is a template for what nation-state actors will continue to bring to bear globally. Cyber and kinetic operations are now deeply intertwined. Iran’s operators are not just conducting espionage — they are supporting real-world military objectives with real-time digital intelligence.

The attack vector they are exploiting — password spraying against Microsoft 365 — is neither novel nor technically sophisticated. But it is devastatingly effective against organizations that have not closed the fundamentals: strong passwords, universal MFA, visibility into identity telemetry, and anomaly detection in the access layer.

“The attack vector is not sophisticated. But it is devastatingly effective against organizations that haven’t closed the fundamentals.”

If the events of March 2026 tell us anything, it is that threat actors are watching what works and what doesn’t — and they will keep spraying until someone makes the cost high enough to stop. The good news: the controls that defeat this attack are well understood and largely within reach for any organization willing to prioritize them.

The question is whether you close the gaps before the next wave hits — March 3, March 13, March 23 were their schedule. What’s yours?
