An Iran-linked threat actor conducted a large-scale password spray campaign targeting Microsoft 365 cloud environments across the Middle East, executing three coordinated attack waves on March 3, March 13, and March 23, 2026. This sophisticated credential-based intrusion campaign primarily targeted Israeli municipalities and organizations in the United Arab Emirates, impacting over 300 entities in Israel and more than 25 organizations in the UAE, representing one of the most significant password spray operations observed against cloud infrastructure in the region.
The password spray campaign leveraged a calculated methodology that tested a small number of commonly used passwords against extensive lists of user accounts across hundreds of target organizations. This approach deliberately avoids the detection signatures associated with traditional brute-force attacks, which typically generate high volumes of failed authentication attempts against individual accounts. Password spraying distributes authentication attempts across many accounts with few password attempts per account, staying below lockout thresholds and detection rules configured for single-account brute-force patterns.
The threat actor demonstrated sophisticated operational security tradecraft throughout the campaign. Initial reconnaissance and credential validation phases utilized Tor exit nodes to obfuscate the true origin of scanning activities, with traffic disguised using User-Agent strings mimicking Internet Explorer 10 on Windows 7 to blend into legitimate authentication traffic patterns. Once valid credentials were successfully identified through the password spray methodology, the attackers transitioned their infrastructure from anonymization networks to commercial VPN services including Windscribe and NordVPN, specifically leveraging IP address ranges geolocated within Israel to bypass geo-restriction policies and conditional access controls.
Post-authentication activity focused on intelligence collection rather than disruptive operations or malware deployment. The compromised Microsoft 365 accounts provided the threat actor with access to sensitive email communications, cloud-hosted documents, and potentially broader organizational data stored within Microsoft 365 environments. This low-noise, high-impact approach enabled sustained access to intelligence targets without triggering security alerts associated with malware deployment, lateral movement, or other overtly malicious activities commonly detected by endpoint security solutions.
Israeli municipalities emerged as the primary targeting focus, with notable correlation between cities targeted in this password spray campaign and locations impacted by Iranian missile strikes in March 2026. This geographic overlap suggests the cyber intrusion campaign may have been strategically coordinated with kinetic military operations, potentially supporting intelligence requirements for Bombing Damage Assessment operations, tactical planning, or strategic intelligence collection during the ongoing regional conflict between Iran and Israel.
The attack infrastructure supporting this campaign traced back to AS35758, operated by Rachamim Aviel Twito, a network entity previously associated with Iran-aligned cyber operations across the Middle East region. The tactical tradecraft observed in this campaign, including the use of Tor for initial access combined with VPN-based geolocation spoofing for persistence, closely mirrors operational patterns associated with Iran-nexus threat actors including Gray Sandstorm and similar groups operating in support of Iranian intelligence and military objectives.
The attack campaign employed password spraying as its primary credential compromise methodology, representing a calculated approach that prioritizes operational security over speed. Unlike traditional brute-force attacks that attempt numerous passwords against individual accounts and quickly trigger account lockout mechanisms, password spray attacks test a small number of commonly used passwords across extensive lists of potential user accounts. This distributed approach keeps failed authentication attempts below detection thresholds configured for individual accounts while maximizing the probability of successful credential compromise across the broader target population.
The campaign’s success hinged on a fundamental assumption validated through years of credential breach analysis: within any sufficiently large organization, a percentage of users will employ weak, commonly used passwords including seasonal passwords, simple keyboard patterns, organizational name-based passwords, and previously compromised credentials reused across multiple services. By targeting hundreds of organizations simultaneously with a curated list of high-probability passwords, the threat actor ensured that even modest success rates would yield substantial numbers of compromised accounts suitable for intelligence collection operations.
The attackers demonstrated patience and discipline in their methodology, executing the campaign in three discrete waves spaced approximately ten days apart on March 3, March 13, and March 23, 2026. This pulsed approach provided operational advantages including allowing time for compromised credentials to be exploited before detection, reducing the risk of pattern-based detection through sustained activity, enabling assessment of defensive responses and adjustment of tactics between waves, and maintaining operational security by limiting exposure windows for infrastructure and methodologies.
The initial reconnaissance and credential validation phases leveraged Tor exit nodes extensively to obfuscate the true geographic origin and operational infrastructure supporting the campaign. Tor (The Onion Router) provides multi-layer encryption and routing through volunteer-operated relay nodes, making attribution and source identification extremely challenging for defenders. The threat actor rotated through constantly shifting Tor exit nodes, ensuring that authentication attempts appeared to originate from diverse, geographically distributed IP addresses rather than concentrated infrastructure that would raise immediate suspicion.
To further enhance operational security and blend into legitimate traffic patterns, the attackers configured their authentication clients with User-Agent strings mimicking Internet Explorer 10 on Windows 7, an older but still occasionally legitimate browser and operating system combination that would not immediately trigger security alerts. This User-Agent spoofing technique aimed to make malicious authentication attempts indistinguishable from legitimate legacy system access, exploiting the reality that many organizations maintain support for older browser versions to accommodate users on outdated systems.
The infrastructure supporting this reconnaissance phase demonstrated clear links to previous Iran-aligned operations. Network traffic analysis traced authentication attempts back to AS35758, an autonomous system operated by Rachamim Aviel Twito, which has been previously identified in intelligence reporting as supporting Iran-nexus cyber operations across the Middle East. This infrastructure overlap provides moderate-confidence attribution linking the current password spray campaign to Iranian state interests and aligned threat actors.
Once valid credentials were successfully identified through the password spray methodology, the campaign underwent a deliberate infrastructure transition that prioritized operational effectiveness over anonymization. The threat actor abandoned Tor exit nodes in favor of commercial VPN services, specifically Windscribe and NordVPN, selecting VPN servers with IP addresses geolocated within Israel. This geographic positioning was tactically calculated to bypass multiple layers of defensive controls implemented by target organizations.
Many organizations implement geo-fencing controls through conditional access policies that restrict authentication to expected geographic regions based on IP geolocation. For Israeli organizations, authentication attempts originating from Israeli IP addresses appear legitimate and expected, while authentication from Iranian, foreign, or anomalous geographic locations would trigger alerts or outright blocks. By routing authenticated sessions through Israeli-geolocated VPN infrastructure, the attackers ensured their activity appeared consistent with legitimate remote access from within expected geographic boundaries.
This infrastructure transition also provided practical operational benefits beyond security control bypass. Commercial VPN services offer more stable, higher-bandwidth connections compared to Tor exit nodes, enabling efficient data exfiltration of email content, document downloads, and sustained access to cloud-hosted assets. The shift from anonymization-focused infrastructure during reconnaissance to performance-optimized infrastructure during exploitation reflects sophisticated operational planning and understanding of enterprise security architectures.
Following successful authentication with compromised credentials, the threat actor focused exclusively on intelligence collection activities rather than deploying malware, establishing persistence through backdoors, or conducting disruptive operations. This approach reflects evolving tradecraft in state-sponsored cyber operations where access to legitimate cloud environments provides sufficient intelligence value without requiring risky malware deployment that could trigger endpoint detection and response systems.
The primary collection targets were email communications stored within Microsoft 365 Exchange Online, providing access to organizational communications, strategic planning discussions, operational coordination, and potentially classified or sensitive information depending on the target organization’s security classification handling procedures. For government and municipal targets, email access could reveal information about emergency response planning, infrastructure status, civil defense preparations, and coordination with national security entities.
Beyond email, compromised Microsoft 365 accounts potentially provided access to SharePoint document libraries, OneDrive file storage, Teams chat communications, OneNote notebooks, and other cloud-hosted collaboration platforms integrated within the Microsoft 365 ecosystem. This comprehensive access to organizational knowledge repositories enabled extensive intelligence collection with minimal risk of detection compared to traditional endpoint compromise and malware deployment methodologies.
Israeli municipalities represented the primary targeting focus of this password spray campaign, with over 300 Israeli entities impacted across the three attack waves. The geographic distribution of targeted municipalities revealed significant correlation with locations that had been impacted by Iranian missile strikes during March 2026, suggesting potential strategic coordination between cyber intelligence operations and kinetic military actions.
This correlation between cyber targeting and kinetic targeting suggests several potential operational objectives. The password spray campaign may have supported Bombing Damage Assessment operations by providing access to municipal communications regarding infrastructure damage, casualty reports, emergency response activities, and recovery timelines. Intelligence collection from municipal systems could also inform subsequent targeting decisions by revealing critical infrastructure dependencies, emergency response capabilities, civil defense preparations, and population movement patterns.
The campaign also targeted more than 25 organizations in the United Arab Emirates, reflecting broader Iranian intelligence collection priorities across the Gulf region. UAE targets spanned government entities, critical infrastructure sectors, and commercial organizations, consistent with Iranian strategic intelligence requirements related to regional diplomatic activities, economic relationships, and security cooperation between Gulf states and Israel.
The password spray campaign has been attributed with moderate confidence to an Iran-nexus threat actor based on multiple converging indicators. The tactical tradecraft observed in the campaign, particularly the combination of Tor-based reconnaissance transitioning to VPN-based geographic spoofing for authenticated access, closely mirrors operational patterns documented in previous Iran-aligned cyber operations. This specific technique combination has been observed in campaigns attributed to Gray Sandstorm and related Iran-nexus groups operating in support of Iranian intelligence collection priorities.
The infrastructure analysis provides additional attribution support, with authentication attempts traced to AS35758, a network previously associated with Iran-aligned cyber operations across the Middle East. The strategic targeting focus on Israeli municipalities and UAE organizations aligns with known Iranian intelligence collection priorities, particularly during periods of heightened regional conflict. The apparent coordination between this cyber campaign and concurrent Iranian missile strikes against Israel suggests state-level operational planning and integration of cyber capabilities with conventional military operations.
Security operations teams must establish continuous monitoring of Microsoft 365 sign-in logs specifically configured to detect password spray attack patterns. The characteristic signature of password spray activity includes multiple authentication failures distributed across numerous distinct user accounts originating from the same source IP address or IP address range within compressed timeframes. Organizations should configure Security Information and Event Management systems or Microsoft Sentinel analytics rules to generate high-priority alerts when authentication logs reveal patterns such as ten or more distinct user accounts experiencing failed authentication attempts from a single IP address within a one-hour window, or authentication attempts against unusual volumes of accounts that rarely or never authenticate, suggesting attacker enumeration of organizational email addresses.
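The two alert patterns described above, implemented over sign-in records as an added example (this is not code from the original report, and the records are constructed, not real telemetry). Field names loosely follow Entra ID SigninLogs; ResultType 50126 is the Entra code for an invalid username or password and 0 is success. The first detector counts distinct accounts failing from one source IP inside a sliding one-hour window; the second flags a source whose failures mostly hit accounts with no history of successful sign-in; the last function tags the Internet Explorer 10 on Windows 7 User-Agent the report describes so it can be attached to the alert as enrichment.

```python
"""Password-spray detection over Microsoft 365 sign-in records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source (documentation range 203.0.113.7) spraying
# twelve accounts with one failure each, plus one genuine user who mistypes
# a password once and then succeeds from a normal browser.
LEGACY_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
SAMPLE_LOGS = [json.dumps(r) for r in
    [{"TimeGenerated": f"2026-03-13T08:{i:02d}:00Z",
      "UserPrincipalName": f"user{i:02d}@example.test",
      "IPAddress": "203.0.113.7", "ResultType": "50126", "UserAgent": LEGACY_UA}
     for i in range(12)]
    + [{"TimeGenerated": "2026-03-13T08:30:00Z",
        "UserPrincipalName": "alice@example.test", "IPAddress": "198.51.100.20",
        "ResultType": "50126", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
       {"TimeGenerated": "2026-03-13T08:31:00Z",
        "UserPrincipalName": "alice@example.test", "IPAddress": "198.51.100.20",
        "ResultType": "0", "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"}]]


def parse(lines):
    """Decode JSON lines and sort by timestamp so per-IP event lists are ordered."""
    recs = []
    for line in lines:
        r = json.loads(line)
        r["ts"] = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        recs.append(r)
    return sorted(recs, key=lambda r: r["ts"])


def failed_by_ip(records):
    """Group failed sign-ins by source IP as (timestamp, account) pairs."""
    groups = defaultdict(list)
    for r in records:
        if r["ResultType"] != "0":
            groups[r["IPAddress"]].append((r["ts"], r["UserPrincipalName"]))
    return groups


def detect_spray(lines, threshold=10, window=timedelta(hours=1)):
    """Return {ip: most distinct accounts failed inside any `window`} for IPs
    that reach `threshold`. Sliding window over the time-ordered failures."""
    alerts = {}
    for ip, events in failed_by_ip(parse(lines)).items():
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({acct for _, acct in events[start:end + 1]}))
        if best >= threshold:
            alerts[ip] = best
    return alerts


def detect_enumeration(lines, known_active, min_attempts=5, min_unknown_ratio=0.5):
    """Return {ip: share of failures aimed at accounts not in `known_active`}
    for IPs with at least `min_attempts` failures and a share at or above
    `min_unknown_ratio`. `known_active` would normally be the set of accounts
    with a successful sign-in during the look-back period."""
    alerts = {}
    for ip, events in failed_by_ip(parse(lines)).items():
        if len(events) < min_attempts:
            continue
        unknown = sum(1 for _, acct in events if acct not in known_active)
        ratio = unknown / len(events)
        if ratio >= min_unknown_ratio:
            alerts[ip] = round(ratio, 2)
    return alerts


def legacy_user_agent(ua):
    """True for the Internet Explorer style User-Agent the campaign used during
    reconnaissance; attach as an enrichment field rather than alerting on it alone."""
    return "MSIE" in ua or "Trident/" in ua
```

The same logic maps directly onto a Sentinel analytics rule: group SigninLogs by IPAddress over a one-hour bin, count distinct UserPrincipalName values with a non-zero ResultType, and alert at the threshold. Keep the enumeration signal as a second, lower-severity rule, since a single failed login from a service desk against a dormant account is not by itself suspicious.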
Organizations must implement conditional access policies that explicitly block authentication attempts originating from known Tor exit nodes and other high-risk anonymization networks observed in this campaign’s reconnaissance infrastructure. Microsoft Entra ID conditional access policies can leverage named locations configured with Tor exit node IP address ranges, which should be updated regularly from public Tor exit node lists maintained by the Tor Project. These policies should block or require additional authentication factors for any sign-in attempts originating from anonymization networks, effectively preventing the reconnaissance phase methodology observed in this campaign.
Security teams should configure comprehensive geo-fencing controls through Microsoft Entra ID conditional access policies that restrict authentication to approved geographic locations relevant to the organization’s operational footprint. For organizations with well-defined geographic boundaries, policies should explicitly allow authentication only from countries where the organization maintains offices, operations, or authorized remote workers, while blocking authentication attempts from all other locations. This approach directly counters the campaign’s VPN-based geographic spoofing methodology by establishing baseline expectations for legitimate authentication geography.
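The two controls from the preceding paragraphs (a Tor exit named location that is blocked outright, and a country allowlist that blocks everything else) modelled as an added example. This is not Entra ID code and not the report's own; build_named_locations() and build_policies() produce dictionaries shaped like the Microsoft Graph ipNamedLocation, countryNamedLocation and conditionalAccessPolicy payloads (an assumption to check against the Graph reference before use), and evaluate_signin() applies the same semantics locally so the policy can be reasoned about before it is deployed. The Tor ranges, the geolocation table and the test IPs are constructed from documentation ranges; the single approved country is an assumption.

```python
"""Model of the Tor-block and country-allowlist conditional access controls (added example)."""
import ipaddress

# Stand-in for a regularly refreshed Tor exit list published by the Tor Project;
# documentation ranges only.
TOR_EXIT_RANGES = ["203.0.113.0/24", "2001:db8:dead::/48"]

# Assumption: the organisation only expects sign-ins from Israel.
ALLOWED_COUNTRIES = ["IL"]

# Constructed IP-to-country table standing in for a geolocation feed.
GEO_TABLE = {"198.51.100.0/24": "IL", "192.0.2.0/24": "IR", "203.0.113.0/24": "DE"}


def build_named_locations():
    """Graph-style ipNamedLocation and countryNamedLocation payloads."""
    tor = {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": "Tor exit nodes",
        "isTrusted": False,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv6CidrRange" if ":" in cidr
             else "#microsoft.graph.iPv4CidrRange", "cidrAddress": cidr}
            for cidr in TOR_EXIT_RANGES],
    }
    countries = {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Approved countries",
        "countriesAndRegions": ALLOWED_COUNTRIES,
        # Unknown geolocation is treated as outside the allowlist.
        "includeUnknownCountriesAndRegions": False,
    }
    return tor, countries


def build_policies(tor_location_id, country_location_id):
    """Two block policies: one including the Tor location, one including all
    locations and excluding the approved-country location."""
    base = {"users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]}}
    block = {"operator": "OR", "builtInControls": ["block"]}
    return [
        {"displayName": "Block Tor exit nodes", "state": "enabled",
         "conditions": {**base, "locations": {"includeLocations": [tor_location_id]}},
         "grantControls": block},
        {"displayName": "Block sign-in outside approved countries", "state": "enabled",
         "conditions": {**base, "locations": {"includeLocations": ["All"],
                                              "excludeLocations": [country_location_id]}},
         "grantControls": block},
    ]


def country_of(ip):
    """Longest-prefix lookup in the constructed geolocation table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, cc in GEO_TABLE.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, cc)
    return best[1] if best else None


def evaluate_signin(ip):
    """Apply the policy semantics locally: Tor ranges block first, then any
    source outside the approved countries (unknown geolocation included)."""
    addr = ipaddress.ip_address(ip)
    for cidr in TOR_EXIT_RANGES:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return "block:tor-exit"
    if country_of(ip) not in ALLOWED_COUNTRIES:
        return "block:geo"
    return "allow"
```

Note the limit the report itself makes visible: once the actor moved to Windscribe and NordVPN exits geolocated inside Israel, this country allowlist would have let the authenticated sessions through. Geo-fencing and the Tor block raise the cost of the reconnaissance phase; multi-factor authentication is what stops a sprayed password from becoming a session.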
Organizations must implement and enforce strong password policies that explicitly prohibit commonly used passwords vulnerable to password spray attacks. Microsoft Entra ID Password Protection provides capabilities to ban custom password lists and detect commonly compromised credentials, preventing users from setting passwords that appear in known breach databases. Security teams should conduct periodic password audits using tools that identify accounts with weak credentials, previously breached passwords available in public breach compilations, or passwords that follow predictable patterns exploitable in password spray campaigns.
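The weak-password classes named above (seasonal passwords, keyboard patterns, organisation-name passwords and previously breached credentials) as audit checks, added here as an example. This is not the report's code and not Entra ID Password Protection, whose matching rules are Microsoft's own; the leetspeak normalisation table is this example's choice, the breach set is constructed in-code from a few well-known strings in place of a real corpus, and the org_terms list is a per-tenant assumption.

```python
"""Audit checks for the password classes a spray campaign relies on (added example)."""
import hashlib
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx", "123456", "12345", "1234")
# Leetspeak substitutions undone before organisation-term matching.
SUBST = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus keyed by SHA-1, the form most
# breach-check services use so that plaintext never has to leave the auditor.
BREACHED_SHA1 = {sha1_hex(p) for p in ("password", "123456", "P@ssw0rd", "Welcome1")}


def normalize(pw):
    return pw.lower().translate(SUBST)


def audit_password(pw, org_terms=(), breached=BREACHED_SHA1):
    """Return the list of weak-password classes `pw` falls into (empty = passes)."""
    reasons = []
    lower = pw.lower()
    norm = normalize(pw)
    if sha1_hex(pw) in breached:
        reasons.append("breached")
    # Season followed by a two- to four-digit year, e.g. Spring2026!
    if re.search(r"(" + "|".join(SEASONS) + r")\d{2,4}", lower):
        reasons.append("seasonal")
    if any(walk in lower for walk in KEYBOARD_WALKS):
        reasons.append("keyboard-walk")
    # Organisation name survives common digit-for-letter substitutions.
    if any(normalize(t) in norm for t in org_terms if t):
        reasons.append("org-name")
    return reasons


def audit_accounts(candidates, org_terms=()):
    """Map account -> reasons for every account whose password is weak.
    `candidates` is {account: password}. A real audit compares stored hashes
    against candidate lists generated from these same classes; the
    classification is the same, only the comparison moves to hash space."""
    findings = {}
    for acct, pw in candidates.items():
        reasons = audit_password(pw, org_terms)
        if reasons:
            findings[acct] = reasons
    return findings
```

Use the same classes when building the custom banned list for Entra ID Password Protection: the organisation's name and common abbreviations, local place names, and the product names users see every day. The global banned list covers generic terms; the custom list is where the tenant-specific patterns a spray list would be built from get blocked.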
Organizations must ensure that Microsoft 365 Unified Audit Logging is fully enabled across all services and retained for periods sufficient to support post-compromise investigation and forensic analysis. Comprehensive audit logging provides the evidentiary foundation necessary to trace attacker actions following any suspected successful authentication, enabling security teams to identify which emails were accessed, what files were downloaded, which SharePoint sites were visited, and what administrative actions were performed using compromised credentials.
Organizations must deploy multi-factor authentication across all Microsoft 365 user accounts to ensure that compromised passwords alone are insufficient for successful authentication. MFA implementation should prioritize phishing-resistant authentication methods including FIDO2 security keys, Windows Hello for Business, or certificate-based authentication for privileged and administrative roles. Even basic MFA implementations using mobile authenticator applications or SMS-based one-time passwords provide substantial protection against password spray campaigns by requiring attackers to compromise both passwords and secondary authentication factors.
T1589: Gather Victim Identity Information
T1078: Valid Accounts
T1110: Brute Force
T1090: Proxy
T1114: Email Collection
T1573: Encrypted Channel
IPv4 Addresses: