Iran-Nexus Actors Launch Coordinated Microsoft 365 Password Attacks
Security researchers at Check Point documented a sophisticated password-spraying campaign targeting Microsoft 365 environments across Israel and the United Arab Emirates throughout March 2026. The attacks occurred in three distinct waves on March 3, March 13, and March 23, with threat intelligence analysts attributing the activity to Iran-linked threat actors operating amid escalating regional tensions in the Middle East.
Password spraying is a low-and-slow credential attack. Instead of hammering one account with many guesses, the attacker takes a short list of commonly used passwords (seasonal patterns such as a season plus the current year, the organization's name plus a number, and similar) and tries each one against a large list of accounts, usually one guess per account per round. Because any single account sees only a few failures, the attempts stay below the lockout thresholds organizations rely on, and the overall volume blends into ordinary failed-login noise. The method trades speed for stealth: given enough accounts, some fraction will be using one of the guessed passwords.
The timing of these attacks coincides with heightened geopolitical tensions in the region, suggesting the campaign may be part of broader state-sponsored cyber operations. Iran has historically leveraged cyber capabilities as part of its asymmetric warfare strategy, targeting critical infrastructure and government entities in adversarial nations. The choice to target Microsoft 365 environments reflects the widespread adoption of cloud-based productivity suites across government agencies and private sector organizations in both Israel and the UAE.
Check Point's threat intelligence team identified the campaign through their monitoring of suspicious authentication patterns and anomalous login behaviors across their customer base. The researchers noted that the attacks demonstrated a high degree of coordination and planning, with each wave targeting different organizational sectors and employing slightly modified tactics to evade detection systems.
Microsoft 365 environments present attractive targets for nation-state actors due to their central role in organizational communications and document storage. Successful compromise of these environments can provide attackers with access to sensitive communications, strategic planning documents, and the ability to conduct lateral movement within target networks. The cloud-based nature of these platforms also complicates traditional perimeter-based security approaches, requiring organizations to implement robust identity and access management controls.
Israeli and UAE Organizations Face Widespread Targeting
The password-spraying campaign primarily affected organizations across multiple sectors in Israel and the United Arab Emirates, with particular focus on government agencies, defense contractors, and critical infrastructure providers. Security analysts observed that the threat actors demonstrated sophisticated target selection, focusing on high-value entities that maintain significant Microsoft 365 deployments for their daily operations.
Organizations running Microsoft 365 Business, Enterprise, and Government Community Cloud (GCC) environments faced the highest risk during the documented attack waves. The threat actors specifically targeted accounts with administrative privileges and service accounts that often maintain elevated access across cloud environments. Small to medium-sized organizations proved particularly vulnerable due to limited security monitoring capabilities and less robust multi-factor authentication implementations.
The geographic targeting pattern suggests the campaign was designed to gather intelligence on regional security postures and government communications. Israeli technology companies, defense contractors, and government ministries represented primary targets, while UAE-based financial institutions and energy sector organizations also experienced significant targeting attempts. The threat actors appeared to maintain detailed target lists, suggesting extensive reconnaissance activities preceded the actual password-spraying attempts.
Security researchers estimate that hundreds of organizations across both countries received targeting attempts, with successful compromises affecting dozens of entities. The actual scope of successful breaches remains under investigation, as many organizations may not have detected the intrusion attempts due to the subtle nature of password-spraying attacks and the distributed timing of login attempts designed to blend with normal user behavior patterns.
Multi-Factor Authentication and Enhanced Monitoring Provide Defense
Organizations can implement several immediate defensive measures to protect against ongoing password-spraying campaigns targeting Microsoft 365 environments. The most effective protection is multi-factor authentication (MFA) on every account, administrative accounts first, because a correctly guessed password then stops short of a usable session. Two caveats apply. First, legacy authentication protocols (IMAP, POP3, SMTP AUTH and basic-auth Exchange ActiveSync) do not support MFA, so a spray aimed at them succeeds with the password alone; legacy authentication should be blocked with a Conditional Access policy, or through Security Defaults in tenants without Entra ID P1 licensing, which also requires MFA registration for all users. Second, push-based MFA can be worn down by repeated prompts, so privileged accounts should use phishing-resistant methods such as FIDO2 keys or certificate-based authentication. Microsoft's Entra ID (formerly Azure AD) Conditional Access documentation covers policies that require additional factors for risky sign-ins.
Security teams should immediately review their Microsoft 365 audit logs for suspicious authentication patterns. The signature of a spray is the inverse of a brute force: many distinct accounts, one or two failures each, all within a short window from a single source IP, autonomous system or hosting provider. Successful logins from geographically dispersed locations within short timeframes are a second indicator. The Entra ID (formerly Azure Active Directory) sign-in logs contain the details needed to spot both, including source IP address, user agent, client application and the result code of each attempt; a sign-in that fails with a wrong-password code is a missed guess, while one interrupted for MFA means the attacker now holds a valid password. Organizations should configure automated alerts for failed authentication attempts exceeding normal baseline patterns, and tenants with Entra ID Protection should review its built-in password-spray risk detection.
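The detection logic described above, written out as an added example that is not part of the original article or of Check Point's tooling. It groups sign-in failures by source IP over a sliding window and flags sources that touch many accounts with few attempts each, reports accounts whose password was accepted (success or MFA interruption), and records which legacy protocols were used. The field names follow the Microsoft Graph auditLogs/signIns schema; the thresholds and the sample events are constructed assumptions, not real telemetry.

```python
"""Password-spray detection over Entra ID (Azure AD) sign-in log records.

Added example, not code from the original article or from Check Point.
The field names (createdDateTime, userPrincipalName, ipAddress,
clientAppUsed, status.errorCode) follow the Microsoft Graph
auditLogs/signIns schema; the thresholds and SAMPLE_EVENTS are assumptions
constructed for illustration, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# status.errorCode values seen in the sign-in log.
# 50126 = invalid username or password (a missed guess).
# 0 = success; 50074 / 50076 = password accepted, sign-in interrupted for
# MFA. In a spray the latter group means the attacker now holds a valid
# password and only MFA is standing in the way.
WRONG_PASSWORD = {50126}
PASSWORD_ACCEPTED = {0, 50074, 50076}
# clientAppUsed values that go through interactive sign-in (and thus MFA);
# anything else (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients")
# is legacy authentication, the usual spray target.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamps the sign-in log uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_spray(events, window=timedelta(minutes=60), min_users=10,
                 max_per_user=3):
    """One finding per source IP whose wrong-password failures inside some
    `window` touch at least `min_users` accounts with at most `max_per_user`
    failures each: many accounts, few tries each, one source."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append((
            _ts(e["createdDateTime"]), e["userPrincipalName"],
            e["status"]["errorCode"], e.get("clientAppUsed", "")))

    findings = []
    for ip, rows in by_ip.items():
        rows.sort()
        best, j = None, 0
        for i in range(len(rows)):            # sliding window over time
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            win = rows[i:j]
            per_user = Counter(u for _, u, code, _ in win
                               if code in WRONG_PASSWORD)
            if (len(per_user) < min_users
                    or max(per_user.values(), default=0) > max_per_user):
                continue
            if best is None or len(per_user) > best["distinct_users"]:
                best = {
                    "ipAddress": ip,
                    "window_start": win[0][0].isoformat(),
                    "distinct_users": len(per_user),
                    "failed_attempts": sum(per_user.values()),
                    # accounts whose password the attacker got right
                    "password_accepted": sorted({u for _, u, code, _ in win
                                                 if code in PASSWORD_ACCEPTED}),
                    "legacy_auth": sorted({c for *_, c in win
                                           if c and c not in MODERN_CLIENTS}),
                }
        if best is not None:
            findings.append(best)
    return findings


# --- constructed sample log (not real telemetry) -------------------------
_BASE = datetime(2026, 3, 13, 8, 0, tzinfo=timezone.utc)


def _event(offset_s, user, code, client, ip):
    return {"createdDateTime": (_BASE + timedelta(seconds=offset_s))
            .strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code}}


SAMPLE_EVENTS = [
    # one IMAP guess per account, 30 s apart, twelve accounts: the spray
    *[_event(30 * k, f"user{k:02d}@example.com", 50126, "IMAP4", "203.0.113.7")
      for k in range(12)],
    # one guess landed: user05's password was right, MFA interrupted it
    _event(400, "user05@example.com", 50076, "IMAP4", "203.0.113.7"),
    # benign noise: a single user mistyping a password in the browser
    *[_event(60 * k, "alice@example.com", 50126, "Browser", "198.51.100.4")
      for k in range(4)],
]

if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f)
```

On the sample, the home user who mistypes four times is not flagged (one account, many failures), while the IMAP source that touches twelve accounts once each is, and the finding names user05 as the account whose password the attacker now holds. Tune min_users and the window to the tenant's size, and in a real deployment key the grouping on the autonomous system as well as the IP, since spray infrastructure rotates addresses within a provider.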
Implementing robust password policies is another critical defensive measure, since a spray only works against passwords that appear on the attacker's short list. Organizations should prohibit commonly compromised passwords rather than relying on complexity rules alone. Microsoft Entra Password Protection (formerly Azure AD Password Protection) automatically blocks known weak passwords and their common variants, and its custom banned list should be populated with organization-specific terms such as the company name, product names, the city and the current year. Forced periodic rotation, by contrast, is now discouraged by both Microsoft and NIST SP 800-63B because it pushes users toward predictable, season-plus-year passwords that sprays exploit; passwords should instead be changed when compromise is suspected.
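To show why a banned-password list catches what complexity rules miss, here is an added example, not Microsoft's code, that scores candidate passwords in the way Microsoft documents for Entra Password Protection: normalize the password (lowercase, and undo the 0, 1, $ and @ substitutions), award one point per banned term found and one point per remaining character, and accept only at five points or more. The banned list below is a small constructed stand-in for the global list, and the greedy longest-term-first matching is this example's own simplification of the service's fuzzy matching.

```python
"""Banned-password scoring in the style documented for Microsoft Entra
Password Protection (formerly Azure AD Password Protection).

Added example, not Microsoft's code. The normalization (lowercase; 0->o,
1->l, $->s, @->a), the scoring (one point per banned term found, one point
per remaining character) and the five-point threshold follow Microsoft's
published description of the service; the banned list below is a small
constructed stand-in for the global list, and the greedy longest-term-first
matching is this example's own simplification.
"""

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5
# Constructed stand-in for the global banned list.
GLOBAL_BANNED = ("password", "welcome", "letmein", "qwerty",
                 "spring", "summer", "autumn", "winter", "blank")


def normalize(password):
    """Lowercase and undo the character substitutions users reach for."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate(password, custom=(), banned=GLOBAL_BANNED):
    """Score `password` against the global list plus tenant-specific `custom`
    terms (organisation name, products, city, current year). Returns the
    score, the banned terms found and whether the password is accepted."""
    text = normalize(password)
    terms = sorted({normalize(t) for t in (*banned, *custom) if t},
                   key=lambda t: (-len(t), t))
    remaining, matched, points = text, [], 0
    for term in terms:
        # each occurrence of a banned term is worth a single point, however
        # long it is; the \x00 marker keeps removed spans from joining up
        while term in remaining:
            remaining = remaining.replace(term, "\x00", 1)
            matched.append(term)
            points += 1
    points += len(remaining.replace("\x00", ""))   # leftover characters
    return {"score": points, "matched": matched, "accepted": points >= MIN_SCORE}


if __name__ == "__main__":
    for pw, custom in [("C0ntos0Blank12", ("contoso",)),
                       ("P@ssw0rd1", ()),
                       ("Spring2026!", ()),
                       ("Spring2026!", ("2026",)),
                       ("Tr4nsit-Ledger-77x", ())]:
        print(pw, evaluate(pw, custom))
```

"P@ssw0rd1" satisfies every classic complexity rule yet scores two points, because after normalization it is the banned word "password" plus one character. "Spring2026!" scores six and passes on the global list alone; adding the current year to the custom list drops it to three and rejects it, which is the practical reason the custom list should carry years and organization-specific terms rather than only the company name.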
Network-level protections should include restricting administrative sign-ins to named locations (corporate IP ranges or VPN egress addresses) through Conditional Access, and blocking sign-ins from countries in which the organization has no users or from IP ranges known to be malicious. Geoblocking raises the attacker's cost but is not a control on its own: spraying infrastructure routinely sits behind residential proxies and cloud providers inside the target's own country, so it must be paired with MFA and the blocking of legacy authentication. CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines for Microsoft 365 provide vetted settings for Conditional Access, legacy authentication and audit logging that organizations can measure their tenants against.
Organizations should also consider privileged access management that grants administrative roles just in time rather than standing; in Microsoft 365 this is Entra Privileged Identity Management, which requires role activation with MFA and keeps a detailed audit trail of every privileged operation, so that a sprayed administrator password yields no standing rights. Regular security awareness training focusing on password choice and social engineering can help reduce the likelihood of successful credential compromise through complementary attack vectors.