Iran targets M365 accounts with password-spraying attacks • The Register

Staff Editor 2026-03-31
Iran targets M365 accounts with password-spraying attacks • The Register

Iran targets M365 accounts with password-spraying attacks • The Register

https://www.theregister.com/2026/03/31/iran_password_spraying_m365/?tdu003dkeepreading

Publish Date: 2026-03-31 15:09:00

Source Domain: www.theregister.com

Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes.

Tel Aviv-based Check Point Research on Tuesday said that the attackers used multiple source IP addresses to target numerous Microsoft 365 accounts, affecting more than 300 organizations in Israel and more than 25 in the United Arab Emirates. While most of the password spraying hit these two Middle Eastern countries, the researchers tracked similar activity from the same attacker against a “limited number” of targets in the US, Europe, and Saudi Arabia.

The attacks happened in three waves – March 3, March 13, and March 23 – and Iran-linked groups, including the Islamic Revolutionary Guard Corps’ Peach Sandstorm and Gray Sandstorm, are known to use this method to gain initial access to victims’ Microsoft 365 environments and steal sensitive information.

While Israel’s municipal sector bore the brunt of the password-spraying attacks, other industries, including technology (63 attempts), transportation and logistics (32), healthcare (28), and manufacturing (28), were also targeted.

Municipalities play a major role in responding to missile-related physical damage, and Check Point also noted some correlation between the orgs targeted with password spraying and cities targeted by missile attacks. “This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts,” the researchers wrote.

The first stage in the attack – password spraying – involves blasting hundreds of organizations’ Microsoft accounts with weak passwords. The attackers perform these scans using frequently changed Tor exit nodes with a User-Agent that…

Source

More Stories

Mountain Rides resolves cybersecurity threat | Transportation

Mountain Rides resolves cybersecurity threat | Transportation

Staff Editor 2026-06-05
NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

NICC offers new computing and cybersecurity program for high school students | 97 Seven Country WGLR – The Tri-States Best Variety of Country

Staff Editor 2026-06-05
Ashley Devoto Named Air Force CIO

Ashley Devoto Named Air Force CIO

Staff Editor 2026-06-05

Terms and Conditions - Privacy Policy