Cyber-crime Iran targets M365 accounts with password-spraying attacks Researchers say some targets correlate with cities hit by Iranian missile strikes Jessica Lyons Tue 31 Mar 2026 // 19:09 UTC Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes. Tel Aviv-based Check Point Research on Tuesday said that the attackers used multiple source IP addresses to target numerous Microsoft 365 accounts, affecting more than 300 organizations in Israel and more than 25 in the United Arab Emirates. While most of the password spraying hit these two Middle Eastern countries, the researchers tracked similar activity from the same attacker against a "limited number" of targets in the US, Europe, and Saudi Arabia. The attacks happened in three waves - March 3, March 13, and March 23 - and Iran-linked groups, including the Islamic Revolutionary Guard Corps' Peach Sandstorm and Gray Sandstorm , are known to use this method to gain initial access to victims' Microsoft 365 environments and steal sensitive information. While Israel's municipal sector bore the brunt of the password-spraying attacks, other industries, including technology (63 attempts), transportation and logistics (32), healthcare (28), and manufacturing (28), were also targeted. Municipalities play a major role in responding to missile-related physical damage, and Check Point also noted some correlation between the orgs targeted with password spraying and cities targeted by missile attacks . "This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts," the researchers wrote. The first stage in the attack - password spraying - involves blasting hundreds of organizations' Microsoft accounts with weak passwords. The attackers perform these scans using frequently changed Tor exit nodes with a User-Agent that masquerades as Internet Explorer 10 (IE10): Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). Once the attackers find credentials that work, they log in from multiple VPN IP addresses (Windscribe IP range 185.191.204.X or NordVPN IP range 169.150.227.X) geolocated in Israel to evade restrictions based on geography. They then use the valid credentials to access personal email communications and other sensitive data. Iran's cyberattack against med tech firm is 'just the beginning' Iran-linked cyber crew says they hit US med-tech firm 'Hundreds' of Iranian hacking attempts have hit surveillance cameras since the missile strikes The drone swarm is coming, and NATO air defenses are too expensive to cope "Analysis of M365 logs suggest similarities to Gray Sandstorm, including the use of red-team tools to conduct these attacks via Tor exit nodes," the threat hunters wrote, adding that the attacker also used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), infrastructure that has appeared in recent suspected Iran-linked cyber operations in the Middle East. The password spraying attacks come as another Iran-linked group hacked FBI Director Kash Patel's personal email account and claimed to have leaked his resume and photos, warning, "This is just our beginning." Handala Hack, a crew behind the destructive Stryker cyberattack with ties to Iran's intelligence agency , posted Patel's data on their website on Friday. The FBI and friends briefly disrupted the group's websites a week earlier, but they spun up new domains within days. ® Share More about Cybercrime Iran Microsoft 365 More like these × More about Cybercrime Iran Microsoft 365 Security Narrower topics 2FA Advanced persistent threat Application Delivery Controller Authentication BEC Black Hat BSides Bug Bounty Center for Internet Security CHERI CISO Common Vulnerability Scoring System Cybersecurity Cybersecurity and Infrastructure Security Agency Cybersecurity Information Sharing Act Data Breach Data Protection Data Theft DDoS DEF CON Digital certificate Encryption End Point Protection Exploit Firewall Google Project Zero Hacker Hacking Hacktivism Identity Theft Incident response Infosec Infrastructure Security Kenna Security Microsoft Teams NCSAM NCSC Palo Alto Networks Password Personally Identifiable Information Phishing Quantum key distribution Ransomware Remote Access Trojan REvil RSA Conference Software Bill of Materials Spamming Spyware Surveillance TLS Trojan Trusted Platform Module Vulnerability Wannacry Zero trust Broader topics EMEA Microsoft Office 365 Software More about Share POST A COMMENT More about Cybercrime Iran Microsoft 365 More like these × More about Cybercrime Iran Microsoft 365 Security Narrower topics 2FA Advanced persistent threat Application Delivery Controller Authentication BEC Black Hat BSides Bug Bounty Center for Internet Security CHERI CISO Common Vulnerability Scoring System Cybersecurity Cybersecurity and Infrastructure Security Agency Cybersecurity Information Sharing Act Data Breach Data Protection Data Theft DDoS DEF CON Digital certificate Encryption End Point Protection Exploit Firewall Google Project Zero Hacker Hacking Hacktivism Identity Theft Incident response Infosec Infrastructure Security Kenna Security Microsoft Teams NCSAM NCSC Palo Alto Networks Password Personally Identifiable Information Phishing Quantum key distribution Ransomware Remote Access Trojan REvil RSA Conference Software Bill of Materials Spamming Spyware Surveillance TLS Trojan Trusted Platform Module Vulnerability Wannacry Zero trust Broader topics EMEA Microsoft Office 365 Software TIP US OFF Send us news