root@rebel:~$ cd /news/threats/iran-linked-password-spraying-targets-300-israeli-organizations_
[TIMESTAMP: 2026-04-06 20:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Iran-Linked Password-Spraying Targets 300+ Israeli Organizations

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Threat actors are actively targeting over 300 Israeli and UAE organizations to compromise Microsoft 365 accounts and exfiltrate sensitive data.
  • [02] Microsoft 365 cloud environments and Azure Active Directory instances across the Middle East are the primary targets of this campaign.
  • [03] Organizations must enforce multi-factor authentication and review sign-in logs for suspicious IP addresses associated with known spraying patterns.

The Iranian-nexus threat actor activity targeting Microsoft 365 organizations in Israel and the United Arab Emirates represents a coordinated effort to harvest credentials during a period of heightened regional tension. According to The Hacker News, the campaign consisted of three distinct attack waves throughout March 2026. Security researchers identified that these waves occurred on March 3, March 13, and March 23, targeting approximately 300 organizations with high precision.

The primary TTP used in this operation is password spraying. Unlike traditional brute-force attacks that target a single account with many passwords, password spraying involves attempting a small number of commonly used passwords against a vast pool of accounts. This technique is specifically designed to bypass account lockout policies and evade detection by SIEM and SOC teams that might only be monitoring for high-frequency failures on a per-user basis. By spreading the attempts across hundreds of organizations and thousands of users, the attackers significantly lower the noise floor of their activity.

Technical Analysis: Password Spraying in Azure AD

The attackers focused on cloud-based identity providers, which makes Azure AD sign-in telemetry the main place where this spraying can be detected. By leveraging legitimate Microsoft 365 authentication endpoints, the APT group could blend their malicious traffic with normal user sign-in attempts. The campaign utilized a rotation of IP addresses and infrastructure to prevent static blocking by perimeter defenses.

The timing of the attacks, spaced exactly ten days apart, suggests a calculated, automated approach. This cadence allows the threat actor to rotate infrastructure and potentially refine their target lists based on the results of previous waves. The focus on Israeli and UAE entities highlights a clear geopolitical motive, likely aimed at long-term intelligence gathering or facilitating future lateral movement within the compromised networks after initial access is secured.

Strategic Geographic Targeting and Impact

The campaign significantly impacts the technology, finance, and government sectors within Israel. The inclusion of the UAE as a secondary target suggests a broader regional interest for the Iranian-linked cluster. While no specific CVE was exploited in the initial access phase, the reliance on weak credentials remains a persistent gap in cloud security. If successful, these attacks lead to account takeover, sensitive data exfiltration, and the potential for phishing campaigns launched from legitimate internal accounts.

Mitigating Iranian Threat Actor M365 Attacks

Defenders must prioritize the implementation of Zero Trust principles to combat these credential-based threats. Since the primary IoC in these scenarios involves anomalous login patterns rather than specific malware signatures, detection relies heavily on behavioral analysis of authentication logs.

To effectively address these risks, organizations should implement the following security controls:

  • Enforce Phishing-Resistant MFA: Implement multi-factor authentication (MFA) across all user accounts, preferably using FIDO2-based hardware keys to prevent session hijacking.
  • Conditional Access Policies: Restrict logins from unexpected geographic locations or untrusted IP ranges that do not align with company operations.
  • Log Monitoring: Review Azure AD sign-in logs for “Failure Reason: Incorrect Password” events distributed across a high volume of unique usernames. Password spraying in Azure AD shows up as these distributed, low-and-slow patterns across many accounts rather than as repeated failures on a single account.
  • Disable Legacy Authentication: Protocols like POP3 or IMAP do not support modern MFA and are frequently used by attackers to bypass security prompts.
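The detection logic described in the log-monitoring bullet above and in the earlier explanation of why spraying evades per-user failure thresholds, written out as an added example (not code from the original article or from any vendor). It runs over a constructed set of sign-in records modelled loosely on the Azure AD sign-in log fields (user principal name, source IP, status error code); the records, the IP addresses, the user names and the thresholds are all invented for illustration. Failures are grouped by source IP and classified by breadth (many distinct users, few attempts each: spray) versus depth (one user, many attempts: brute force), and a successful sign-in from a spraying IP against one of the sprayed users is surfaced as the account-takeover signal.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real log data). errorCode 50126 is
# Azure AD's "invalid username or password" result; 0 is a successful sign-in.
SAMPLE_SIGNINS = [
    # One source IP, one failed attempt each against six different users,
    # spread over ~45 minutes: the "low-and-slow" spray shape.
    {"ts": "2026-03-03T02:00:10Z", "user": "alice@example.org", "ip": "203.0.113.10", "errorCode": 50126},
    {"ts": "2026-03-03T02:09:41Z", "user": "bob@example.org",   "ip": "203.0.113.10", "errorCode": 50126},
    {"ts": "2026-03-03T02:18:03Z", "user": "carol@example.org", "ip": "203.0.113.10", "errorCode": 50126},
    {"ts": "2026-03-03T02:27:55Z", "user": "dave@example.org",  "ip": "203.0.113.10", "errorCode": 50126},
    {"ts": "2026-03-03T02:36:12Z", "user": "erin@example.org",  "ip": "203.0.113.10", "errorCode": 50126},
    {"ts": "2026-03-03T02:45:30Z", "user": "frank@example.org", "ip": "203.0.113.10", "errorCode": 50126},
    # The spray hit a weak password: a later success for one of the sprayed users.
    {"ts": "2026-03-03T03:02:47Z", "user": "frank@example.org", "ip": "203.0.113.10", "errorCode": 0},
    # Classic brute force: one user, many failures, from a second IP.
    {"ts": "2026-03-03T04:00:00Z", "user": "bob@example.org", "ip": "198.51.100.5", "errorCode": 50126},
    {"ts": "2026-03-03T04:00:05Z", "user": "bob@example.org", "ip": "198.51.100.5", "errorCode": 50126},
    {"ts": "2026-03-03T04:00:10Z", "user": "bob@example.org", "ip": "198.51.100.5", "errorCode": 50126},
    {"ts": "2026-03-03T04:00:15Z", "user": "bob@example.org", "ip": "198.51.100.5", "errorCode": 50126},
    {"ts": "2026-03-03T04:00:20Z", "user": "bob@example.org", "ip": "198.51.100.5", "errorCode": 50126},
    {"ts": "2026-03-03T04:00:25Z", "user": "bob@example.org", "ip": "198.51.100.5", "errorCode": 50126},
    # Benign noise: a single typo followed by a normal sign-in.
    {"ts": "2026-03-03T08:15:00Z", "user": "carol@example.org", "ip": "192.0.2.77", "errorCode": 50126},
    {"ts": "2026-03-03T08:15:20Z", "user": "carol@example.org", "ip": "192.0.2.77", "errorCode": 0},
]

INVALID_CREDENTIALS = {50126}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records, min_spray_users=5, min_brute_failures=5):
    """Classify failed sign-ins per source IP as spray or brute force.

    Thresholds are illustrative; tune them against your tenant's baseline.
    """
    failures_by_ip = defaultdict(list)
    successes_by_ip = defaultdict(list)
    for rec in records:
        if rec["errorCode"] in INVALID_CREDENTIALS:
            failures_by_ip[rec["ip"]].append(rec)
        elif rec["errorCode"] == 0:
            successes_by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, fails in failures_by_ip.items():
        per_user = defaultdict(int)
        for rec in fails:
            per_user[rec["user"]] += 1
        times = sorted(parse_ts(rec["ts"]) for rec in fails)
        span_minutes = (times[-1] - times[0]).total_seconds() / 60

        # Breadth first: many distinct users from one IP is the spray signature,
        # regardless of how low the per-user failure count stays.
        if len(per_user) >= min_spray_users:
            sprayed = set(per_user)
            succeeded = sorted(
                {s["user"] for s in successes_by_ip.get(ip, [])
                 if s["user"] in sprayed and parse_ts(s["ts"]) > times[0]}
            )
            findings.append({
                "pattern": "password_spray",
                "ip": ip,
                "distinct_users": len(per_user),
                "total_failures": len(fails),
                "span_minutes": round(span_minutes, 1),
                "succeeded_users": succeeded,  # sprayed accounts later logged in from this IP
            })
        # Depth: a single account hammered repeatedly is what per-user lockout already sees.
        elif max(per_user.values()) >= min_brute_failures:
            user = max(per_user, key=per_user.get)
            findings.append({
                "pattern": "brute_force",
                "ip": ip,
                "user": user,
                "failures": per_user[user],
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SIGNINS):
        print(finding)
```

The classification order matters: checking breadth before depth means a spray that tries three or four passwords per account across hundreds of users is still caught, while a single-user burst (which lockout policy already handles) is reported separately. In a real tenant the same grouping can be done on the sign-in log export or in the tenant's log analytics, adding the IP rotation dimension by grouping on ASN or on the sprayed user set instead of a single address.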

Ongoing monitoring and rapid response to credential anomalies are necessary to defend against this persistent threat actor cluster.
