A threat actor believed to be linked to Iran is suspected of carrying out a large-scale password-spraying campaign against Microsoft 365 environments, primarily targeting organizations in Israel and the United Arab Emirates, according to new findings from Check Point.
The ongoing campaign came in three coordinated waves on March 3, March 13, and March 23, 2026. Researchers report that more than 300 organizations in Israel and over 25 in the UAE have been affected. Additional, smaller-scale targeting was also observed in Europe, the United States, the United Kingdom, and Saudi Arabia.
The attacks focused on a wide range of sectors, including government agencies, municipalities, technology firms, transportation networks, energy providers, and private companies.
Password spraying, a type of brute-force attack in which an attacker tries one common password across many accounts to gain access, has previously been associated with Iran-linked groups such as Peach Sandstorm and Gray Sandstorm.
According to Check Point, the campaign involved three steps: initial reconnaissance and password spraying conducted via Tor exit nodes, followed by login attempts and, ultimately, the exfiltration of sensitive data such as email contents. The attackers also leveraged commercial VPN services linked to infrastructure previously associated with Iran-linked cyber operations.
To mitigate the threat, organizations are advised to detect password-spray anomalies, restrict access using geo-fencing and Tor IP block controls, enforce MFA tenant-wide and strengthen credential hygiene, and enable audit logs for post-compromise investigation.