
Ethical Hacking News

Iran Targets Microsoft 365 Accounts with Sophisticated Password-Spraying Attacks


Iranian threat actors have conducted coordinated password-spraying attacks against numerous organizations, primarily targeting municipal entities in Israel and the United Arab Emirates. The attackers exploited Microsoft 365 accounts using multiple source IP addresses, resulting in over 300 compromised organizations. This development highlights the growing threat posed by Iranian cyber actors and underscores the need for organizations to take proactive measures to protect themselves against such threats.

  • The Iranian threat actors have conducted coordinated password-spraying attacks against numerous organizations, primarily targeting municipal entities.
  • Over 300 organizations across Israel and more than 25 in the UAE have been compromised.
  • The attackers exploited Microsoft 365 accounts using multiple source IP addresses.
  • The attacks were part of three distinct waves, with the attackers utilizing various tools and techniques.
  • The use of commercial VPN nodes hosted at AS35758 suggests a coordinated effort by threat actors to gain access to sensitive information.
  • The campaign was likely intended to disrupt municipal operations in response to recent military actions.
  • The password spraying attacks pose a significant threat to organizations relying on Microsoft 365 accounts, highlighting the need for proactive security measures.



    Iranian threat actors have been conducting coordinated password-spraying attacks against numerous organizations, primarily targeting municipal entities. According to Check Point Research, an Israel-based cybersecurity firm, the attackers have exploited Microsoft 365 accounts using multiple source IP addresses, resulting in over 300 compromised organizations across Israel and more than 25 in the United Arab Emirates.

    This is not the first time that Iranian threat actors have been implicated in such activities, as they are known to utilize various tactics, including password spraying, to gain initial access to victims' Microsoft 365 environments and steal sensitive information. The attacks in question occurred in three distinct waves - March 3rd, March 13th, and March 23rd - with the attackers utilizing a variety of tools and techniques to carry out their assault.

    The attackers employed multiple source IP addresses to target numerous Microsoft 365 accounts, resulting in over 300 compromised organizations across Israel and more than 25 in the United Arab Emirates. The attackers also used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), infrastructure that has appeared in recent suspected Iran-linked cyber operations in the Middle East.

    The attacks were notable for their sophistication, as they involved a coordinated effort by threat actors to exploit vulnerabilities in Microsoft 365 accounts. This suggests that the attackers may have been seeking to gain access to sensitive information, such as personal email communications and other confidential data.

    Furthermore, researchers noted that some of the organizations targeted with password spraying correlate with cities hit by Iranian missile strikes. This observation suggests that the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts, implying a deliberate attempt by the attackers to disrupt the operations of municipal entities in response to recent military actions.

    Password spraying is a common tactic that threat actors use to gain initial access to victims' systems. In this campaign it involved trying weak passwords against the Microsoft accounts of hundreds of organizations, with the attackers running these scans through frequently changed Tor exit nodes and a User-Agent that masquerades as Internet Explorer 10 (IE10). Once the attackers find credentials that work, they log in from multiple VPN IP addresses geolocated in Israel to evade restrictions based on geography.

    The attackers then use the valid credentials to access personal email communications and other sensitive data. This suggests that the attackers are seeking to exploit the sensitive information contained within these systems for their own malicious purposes.
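
The pattern described above can be hunted for in sign-in logs. The following is an added example, not code from Check Point or from this article: it groups failed sign-ins by user agent across all source IPs (per-IP thresholds miss a spray that rotates exit nodes), then flags successes that use the sprayed user agent or follow one from an IP never seen for that account (a country check alone would miss in-country VPN logins). The record layout, user-agent strings, accounts, IPs and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (time, source IP, account, user agent, result).
# Hypothetical flat schema and documentation-range IPs, not a real export.
IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Edg/122.0"
LOG = [
    ("2026-03-02T09:05:00", "198.51.100.8", "bob@city.example", EDGE, "ok"),
    ("2026-03-02T09:10:00", "198.51.100.9", "carol@city.example", EDGE, "ok"),
    ("2026-03-03T08:00:00", "203.0.113.10", "alice@city.example", IE10, "fail"),
    ("2026-03-03T08:00:20", "203.0.113.10", "bob@city.example", IE10, "fail"),
    ("2026-03-03T08:01:00", "203.0.113.44", "carol@city.example", IE10, "fail"),
    ("2026-03-03T08:01:30", "203.0.113.91", "dave@city.example", IE10, "fail"),
    ("2026-03-03T08:03:00", "203.0.113.91", "carol@city.example", IE10, "ok"),
    ("2026-03-03T08:20:00", "198.51.100.8", "bob@city.example", EDGE, "fail"),
    ("2026-03-03T08:21:00", "198.51.100.8", "bob@city.example", EDGE, "ok"),
    ("2026-03-03T11:00:00", "192.0.2.55", "carol@city.example", EDGE, "ok"),
]

def parse(log):
    return sorted((datetime.fromisoformat(t), ip, u, ua, r) for t, ip, u, ua, r in log)

def sprayed_agents(log, window=timedelta(minutes=10), min_accounts=3):
    """User agents whose failed sign-ins hit >= min_accounts distinct accounts
    inside one window, counted across all source IPs."""
    fails = defaultdict(list)
    for t, _ip, user, ua, res in parse(log):
        if res == "fail":
            fails[ua].append((t, user))
    def widest(ev):  # most distinct accounts failed inside any one window
        return max(len({u for t, u in ev[i:] if t - ev[i][0] <= window}) for i in range(len(ev)))
    return {ua for ua, ev in fails.items() if widest(ev) >= min_accounts}

def suspect_logins(log, agents):
    """Successful sign-ins that use a sprayed user agent, or that follow one
    from an IP with no earlier successful sign-in for that account."""
    known_ips, guessed, out = defaultdict(set), set(), []
    for _t, ip, user, ua, res in parse(log):
        if res != "ok":
            continue
        if ua in agents:
            guessed.add(user)
            out.append((user, ip, "password guessed by spray"))
        elif user in guessed and ip not in known_ips[user]:
            out.append((user, ip, "new IP after guessed password"))
        else:
            known_ips[user].add(ip)
    return out
```

On the sample data, Bob's single mistyped password from his usual IP is not flagged, while Carol's account is reported twice: once for the spray's successful guess and once for the later login from an unfamiliar IP.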

    In addition to the password spraying attacks, there have been reports of another Iranian-linked group hacking FBI Director Kash Patel's personal email account and claiming to have leaked his resume and photos, warning "This is just our beginning." This incident highlights the growing threat posed by Iranian cyber actors, who are increasingly using sophisticated tactics to disrupt the operations of organizations around the world.

    The development of password spraying attacks as a tactic has significant implications for organizations that rely on Microsoft 365 accounts. It is essential for these organizations to take proactive measures to protect themselves against such threats, including implementing robust security protocols and conducting regular vulnerability assessments.

    In conclusion, the recent password-spraying attacks conducted by Iranian threat actors pose a significant threat to organizations that rely on Microsoft 365 accounts. The use of sophisticated tactics, including password spraying, highlights the growing sophistication of cyber threats and underscores the need for organizations to take proactive measures to protect themselves against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Iran-Targets-Microsoft-365-Accounts-with-Sophisticated-Password-Spraying-Attacks-ehn.shtml
  • https://go.theregister.com/feed/www.theregister.com/2026/03/31/iran_password_spraying_m365/
  • https://www.theregister.com/2026/03/31/iran_password_spraying_m365/
  • https://blog.checkpoint.com/research/iran-nexus-password-spray-campaign-targeting-cloud-environments-with-a-focus-on-the-middle-east/
  • https://www.fbi.gov/wanted/cyber/apt-41-group
  • https://attack.mitre.org/groups/G0096/


  • Published: Tue Mar 31 15:25:49 2026 by llama3.2 3B Q4_K_M












