A newly uncovered cyber campaign has raised alarms across the Middle East, as Iran-linked threat actors actively target Microsoft 365 tenants using password-spraying techniques. According to Check Point Research, the attackers are systematically attempting to breach cloud environments belonging to government bodies, energy firms, and private organizations.
Notably, Israel and the United Arab Emirates (UAE) have emerged as the primary targets. In particular, Israel’s municipal sector has experienced a surge in attack attempts, likely influenced by ongoing regional tensions. As a result, organizations operating in these regions face heightened cybersecurity risks.
How the Attack Unfolds
The campaign follows a well-defined three-stage attack cycle. Initially, during the reconnaissance phase, attackers conduct large-scale password-spraying attempts across hundreds of organizations. Instead of targeting a single account repeatedly, they try common passwords across multiple accounts, increasing their chances of success while avoiding detection.
To further evade security systems, attackers route their traffic through Tor exit nodes. This approach allows them to mask their origin and continuously rotate IP addresses. In addition, they disguise their activity by mimicking an outdated browser—specifically Internet Explorer 10—making their login attempts appear less suspicious.
Once the attackers successfully identify valid login credentials, they transition into the infiltration phase. At this stage, they bypass geographic restrictions such as geo-fencing by leveraging commercial VPN services like Windscribe and NordVPN. By selecting VPN servers located within Israel, they create the illusion that login attempts originate from legitimate local users.
Finally, during the exfiltration phase, attackers gain full access to compromised Microsoft 365 accounts. Consequently, they can read confidential emails, extract sensitive corporate data, and monitor internal communications without triggering immediate detection. This silent access significantly increases the risk of long-term espionage and data theft.
Attribution and Threat Insights
Check Point Research has attributed this campaign to Iranian actors with moderate confidence. The chosen targets align closely with Iran’s strategic interests, particularly in sectors such as government, aviation, energy, and maritime infrastructure.
Furthermore, researchers noted similarities between this campaign and the tactics used by Gray Sandstorm, a known Iranian cyber-espionage group. The consistent use of Tor networks, red-team tools, and specific VPN nodes strengthens this connection.
Recommended Security Measures
To counter these attacks, organizations must adopt a proactive security approach. First, they should continuously monitor sign-in logs to detect unusual login patterns, such as repeated failed attempts across multiple accounts.
Additionally, implementing conditional access policies can help block high-risk networks, including Tor exit nodes and unauthorized geographic locations. Enforcing multi-factor authentication (MFA) across all accounts—especially administrative ones—is equally critical.
Moreover, enabling detailed audit logs ensures that security teams can investigate suspicious activities effectively. By improving credential hygiene and strengthening monitoring practices, organizations can significantly reduce their exposure to password-spraying attacks.
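The sign-in monitoring described above can be expressed as a small detection routine. The following is an added example written for this article, not code from Check Point Research or from Microsoft; it runs over a handful of constructed sign-in records whose field names (`time`, `user`, `ip`, `ok`, `ua`) are a simplified, assumed layout rather than the real Entra ID sign-in log schema. It looks for the spraying signature the campaign relies on (many distinct accounts failing a few times each inside one time window, from several source addresses, with an Internet Explorer 10 user-agent) and then lists sprayed accounts that subsequently signed in successfully, which is the shortlist an analyst would want for forced password resets and session revocation.

```python
"""Password-spraying detector over constructed sign-in records.

Added example for this article (not the report's own code). Field names are
an assumption that loosely mirrors Entra ID sign-in logs; sample data below
is constructed and contains no real addresses or accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Constructed sample sign-ins: one spray burst across six accounts from four
# rotating addresses, one ordinary lockout pattern (single user, repeated
# failures), and one later success for a sprayed account from a new address.
SAMPLE_SIGNINS = [
    {"time": "2025-03-01T02:00:10", "user": "alice@example.test", "ip": "198.51.100.7",   "ok": False, "ua": IE10_UA},
    {"time": "2025-03-01T02:00:42", "user": "bob@example.test",   "ip": "198.51.100.7",   "ok": False, "ua": IE10_UA},
    {"time": "2025-03-01T02:01:15", "user": "carol@example.test", "ip": "203.0.113.21",   "ok": False, "ua": IE10_UA},
    {"time": "2025-03-01T02:02:03", "user": "dave@example.test",  "ip": "203.0.113.21",   "ok": False, "ua": IE10_UA},
    {"time": "2025-03-01T02:03:30", "user": "erin@example.test",  "ip": "192.0.2.88",     "ok": False, "ua": IE10_UA},
    {"time": "2025-03-01T02:04:12", "user": "frank@example.test", "ip": "192.0.2.150",    "ok": False, "ua": IE10_UA},
    {"time": "2025-03-01T03:15:00", "user": "dave@example.test",  "ip": "203.0.113.99",   "ok": True,  "ua": MODERN_UA},
    {"time": "2025-03-01T09:10:00", "user": "grace@example.test", "ip": "198.51.100.200", "ok": False, "ua": MODERN_UA},
    {"time": "2025-03-01T09:12:00", "user": "grace@example.test", "ip": "198.51.100.200", "ok": False, "ua": MODERN_UA},
    {"time": "2025-03-01T09:14:00", "user": "grace@example.test", "ip": "198.51.100.200", "ok": False, "ua": MODERN_UA},
    {"time": "2025-03-01T09:16:00", "user": "grace@example.test", "ip": "198.51.100.200", "ok": False, "ua": MODERN_UA},
]

# Tokens that identify the Internet Explorer 10 user-agent string.
LEGACY_UA_MARKERS = ("MSIE 10.0", "Trident/6.0")


def is_legacy_agent(ua: str) -> bool:
    """True when the user-agent claims to be Internet Explorer 10."""
    return any(marker in ua for marker in LEGACY_UA_MARKERS)


def _bucket(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def detect_spray(records, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag windows where many accounts fail a few times each.

    A lockout pattern (one user, many failures) is deliberately ignored;
    the spraying signature is breadth across accounts, not depth per account.
    """
    failures = defaultdict(list)
    for rec in records:
        if not rec["ok"]:
            failures[_bucket(datetime.fromisoformat(rec["time"]), window)].append(rec)

    findings = []
    for start, recs in sorted(failures.items()):
        per_user = defaultdict(int)
        for rec in recs:
            per_user[rec["user"]] += 1
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings.append({
                "window_start": start.isoformat(),
                "accounts": sorted(per_user),
                "source_ips": sorted({rec["ip"] for rec in recs}),
                "legacy_agent_share": round(
                    sum(is_legacy_agent(rec["ua"]) for rec in recs) / len(recs), 2),
            })
    return findings


def successes_after_spray(records, findings, lookahead=timedelta(hours=2)):
    """Sprayed accounts that signed in successfully within `lookahead` of the
    window start: candidates for password reset and token revocation."""
    hits = []
    for finding in findings:
        start = datetime.fromisoformat(finding["window_start"])
        sprayed = set(finding["accounts"])
        for rec in records:
            ts = datetime.fromisoformat(rec["time"])
            if rec["ok"] and rec["user"] in sprayed and start <= ts <= start + lookahead:
                hits.append((rec["user"], rec["ip"], rec["time"]))
    return sorted(hits)


if __name__ == "__main__":
    found = detect_spray(SAMPLE_SIGNINS)
    for f in found:
        print("spray window", f["window_start"], "accounts:", len(f["accounts"]),
              "ips:", f["source_ips"], "IE10 share:", f["legacy_agent_share"])
    print("review these successes:", successes_after_spray(SAMPLE_SIGNINS, found))
```

The thresholds (`min_accounts`, `max_per_account`, the 30-minute window) are starting points to tune against a tenant's baseline; the `legacy_agent_share` field is there so a high proportion of outdated user-agents can raise the severity of a finding rather than be a detection on its own, since legitimate legacy clients still exist in many environments.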