Check Point Research identifies password-spraying attacks against 300+ organizations, primarily in Israel and UAE, potentially supporting Iran's missile strike operations.
Iranian-linked threat actors have launched a large-scale password-spraying campaign targeting Microsoft 365 accounts across hundreds of organizations, with security researchers suggesting the attacks may be designed to support bomb-damage assessment operations following recent missile strikes in the Middle East.
Campaign targets Middle Eastern municipalities and critical infrastructure
According to Tel Aviv-based Check Point Research, the attackers used multiple source IP addresses to conduct password-spraying attacks against more than 300 organizations in Israel and over 25 in the United Arab Emirates. The campaign unfolded in three distinct waves on March 3, March 13, and March 23, 2026.
While the majority of attacks focused on Israeli and Emirati targets, researchers also observed limited activity against organizations in the United States, Europe, and Saudi Arabia. The attack pattern closely resembles techniques historically associated with Iran-linked groups, particularly the Islamic Revolutionary Guard Corps' Peach Sandstorm and Gray Sandstorm operations.
Beyond municipal targets, the campaign extended to critical sectors including technology (63 attempts), transportation and logistics (32), healthcare (28), and manufacturing (28). This broad targeting pattern suggests a comprehensive intelligence-gathering effort rather than a narrowly focused attack.
Technical methodology and evasion techniques
The attackers used a handful of techniques to complicate blocking and attribution, none of them novel. The password-spraying phase tested a small set of weak passwords against hundreds of Microsoft 365 accounts, rotating through Tor exit nodes so that the failed sign-ins were spread across many source IP addresses rather than concentrated on one. The tooling identified itself as Internet Explorer 10 on Windows 7 with the following User-Agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0). That string is as much a detection opportunity as a disguise: neither the browser nor the operating system is supported any longer, so a Microsoft 365 sign-in carrying it in 2026 deserves a closer look on its own.
Once valid credentials were obtained, the attackers signed in from several VPN IP addresses in the Windscribe range (185.191.204.X) or the NordVPN range (169.150.227.X), choosing addresses geolocated to Israel so that geography-based sign-in restrictions (such as Conditional Access named-location policies) would not block them and the logins would blend into normal traffic patterns.
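The two phases described above leave a characteristic trail in sign-in logs: many accounts failing from one source with only a few attempts each, then a success for one of those accounts from an unrelated commercial VPN address. The following is an added example written for this article, not code from Check Point or from the campaign itself; it runs over a constructed sample log whose fields mirror Microsoft Entra sign-in records, treats the two VPN ranges as /24 networks (the article gives only the first three octets), and uses documentation addresses (198.51.100.7, 203.0.113.5) for the spray source and the legitimate user.

```python
"""Detect (1) a password spray: many distinct accounts failing from one source
inside a short window, and (2) a follow-on success for a sprayed account from a
commercial VPN range. Events are constructed for this example; the field names
mirror Microsoft Entra sign-in logs but nothing here comes from a real tenant."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# User-Agent reported in the campaign. The match below is on the Trident token
# rather than the full string, so any Internet Explorer sign-in is surfaced.
SPRAY_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"  # constructed

# Assumption: the ranges given as 185.191.204.X / 169.150.227.X are /24s.
VPN_RANGES = [ipaddress.ip_network("185.191.204.0/24"),
              ipaddress.ip_network("169.150.227.0/24")]


def in_vpn_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def _ts(minute):
    return datetime(2026, 3, 13, 2, 0) + timedelta(minutes=minute)


def _event(minute, ip, user, ua, result, error):
    return {"time": _ts(minute), "ip": ip, "user": user, "ua": ua,
            "result": result, "error": error}


# Constructed sample log: a spray against twelve accounts from one exit node,
# one legitimate user mistyping their own password twice (error 50126 is the
# Entra code for a bad username/password), one password the spray guessed, and
# the follow-on login for that account from an address in the Windscribe range.
SAMPLE_EVENTS = [_event(i, "198.51.100.7", f"user{i:02d}@example.com",
                        SPRAY_UA, "failure", 50126) for i in range(12)]
SAMPLE_EVENTS += [
    _event(5, "203.0.113.5", "user03@example.com", BROWSER_UA, "failure", 50126),
    _event(6, "203.0.113.5", "user03@example.com", BROWSER_UA, "failure", 50126),
    _event(12, "198.51.100.7", "user07@example.com", SPRAY_UA, "success", 0),
    _event(240, "185.191.204.77", "user07@example.com", BROWSER_UA, "success", 0),
]


def detect_spray(events, min_users=10, window_minutes=30):
    """Return {ip: distinct_users} for source IPs whose failed sign-ins touch at
    least min_users distinct accounts inside any window_minutes window. Many
    accounts with few attempts each is the spray signature; a brute force
    against a single account looks the opposite way and is not flagged here."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append((e["time"], e["user"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        counts, left, best = defaultdict(int), 0, 0
        for right, (_, user) in enumerate(attempts):  # sliding time window
            counts[user] += 1
            while attempts[right][0] - attempts[left][0] > window:
                old = attempts[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def targeted_users(events, flagged_ips):
    return {e["user"] for e in events if e["ip"] in flagged_ips}


def vpn_successes(events, sprayed_users):
    """Successful sign-ins from the VPN ranges for accounts the spray touched:
    the credential-use phase that follows a hit."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "success" and e["user"] in sprayed_users
            and in_vpn_range(e["ip"])]


def legacy_ua_events(events):
    return [e for e in events if "Trident/" in e["ua"]]


def run_report(events=SAMPLE_EVENTS):
    spray = detect_spray(events)
    targeted = targeted_users(events, set(spray))
    return {"spray_sources": spray,
            "targeted_accounts": len(targeted),
            "vpn_follow_on": vpn_successes(events, targeted),
            "legacy_ua_signins": len(legacy_ua_events(events))}


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

The threshold of ten accounts in thirty minutes is a starting point, not a tuned value; what matters is counting distinct accounts per source rather than failures per account, since the spray deliberately keeps the per-account count below lockout thresholds. Correlating the VPN-range success with the sprayed account set is what turns a noisy failure alert into evidence of a compromised credential.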
Correlation with missile strike operations raises concerns
The most concerning aspect of this campaign is the apparent correlation between targeted organizations and cities that experienced Iranian missile strikes. Check Point researchers noted that municipalities play a crucial role in responding to missile-related physical damage, and the overlap between attack targets and strike locations suggests a potential operational link.
"This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts," the researchers wrote in their analysis. BDA operations involve gathering intelligence on the effectiveness of military strikes, including damage assessment, casualty counts, and identification of remaining targets.
Infrastructure and attribution analysis
The attack infrastructure shows clear similarities to Gray Sandstorm operations, including the use of red-team tools executed via Tor exit nodes. The attackers also leveraged commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), infrastructure that has appeared in recent suspected Iran-linked cyber operations across the Middle East.
These technical indicators, combined with the targeting patterns and timing relative to regional military activities, provide strong circumstantial evidence linking the campaign to Iranian state-sponsored actors. The use of established attack frameworks and infrastructure suggests a well-resourced and experienced threat actor.
Broader context of Iranian cyber operations
This campaign represents part of a larger pattern of Iranian cyber activity in the region. Recent months have seen "hundreds" of Iranian hacking attempts targeting surveillance cameras following missile strikes, as well as destructive attacks against critical infrastructure.
In a related development, an Iran-linked group claimed responsibility for hacking FBI Director Kash Patel's personal email account, leaking his resume and photos with the warning "This is just our beginning." The Handala Hack group, known for ties to Iran's intelligence agency and the destructive Stryker cyberattack, demonstrated the capability and willingness to target high-profile Western officials.
The FBI and allied agencies briefly disrupted Handala Hack's websites, but the group quickly reestablished operations by spinning up new domains within days, highlighting the resilience and adaptability of these threat actors.
Implications for cybersecurity and international relations
This campaign underscores the evolving nature of cyber warfare, where digital operations increasingly support and complement kinetic military activities. The use of password spraying against Microsoft 365 accounts demonstrates how relatively simple techniques can be weaponized for strategic intelligence gathering when applied at scale.
For organizations in the Middle East and beyond, the attack highlights the importance of multi-factor authentication enforced on every sign-in, blocking legacy authentication protocols that cannot enforce MFA, banning the common passwords a spray tests first, and continuous monitoring of authentication logs for the many-accounts-few-attempts failure pattern that spraying produces. That password spraying still works against hundreds of organizations points to persistent gaps in basic cybersecurity hygiene.
The timing and targeting of these attacks also raise questions about the integration of cyber and conventional military operations, potentially signaling a new phase in Iran's approach to regional conflicts where cyber capabilities are used to enhance the effectiveness of missile strikes and other kinetic operations.

As tensions in the Middle East continue to escalate, organizations across all sectors must remain vigilant against increasingly sophisticated and strategically motivated cyber threats. The convergence of cyber operations with traditional military objectives represents a significant evolution in modern warfare, with potentially far-reaching consequences for international security and stability.