Iranian Threat Actor Launches Password-Spraying Attacks on Israel and UAE

Eng. Donya Bino Published  ·  4 min read
Updated on April 07, 2026

In March 2026, a threat actor aligned with Iran conducted password-spraying attacks against Microsoft 365 accounts in both Israel and the United Arab Emirates (UAE), in three separate waves on March 3, March 13, and March 23, 2026.

The majority of these attempts targeted businesses or public service organizations in Israel, with fewer than 25% aimed at businesses, governmental units, or municipalities in either the UAE or Israel. There were also some attempts against companies in the United Kingdom (UK) and Europe, and smaller efforts against companies in the United States (US) and Saudi Arabia.

To accomplish this, the threat actor used password-spraying tactics: trying only a small number of commonly used passwords against many user accounts, thereby reducing the likelihood that any single account would be locked out after too many failed attempts. This method has previously been used by other Iranian hacking groups, such as Peach Sandstorm and Gray Sandstorm (previously known as DEV-0343).

There are also numerous similarities between the operational methods used by this actor and previous Iranian attacks, for example the use of Tor exit nodes and of a VPN provider operating under Autonomous System Number AS35758, both of which have been associated with other recent Iran-linked attacks in the same region.

Attack Phases

The operation progressed in three clear stages:
1. Aggressive scanning and password spraying from Tor exit nodes.
2. Successful login attempts followed by further reconnaissance.
3. Data exfiltration by extracting content from the mailbox.

With moderate confidence, the researchers assess the activity as tied to Iran, citing overlaps in timing, targets, and infrastructure.

Proliferation of Parallel Ransomware

This disclosure coincided with renewed activity from the Iranian ransomware group, Pay2Key (associated with Fox Kitten/Lemon Sandstorm). In late February 2026, the group launched an upgraded variant with newer evasion techniques aimed at a U.S. healthcare institution.

Of note, this was the first known attack by the group that did not involve data exfiltration, a departure from its traditional double-extortion model. Instead, the attackers used legitimate remote access applications such as TeamViewer to gain entry into systems for credential harvesting, then disabled Microsoft Defender, deployed the ransomware, and covered their tracks by deleting logs at the end of execution.

Pay2Key continues to evolve and recently offered its affiliates an 80% cut of ransom payments when they target Iran's perceived adversaries. A Linux variant was also observed in active use, with strong anti-analysis features and the capability to survive system reboots.

Broader Context

Iranian cyber operations combine espionage, disruption, and financial motives, reflecting trends related to domestic issues and regional geopolitical conflicts surrounding continued operations in Iraq and Yemen. These conflicts shape cyber attacks in the region, as seen in the recent series of attacks targeting Israeli and UAE organizations through various means, such as password spraying routed through Tor exit nodes and the Pay2Key ransomware operations described above.

Consequently, these attack patterns are likely to become more frequent as Iranian-backed proxies step up activity tied to the conflict in the Middle East.

Recommendations for Organizations

1. Monitor for unusual Microsoft 365 login attempts originating from VPN providers or Tor exit nodes.
2. Implement conditional access enforcement policies that restrict access to certain geographic locations.
3. Implement multi-factor authentication (MFA) that cannot be easily phished for all users.
4. Enable full auditing capability and monitoring of users for post-compromise activity.
5. Review and test the organization's incident response plans for ransomware and credential-based attacks regularly.
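The low-and-slow pattern described in the attack method section and the login monitoring in recommendation 1, as an added example that is not from the original article or the source report: a small Python detector run over constructed Microsoft 365-style sign-in records, flagging a source IP that fails against many accounts while staying below a per-account lockout threshold, and noting any success that follows the spray. The log format, thresholds, account names and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry): one source IP tries a
# few passwords across many accounts, staying under lockout, then one succeeds.
SAMPLE_LOG = """\
2026-03-03T02:10:01Z,alice@example.com,198.51.100.7,failure
2026-03-03T02:10:05Z,bob@example.com,198.51.100.7,failure
2026-03-03T02:10:09Z,carol@example.com,198.51.100.7,failure
2026-03-03T02:10:14Z,dave@example.com,198.51.100.7,failure
2026-03-03T02:10:20Z,erin@example.com,198.51.100.7,failure
2026-03-03T02:11:02Z,alice@example.com,198.51.100.7,failure
2026-03-03T02:11:07Z,bob@example.com,198.51.100.7,failure
2026-03-03T02:11:30Z,erin@example.com,198.51.100.7,success
2026-03-03T02:12:00Z,frank@example.com,203.0.113.9,failure
2026-03-03T02:12:30Z,frank@example.com,203.0.113.9,success
"""

def parse_log(text):
    """Parse 'timestamp,user,source_ip,result' lines into tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, ip, result = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return rows

def detect_spray(rows, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {ip: summary} for source IPs whose failures within `window` hit at least
    `min_users` distinct accounts with at most `max_per_user` failures each."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(rows):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, events in by_ip.items():
        failures = [(ts, u) for ts, u, r in events if r == "failure"]
        for i, (start, _) in enumerate(failures):  # slide a window over failures
            per_user = defaultdict(int)
            for ts, u in failures[i:]:
                if ts - start > window:
                    break
                per_user[u] += 1
            # Many accounts, few failures each: per-account lockout never fires.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                first_success = next((u for ts, u, r in events
                                      if r == "success" and ts >= start), None)
                findings[ip] = {"distinct_users": len(per_user),
                                "max_failures_per_user": max(per_user.values()),
                                "success_after_spray": first_success}
                break
    return findings
```

The second IP, which fails once and then succeeds for a single user, is not flagged, which is the ordinary forgotten-password case a per-account threshold already handles.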

Organizations with relationships to the Middle East must view password-spraying and ransomware as ever-evolving threats in this current geopolitical setting, and require strong identity controls to help detect and deter these activities.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067