A sophisticated cyber campaign linked to Iranian threat actors has targeted hundreds of Microsoft 365 environments across the Middle East, leveraging a technique known as password spraying to infiltrate sensitive cloud infrastructures. The operation, which has primarily focused on Israel and the United Arab Emirates, underscores a growing trend of state-nexus actors utilizing cloud-native vulnerabilities to conduct espionage and data exfiltration during periods of heightened regional conflict.
According to research from Check Point, the Iran-linked password-spraying campaign targets 300+ Israeli Microsoft 365 organizations, as well as more than 25 organizations in the U.A.E. While the Middle East remains the primary theater of operations, the cybersecurity firm noted that the actor also targeted a limited number of entities in the United States, the United Kingdom, Europe and Saudi Arabia.
The campaign is characterized by its systematic approach, unfolding in three distinct waves on March 3, March 13, and March 23, 2026. These attacks specifically targeted cloud environments belonging to government entities, municipalities, and private-sector companies within the technology, transportation, and energy sectors.
The Mechanics of the Password-Spraying Attack
Unlike traditional brute-force attacks that attempt thousands of passwords against a single account, password spraying involves attempting a few common passwords against a vast number of usernames. This method is specifically designed to evade account lockout policies and rate-limiting defenses, making it a highly effective way to discover weak credentials across an entire organization at scale.
The current campaign follows a three-phase execution model. First, the actors conduct aggressive scanning and spraying from Tor exit nodes to mask their origin. Once a valid credential is found, the actors proceed to the login phase. The final stage involves the exfiltration of sensitive data, with a particular focus on harvesting mailbox content from Microsoft 365 accounts.
Check Point’s analysis of M365 logs indicates that the tactics align with those used by Gray Sandstorm (formerly known as DEV-0343), a known Iranian threat group. The actors utilized red-team tools and commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), a pattern consistent with other recent Iran-nexus operations in the region.

Defending Cloud Environments
As these attacks evolve, security experts emphasize that traditional perimeter defenses are insufficient for cloud-native threats. To mitigate the risk of password spraying, organizations are urged to implement the following security controls:
- Enforce Multi-Factor Authentication (MFA): MFA remains the most effective deterrent against credential-based attacks.
- Conditional Access Policies: Limiting authentication to approved geographic locations can block many automated sprays originating from foreign Tor nodes.
- Sign-in Log Monitoring: Regularly audit sign-in logs for unusual patterns of failed login attempts spread across many different accounts.
- Audit Log Activation: Ensure comprehensive logging is enabled so that post-compromise forensic investigations have the records they need.
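The sign-in pattern described above (a few attempts against many accounts, followed by a login once a credential works) can be picked out of sign-in logs with a simple grouping rule. The script below is an added illustration written for this article, not code from Check Point or from the report it summarizes; the record layout (timestamp, user, source IP, result), the sample events, and the thresholds (5 distinct accounts within 30 minutes, at most 2 failures per account) are all assumptions chosen for the example and would be tuned to a real tenant's baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not taken from any real tenant). The field
# layout is an assumption that loosely mirrors what an M365 sign-in log exposes:
# (timestamp, user principal name, source IP, result).
SAMPLE_EVENTS = [
    # one pass over several accounts from a single source, one try each: spray pattern
    ("2026-03-03T02:00:01Z", "alice@example.test", "198.51.100.7", "failure"),
    ("2026-03-03T02:01:14Z", "bob@example.test",   "198.51.100.7", "failure"),
    ("2026-03-03T02:02:30Z", "carol@example.test", "198.51.100.7", "failure"),
    ("2026-03-03T02:03:45Z", "dave@example.test",  "198.51.100.7", "failure"),
    ("2026-03-03T02:05:02Z", "erin@example.test",  "198.51.100.7", "failure"),
    ("2026-03-03T02:06:20Z", "frank@example.test", "198.51.100.7", "success"),
    # one user mistyping a password a few times, then succeeding: not a spray
    ("2026-03-03T08:10:00Z", "bob@example.test",   "203.0.113.5",  "failure"),
    ("2026-03-03T08:10:20Z", "bob@example.test",   "203.0.113.5",  "failure"),
    ("2026-03-03T08:10:41Z", "bob@example.test",   "203.0.113.5",  "failure"),
    ("2026-03-03T08:11:05Z", "bob@example.test",   "203.0.113.5",  "success"),
    # two accounts from one source: below the distinct-account threshold
    ("2026-03-03T09:00:00Z", "grace@example.test", "192.0.2.9",    "failure"),
    ("2026-03-03T09:00:30Z", "heidi@example.test", "192.0.2.9",    "failure"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_failures_per_user=2):
    """Flag source IPs whose failures touch many accounts with few tries each.

    Returns {ip: {"distinct_users", "max_failures_per_user", "successes_after_spray"}}.
    A classic brute force (many failures, one account) does not match because the
    per-account failure count exceeds max_failures_per_user; a spray does, because
    it deliberately stays under lockout thresholds on every single account.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((parse_ts(ts), user, result))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [(t, u) for t, u, r in rows if r == "failure"]
        best = None
        start = 0
        # Slide a time window over this IP's failures and keep the widest spray seen.
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = Counter(u for _, u in failures[start:end + 1])
            if len(users) >= min_users and max(users.values()) <= max_failures_per_user:
                if best is None or len(users) > len(best["users"]):
                    best = {"users": users,
                            "first": failures[start][0],
                            "last": failures[end][0]}
        if best is None:
            continue
        # A success from the same source shortly after the spray is the "login phase":
        # the account whose password was guessed.
        successes = sorted({u for t, u, r in rows
                            if r == "success" and best["first"] <= t <= best["last"] + window})
        findings[ip] = {
            "distinct_users": len(best["users"]),
            "max_failures_per_user": max(best["users"].values()),
            "successes_after_spray": successes,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(ip, info)
```

The rule keys on the shape of the activity rather than on any single account, which is why per-account lockout policies miss it: the spraying source in the sample touches five accounts once each and is flagged, while the user who mistypes a password three times is not. In a real deployment the source-IP field would be enriched with Tor exit node and VPN provider lists, and a success following a flagged spray would be the event to escalate first.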
The Broader Landscape: Pay2Key and State-Sponsored Sabotage
The password-spraying campaign is part of a wider surge in Iranian cyber activity. In late February 2026, a U.S. healthcare organization was targeted by Pay2Key, an Iranian ransomware-as-a-service (RaaS) operation with ties to the Fox Kitten group. This specific attack utilized an upgraded variant of the ransomware, featuring enhanced evasion and anti-forensics capabilities.
The Pay2Key intrusion began with the use of legitimate remote access tools, such as TeamViewer, to establish a foothold. Once inside, the actors harvested credentials for lateral movement and disabled Microsoft Defender Antivirus by spoofing the presence of a third-party security product. In a tactical shift, the group cleared system logs at the end of the execution process rather than the beginning, ensuring that the ransomware’s own activity was wiped from the record.
According to Halcyon, the group has also incentivized its affiliates by offering an 80% cut of ransom proceeds—up from 70%—for attacks specifically targeting enemies of the Iranian state.
| Threat Actor/Group | Primary Technique | Key Targets | Timeline |
|---|---|---|---|
| Gray Sandstorm | Password Spraying | Israel, U.A.E. M365 Orgs | March 2026 |
| Pay2Key | Ransomware (RaaS) | U.S. Healthcare | Feb 2026 |
| BQTlock | Ransomware | Israel, U.S., U.A.E. | Since July 2025 |
| Peach Sandstorm | Network Infiltration | Regional Infrastructure | Ongoing |
Blurring the Line Between Crime and Espionage
The emergence of BQTlock (Baqiyat 313 Locker) further complicates the threat landscape. Reports indicate that the administrator of the Sicarii ransomware, known as “Uke,” has urged pro-Iranian operators to migrate to BQTlock due to high demand. BQTlock operates with explicitly pro-Palestinian motives and has targeted infrastructure in the U.S., Israel, and the U.A.E. since July 2025.
This shift illustrates a growing convergence where state-sponsored sabotage is packaged as criminal extortion. By using ransomware, state actors can achieve destructive goals while maintaining a layer of plausible deniability, often framing the attacks as the work of independent cybercriminals.
The persistence of these campaigns suggests that Iranian actors are refining their ability to traverse diverse file systems and disable advanced security modules like SELinux and AppArmor to ensure their encryptors run faster and survive system restarts.
As these threat actors continue to iterate on their toolsets, the next critical checkpoint for defenders will be the release of updated indicators of compromise (IOCs) from regional cybersecurity agencies and the continued monitoring of M365 authentication patterns across the Middle East.
We invite our readers to share their experiences with cloud security challenges or comment on the evolving nature of state-sponsored cyber threats below.
