Password spraying in Microsoft 365: the campaign that exposes the vulnerability of the cloud to state actors


Amidst the escalation of the conflict in the Middle East, a cyber-attack campaign directed at Microsoft 365 environments has put organizations in the region on alert. According to the analysis published by the security firm Check Point, an actor with links to Iran reportedly executed three waves of targeted brute-force access attempts on 3, 13 and 23 March 2026, focusing mainly on Israel and the United Arab Emirates and affecting hundreds of local entities.

The technique used, known as password spraying, consists of testing the same common password against many different users of a given application. This tactic reduces the likelihood of triggering lockout mechanisms based on failed attempts and allows weak credentials to be discovered at scale. Check Point relates this approach to patterns that in the past have been attributed to Iranian groups such as Peach Sandstorm and Gray Sandstorm (also identified under other names by the industry), and notes that the attack developed in phases: an aggressive sweep from Tor exit nodes, authentication attempts and, in cases where access was achieved, extraction of sensitive information such as the contents of mailboxes.


The technical report of the Israeli company also describes the use of "red-team" tools and of commercial anonymization and VPN infrastructure, including nodes associated with AS35758, to hide the origin of the connections. Although the focus was Israel and the UAE, Check Point detected activity related to the same actor against targets in Europe, the United States, the United Kingdom and Saudi Arabia, and notes that the victims range from government agencies and municipalities to sectors such as technology, transport and energy.

This type of campaign shows two critical realities: on the one hand, the persistence and sophistication of actors operating from, or with links to, states; on the other, the inherent vulnerability of many cloud environments when basic defence-in-depth controls are not applied.

Recommendations for defending against password spraying attempts are well known and yet are still not applied uniformly. Monitoring sign-in logs to detect abnormal patterns, imposing conditional access controls that limit authentication to permitted locations, requiring multi-factor authentication (MFA) for all accounts and enabling audit logging to allow later investigation are basic but effective measures. Microsoft maintains practical guides on how to set up conditional access and MFA in Azure / Microsoft 365 environments that are useful for any administrator: Microsoft conditional access guide and MFA documentation.
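The sign-in monitoring mentioned above can be illustrated with a small detector over Microsoft 365 / Entra ID sign-in log entries. This is an added example, not code from the article or from Check Point's report; the log entries are constructed, the field names mimic the Entra ID sign-in log, and error code 50126 is the Entra ID code for an invalid username or password. The spray signature it looks for is one source IP failing against many distinct accounts with only a few attempts each, as opposed to one user repeatedly mistyping their own password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in error code for an invalid username or password; other
# failure codes (MFA required, locked out, ...) are deliberately ignored.
SPRAY_ERROR_CODES = {50126}


def _entry(time, user, ip, code):
    return {"createdDateTime": time, "userPrincipalName": user,
            "ipAddress": ip, "errorCode": code}


# Constructed sample log: one IP spends a single guess on each of seven
# accounts (the spray), while another IP is one user mistyping their own
# password five times (noise that a naive "failed logins per IP" rule flags).
SAMPLE_SIGNIN_LOGS = [
    _entry(f"2026-03-13T08:0{i}:00Z", f"{name}@example.test", "198.51.100.7", 50126)
    for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"])
] + [
    _entry(f"2026-03-13T08:1{i}:00Z", "dana@example.test", "203.0.113.5", 50126)
    for i in range(5)
]


def detect_password_spray(logs, window_minutes=60, min_distinct_users=5,
                          max_attempts_per_user=3):
    """Return {source_ip: sorted list of targeted users} for every IP that,
    within a sliding window, fails credential checks for many distinct users
    with only a few attempts each (low-and-slow, many accounts)."""
    by_ip = defaultdict(list)
    for e in logs:
        if e["errorCode"] in SPRAY_ERROR_CODES:
            t = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_ip[e["ipAddress"]].append((t, e["userPrincipalName"].lower()))

    window = timedelta(minutes=window_minutes)
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            attempts = defaultdict(int)
            for t, user in events[i:]:
                if t - start > window:
                    break
                attempts[user] += 1
            if (len(attempts) >= min_distinct_users
                    and max(attempts.values()) <= max_attempts_per_user):
                hits[ip] = sorted(attempts)
                break
    return hits
```

In production the thresholds would be tuned per tenant, and the same logic can be grouped by ASN or by Tor exit node list instead of by single IP, since the campaign described rotated through anonymization infrastructure.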

The regional context amplifies the risk: these are not isolated incidents, but a dynamic in which cyberspace has become one more arena of geopolitical confrontation. In parallel with access and exfiltration campaigns, there has been an increase in ransomware operations and other sabotage activities that mix political motivation and profit, blurring the border between organized crime and operations with state support or tolerance.

A recent and relevant example is the attack on a healthcare organization in the United States in late February 2026, attributed to the Pay2Key group, a ransomware operation that, according to independent and insurance-sector investigations, shows links with Iranian operators. In that incident, the attackers reportedly used an access route that has not been publicly determined, taking advantage of legitimate remote access tools to establish presence, collect credentials, disable defenses and deploy the encryptor. Reports from firms such as Halcyon and Beazley provide details on how these actors have evolved their techniques: from faking the status of antivirus solutions to clearing logs at the end of execution to erase traces of their own actions. More general information on the emergence and tactics of ransomware groups can be found in Halcyon's publications and in industry analysis: Halcyon - threat analysis and Beazley - resources on cyber incidents.

In addition, ransomware variants adapted to Linux environments have been observed that further complicate the response: they are designed to run with root privileges, traverse large portions of the file system and use modern ciphers such as ChaCha20, as well as disable security mechanisms and ensure persistence after reboot. Recent technical research on samples and behaviour of these variants has been published by security companies such as Morphisec, which document techniques for weakening defenses and establishing persistence: Morphisec - technical blog.

In the ransomware ecosystem, movements between operators and affiliates have also been reported: administrators of ransomware families have encouraged certain groups to adopt other encryptors or to take up politically or ideologically motivated families, driving a circulation of tools and tactics in the cybercrime underworld that eventually impacts civilian and business targets. This phenomenon reinforces the thesis that many contemporary campaigns combine geopolitical objectives with criminal business models, and that targets in the region, from critical infrastructure to service providers, are particularly attractive.


What can an organization do today? Beyond applying MFA and conditional access controls, it is key to maintain account hygiene: restrict privileged accounts, rotate credentials and eliminate default passwords, deploy detection on endpoints and mail environments, and rehearse response and recovery plans that include resilient backups and tested restoration procedures. Visibility is critical: recording and analysing authentication and cloud activity telemetry makes it possible to detect sweep patterns and lateral movement before an intrusion results in mass exfiltration or encryption.

Finally, it should be recalled that cyber defence is not only a technical issue but also an organizational and political one. Collaboration between sectors, the exchange of intelligence between companies and with national agencies, and the continued adoption of good practices by suppliers and customers are necessary elements to reduce the impact of these campaigns. For those who manage Microsoft 365 environments, the guides and tools published by the vendor and by the incident response community are a good starting point: Monitoring and identity reports in Azure AD.

The threat landscape changes quickly and often without large public announcements: attacks that start with a simple password attempt can become breaches with severe economic and operational consequences. The best defense is to anticipate with well-configured basic controls, continuous visibility and tuned response procedures. To keep up with these threats and technical recommendations, it is advisable to follow the publications of specialized firms and the incident response centres that document and analyse these events in real time.
