A large-scale password spraying campaign against Microsoft 365 (M365) tenants has been observed amid escalating tensions in the Middle East. According to Check Point, the activity is linked to Iranian cyber operators and primarily targets organizations in Israel and the United Arab Emirates (UAE), with additional victims reported in Europe, the United States, the United Kingdom and Saudi Arabia.
Scope of the Microsoft 365 Password Spraying Campaign
Researchers report that the campaign is ongoing and progressing in distinct waves, with notable peaks on 3, 13 and 23 March 2026. More than 300 organizations in Israel and over 25 organizations in the UAE have been targeted so far.
The attacks span a wide range of sectors, including government agencies, municipalities, transportation, energy and technology companies, as well as private businesses. The primary objective is access to cloud-based Microsoft 365 services such as Exchange Online mailboxes, OneDrive storage and associated collaboration tools.
Compromising these accounts enables attackers to steal sensitive emails and documents, pivot further into the corporate environment and potentially stage follow-on operations such as espionage, data extortion or destructive attacks.
What Is Password Spraying and Why It Threatens Microsoft 365
Password spraying is a form of credential guessing where attackers test one or a few very common passwords against a large number of usernames. Unlike classic brute-force attacks that hammer a single account with many different passwords, password spraying distributes attempts across many accounts to avoid detection and lockouts.
This low-and-slow approach helps bypass rate limits and account lock policies, making it particularly effective against cloud services like Microsoft 365, where organizations often expose authentication endpoints on the public internet. Weak or reused passwords significantly increase the success rate of such campaigns.
Links to Peach Sandstorm and Gray Sandstorm TTPs
Check Point notes that the techniques and infrastructure used in this campaign closely resemble those of known Iranian threat groups Peach Sandstorm and Gray Sandstorm (formerly DEV-0343), both historically focused on government and critical infrastructure targets.
Analysis of Microsoft 365 sign-in logs highlighted tactics consistent with Gray Sandstorm, including the use of red-team tooling routed through the Tor anonymity network. The observed infrastructure combines Tor exit nodes with commercial VPN services, including nodes hosted in autonomous system AS35758 (Rachamim Aviel Twito), aligning with previously reported Iran-aligned operations in the region.
Three-Phase Attack Chain Against Microsoft 365 Tenants
Researchers describe a three-phase attack pattern in the Microsoft 365 password spraying campaign.
In the first phase, attackers perform aggressive scanning and password spraying from Tor and VPN IP addresses against extensive lists of corporate usernames. The goal is to identify any accounts that still rely on weak, guessable passwords.
In the second phase, once valid credentials are obtained, attackers establish persistent access, logging into mailboxes and other M365 services. They may create additional mail rules, register new devices, or integrate third-party apps to maintain footholds.
The third phase focuses on data exfiltration. Adversaries systematically download mailbox contents, documents from OneDrive and SharePoint, and collect metadata that can later support targeted phishing, disinformation or blackmail campaigns.
Iranian Ransomware: Pay2Key Resurgence and BQTLock Adoption
In parallel with the Microsoft 365 activity, the Iran-linked ransomware ecosystem is evolving. In late February 2026, a major U.S. healthcare organization was hit by Pay2Key ransomware, a strain operated in a ransomware-as-a-service (RaaS) model and associated by researchers with the Fox Kitten group active since at least 2020.
According to Beazley Security and Halcyon, the attackers did not publish stolen data, diverging from the now-standard “double extortion” model. Instead, they prioritized rapid encryption and operational disruption.
The intrusion chain reportedly included an as-yet-undisclosed initial access vector, deployment of legitimate remote access tools (such as TeamViewer), credential theft for lateral movement, disabling Microsoft Defender Antivirus by simulating the presence of a third-party AV solution, sabotage of recovery mechanisms, ransomware deployment, ransom note creation and comprehensive log wiping to conceal traces.
Notably, event logs are cleared at the end of the attack, erasing evidence of both pre-encryption activity and the encryption process itself, which complicates forensic investigations.
After re-emerging in 2025–2026, Pay2Key reportedly adjusted its RaaS terms, offering affiliates up to 80% of ransom proceeds (previously 70%) for attacks against “enemies of Iran.” At the same time, researchers observed a new Linux variant of Pay2Key, described as configuration-driven malware requiring root privileges, scanning file systems and encrypting data using ChaCha20 while weakening defenses by stopping services, disabling SELinux and AppArmor, and persisting via cron jobs.
Halcyon also reports that the administrator of the Sicarii ransomware, known as Uke, has encouraged pro-Iran operators to migrate to Baqiyat 313 Locker (BQTLock). Active since July 2025 and claiming pro-Palestinian motives, BQTLock has targeted organizations in the UAE, the U.S. and Israel, reinforcing the trend of politically aligned ransomware operations.
Defensive Measures for Microsoft 365 and Ransomware Resilience
Organizations relying on Microsoft 365 and other cloud platforms should implement layered defenses to mitigate password spraying and ransomware threats.
First, continuous monitoring of sign-in logs is critical. Security teams should configure alerts for multiple failed logons across different accounts, especially from Tor, commercial VPNs and unusual geolocations. Centralized log aggregation and correlation significantly improve detection capacity.
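The sign-in alerting described here, and the spray pattern defined in the "What Is Password Spraying" section (few attempts per account, many accounts from one source), can be expressed as a small detector. The Python below is an added example, not code from Check Point or the original article: it runs over constructed sign-in events in a simplified Entra ID sign-in log layout, separates spraying from single-account brute force, and lists accounts that failed and then succeeded from the same source, which are the ones to reset first. The event layout, the anonymizer IP set, the one-hour window and the thresholds are my assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, loosely modelled on Entra ID sign-in log
# fields; these are not real records from the campaign.
# Tuple layout: (timestamp, userPrincipalName, ipAddress, errorCode)
# errorCode 50126 = "invalid username or password", 0 = successful sign-in.
SIGNIN_LOG = [
    # Spray: six accounts, one failure each, from one anonymizing IP ...
    ("2026-03-13T08:00:01Z", "alice@corp.example", "198.51.100.7", 50126),
    ("2026-03-13T08:00:05Z", "bob@corp.example",   "198.51.100.7", 50126),
    ("2026-03-13T08:00:09Z", "carol@corp.example", "198.51.100.7", 50126),
    ("2026-03-13T08:00:14Z", "dave@corp.example",  "198.51.100.7", 50126),
    ("2026-03-13T08:00:20Z", "erin@corp.example",  "198.51.100.7", 50126),
    ("2026-03-13T08:00:27Z", "frank@corp.example", "198.51.100.7", 50126),
    # ... then a success for one sprayed account: a guessable password.
    ("2026-03-13T08:01:02Z", "erin@corp.example",  "198.51.100.7", 0),
    # Classic brute force: one account hammered from one IP.
    ("2026-03-13T09:00:00Z", "alice@corp.example", "203.0.113.9", 50126),
    ("2026-03-13T09:00:01Z", "alice@corp.example", "203.0.113.9", 50126),
    ("2026-03-13T09:00:02Z", "alice@corp.example", "203.0.113.9", 50126),
    ("2026-03-13T09:00:03Z", "alice@corp.example", "203.0.113.9", 50126),
    ("2026-03-13T09:00:04Z", "alice@corp.example", "203.0.113.9", 50126),
    ("2026-03-13T09:00:05Z", "alice@corp.example", "203.0.113.9", 50126),
    # Benign: a user mistypes once from the office and then succeeds.
    ("2026-03-13T10:00:00Z", "bob@corp.example",   "192.0.2.10",   50126),
    ("2026-03-13T10:00:30Z", "bob@corp.example",   "192.0.2.10",   0),
]

# Constructed placeholder set of addresses tagged as Tor exit or commercial VPN
# egress; a real deployment would take this from a threat-intelligence feed.
ANONYMIZER_IPS = {"198.51.100.7", "203.0.113.9"}

WINDOW = timedelta(hours=1)   # assumed correlation window
MIN_DISTINCT_USERS = 5        # accounts failing from one IP within WINDOW
MAX_PER_USER = 3              # sprays keep per-account attempts under lockout limits


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events):
    """One finding per source IP whose failures fit the spray pattern."""
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    successes = defaultdict(set)  # ip -> {user, ...}
    for ts, user, ip, code in events:
        if code == 0:
            successes[ip].add(user)
        else:
            failures[ip].append((_parse(ts), user))

    findings = []
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Count failures per account inside the window opened by failure i.
            per_user = defaultdict(int)
            for t, user in fails[i:]:
                if t - start <= WINDOW:
                    per_user[user] += 1
            if (len(per_user) >= MIN_DISTINCT_USERS
                    and max(per_user.values()) <= MAX_PER_USER):
                findings.append({
                    "ip": ip,
                    "anonymizer": ip in ANONYMIZER_IPS,
                    "accounts_targeted": len(per_user),
                    # Sprayed accounts that also signed in successfully from
                    # this IP are the first to reset and investigate.
                    "possible_compromise": sorted(successes[ip] & set(per_user)),
                })
                break  # one alert per source IP is enough
    return findings


def detect_brute_force(events, threshold=5):
    """Single-account guessing: many failures for one user from one IP."""
    counts = defaultdict(int)
    for _, user, ip, code in events:
        if code != 0:
            counts[(ip, user)] += 1
    return [{"ip": ip, "user": user, "attempts": n}
            for (ip, user), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for f in detect_spray(SIGNIN_LOG) + detect_brute_force(SIGNIN_LOG):
        print(f)
```

The per-IP grouping is the weak point of any spray detector: operators rotate exit nodes, so in production the same logic should also be run with the source IP replaced by the ASN or by a coarse "anonymizer" bucket, and the per-user attempt ceiling kept low enough that a spray spread across many exits still stands out.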
Second, enforce Conditional Access policies to restrict sign-ins to known countries, corporate IP ranges or trusted VPN gateways. Mandatory multi-factor authentication (MFA) for all users remains one of the most effective countermeasures against credential-based attacks on Microsoft 365.
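As an added example that is not from the original article, the following Python places a weak Conditional Access policy beside a hardened one and audits each for the gaps that let a password-only sign-in through. The policy bodies follow the field names of the Microsoft Graph conditionalAccessPolicy resource as I know them; the group and account ids are placeholders, the threshold for excluded accounts is my assumption, and only the "require MFA everywhere" policy is checked, not the location-based restrictions the text also recommends.

```python
# Constructed policy bodies in the shape of the Graph conditionalAccessPolicy
# resource. Ids in angle brackets are placeholders, not real object ids.
WEAK_POLICY = {
    "displayName": "MFA for admins (report-only)",
    "state": "enabledForReportingButNotEnforced",   # never actually enforced
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": ["<admins-group-id>"],
                  "excludeUsers": []},
        "applications": {"includeApplications": ["Office365"]},
        "locations": None,
        # Legacy clients are not listed, so they are exempt from the policy.
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

HARDENED_POLICY = {
    "displayName": "Require MFA for all users, all apps, all client types",
    "state": "enabled",
    "conditions": {
        # One excluded break-glass account is normal practice.
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["<break-glass-account-id>"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

MAX_EXCLUDED_ACCOUNTS = 2   # assumed allowance for break-glass accounts


def audit_mfa_policy(policy):
    """Return the list of gaps that would let a password-only sign-in succeed."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))

    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))
    if users.get("includeUsers") != ["All"]:
        findings.append("does not include all users")
    if len(users.get("excludeUsers", [])) > MAX_EXCLUDED_ACCOUNTS:
        findings.append("more than %d excluded accounts" % MAX_EXCLUDED_ACCOUNTS)
    if apps.get("includeApplications") != ["All"]:
        findings.append("does not cover all cloud apps")
    if cond.get("clientAppTypes") != ["all"]:
        findings.append("some client app types (e.g. legacy auth) are exempt")
    loc = cond.get("locations")
    if loc and loc.get("includeLocations") != ["All"]:
        findings.append("applies only to selected locations")
    if not ({"mfa", "block"} & controls):
        findings.append("grant control requires neither MFA nor block")
    return findings


def tenant_has_mfa_baseline(policies):
    """True if at least one policy in the tenant passes every check."""
    return any(not audit_mfa_policy(p) for p in policies)


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(p["displayName"], "->", audit_mfa_policy(p) or "OK")
```

The same function can be pointed at the output of a GET on /identity/conditionalAccess/policies to list every policy that falls short; the point of the check is that a report-only or group-scoped policy provides no protection against a spray that hits ordinary user accounts.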
Third, ensure that auditing and mailbox logging are enabled and regularly exported to secure, tamper-resistant storage. In the event of an incident, this data is vital for reconstructing the attack path, identifying compromised accounts and closing exploited gaps.
To reduce ransomware impact, maintain regular offline backups, segment networks to limit lateral movement, restrict and monitor remote administration tools, and apply security updates promptly. Combining robust technical controls with user awareness training and proactive threat hunting significantly lowers the risk from both password spraying campaigns and increasingly sophisticated, politically motivated ransomware operations that blur the line between cybercrime and state-aligned sabotage.