Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
Summary
An Iran-linked threat actor has been conducting a large-scale password-spraying campaign targeting over 300 Israeli Microsoft 365 organizations, with some activity also observed in the UAE. The campaign, which occurred in multiple waves in March 2026, aims to gain unauthorized access to accounts during a period of geopolitical conflict.
IFF Assessment
This campaign represents a direct attack on corporate credentials and infrastructure, increasing the risk of account compromise and subsequent breaches for targeted organizations.
Defender Context
Defenders should be aware of the increased risk of password-spraying attacks, especially those targeting cloud-based productivity suites like Microsoft 365. Implementing robust multi-factor authentication (MFA) and monitoring for anomalous login patterns, such as repeated failed login attempts from multiple IPs or unusual times, are crucial defensive measures.