Iran-Linked Password-Spraying Hits Israeli Microsoft 365 Accounts
If you only read one thing: A suspected Iran-linked campaign used password spraying against Microsoft 365 tenants in Israel and the UAE, raising the risk of account takeover.
As of April 7, 2026, the activity is reported as ongoing and tied to three March attack waves.
What happened
Three attack waves hit in March 2026. They landed on March 3, March 13, and March 23, according to Check Point Research and the report at The Hacker News.
The suspected actor has an Iran nexus. Targets included Microsoft 365 tenants in Israel and the UAE.
This was a password-spraying campaign, not malware delivery. That difference matters. The attacker tries a small set of common or reused passwords against many accounts, keeping each account's attempts below the lockout threshold so that one correct guess yields a login without tripping an alert.
Quiet attacks can still do damage.
Practical takeaway: if users reuse weak passwords, Microsoft 365 becomes easier to probe at scale. One exposed account can open the door to mailbox access, file theft, and internal phishing.
Why are Microsoft 365 tenants exposed? Because the platform is a high-value target, and password-based sign-ins still fail when credentials are predictable. Microsoft’s security guidance on identity protection and sign-in risk explains the controls defenders should check, including stronger authentication and account monitoring. See Microsoft Security guidance.
The scale is the warning sign. When one campaign reaches hundreds of organizations, the goal is usually account access, not a noisy intrusion.
Weak passwords are the real entry point.
- Password spraying: trying one or a few common passwords against many accounts. Because each account sees only a few attempts, it stays below the per-account lockout threshold that trips brute-force defenses.
- Microsoft 365 tenant: an organization’s cloud workspace. It includes email, files, and the identity controls tied to the organization's Microsoft accounts.
- Account takeover: unauthorized access to a valid account. Once inside, an attacker can blend in with normal traffic.
Last reviewed: April 7, 2026
Why it matters
A successful Microsoft 365 compromise is not just an inbox problem. It can expose email, shared documents, internal chat, and the sign-in tokens that keep sessions alive.
That last part matters. OAuth 2.0, defined in RFC 6749, lets apps access cloud resources with tokens rather than by presenting the password each time. If an attacker obtains a valid session cookie or token, they can act as the user without ever supplying the password again.
From there, the damage can spread. Mailboxes reveal contacts and resets. Documents can expose contracts, credentials, or internal plans.
Chat logs often show who approves what, which makes follow-on fraud much easier.
Password spraying also slips past noisy brute-force defenses. Instead of hammering one account, it tries a few common passwords across many accounts. That pattern is quieter, and it can stay below lockout thresholds.
The regional context is direct. Check Point tied the campaign to Israeli and UAE Microsoft 365 tenants, with activity reported in multiple waves. No wider claim is needed to see the risk.
The bigger concern is lateral movement into other cloud services. Once one identity is trusted, attackers often test adjacent apps, shared drives, and single sign-on paths. That can turn one mailbox into a wider cloud breach.
Source: Check Point research.
What to watch next
Defenders should start with sign-in logs. Look for repeated low-rate failures across many accounts, then a sudden success from the same source.
That pattern fits a password-spraying campaign.
Impossible travel alerts matter too. A login from one region, then another within minutes, deserves a closer look. Legacy authentication is another weak point.
Disable older protocols where possible. Basic-auth protocols such as IMAP, POP3 and SMTP AUTH cannot complete an MFA challenge, so a correct password alone is enough to sign in over them.
| Signal | What it can mean |
|---|---|
| Repeated low-rate failures | Spraying across many users |
| Impossible travel | Account reuse or proxying |
| Legacy auth use | Bypass of MFA controls |
| Tenant-wide password resets | Containment after compromise |
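The first three signals in the table, checked over a handful of constructed sign-in events, as an added example that is not part of the original article and is not Check Point's or Microsoft's tooling. The record layout is a simplified approximation of Entra ID sign-in log fields; the error code 50126 for a wrong password, the legacy clientAppUsed values, the 900 km/h travel threshold, the per-account and distinct-user thresholds, and every address, account and timestamp are assumptions made for the demonstration. A real deployment would read the tenant's sign-in log export instead of the inline sample.

```python
"""Triage of Microsoft 365 sign-in events for spraying, impossible travel and legacy auth.

Added example for this article, not code from Check Point or Microsoft.
The event schema is a constructed, simplified approximation of Entra ID
sign-in log fields (userPrincipalName, ipAddress, status.errorCode,
clientAppUsed, location.geoCoordinates); every sample event below is invented.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

SUCCESS = 0
INVALID_CREDENTIALS = 50126  # assumed: Entra ID "invalid username or password"
# assumed clientAppUsed values for basic-auth protocols that cannot complete MFA
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def ev(time, user, ip, code, app, geo):
    """Build one simplified sign-in record; geo is (latitude, longitude)."""
    return {"time": datetime.fromisoformat(time), "user": user, "ip": ip,
            "error_code": code, "client_app": app, "geo": geo}


TEL_AVIV, AMSTERDAM = (32.08, 34.78), (52.37, 4.89)

# Constructed sample: one source sprays twelve accounts once each, minutes apart,
# then logs in as u05 over IMAP; a second source brute-forces a single account.
SAMPLE_EVENTS = [
    ev(f"2026-03-13T02:{3 * i:02d}:00", f"u{i + 1:02d}@example.com", "203.0.113.7",
       INVALID_CREDENTIALS, "Browser", AMSTERDAM)
    for i in range(12)
] + [
    ev(f"2026-03-13T04:00:{i:02d}", "carol@example.com", "192.0.2.9",
       INVALID_CREDENTIALS, "Browser", AMSTERDAM)
    for i in range(20)
] + [
    ev("2026-03-13T09:00:00", "u05@example.com", "198.51.100.20", SUCCESS, "Browser", TEL_AVIV),
    ev("2026-03-13T09:30:00", "u05@example.com", "203.0.113.7", SUCCESS, "IMAP4", AMSTERDAM),
    ev("2026-03-13T09:05:00", "bob@example.com", "198.51.100.21", SUCCESS, "Browser", TEL_AVIV),
]


def detect_spray(events, min_users=8, max_failures_per_user=2):
    """One source IP fails against many distinct accounts, each only a few times
    (below a typical lockout threshold), and later succeeds on at least one."""
    per_ip = defaultdict(lambda: {"failures": defaultdict(int), "first_failure": None, "successes": []})
    for e in sorted(events, key=lambda e: e["time"]):
        b = per_ip[e["ip"]]
        if e["error_code"] == INVALID_CREDENTIALS:
            b["failures"][e["user"]] += 1
            b["first_failure"] = b["first_failure"] or e["time"]
        elif e["error_code"] == SUCCESS and b["first_failure"] is not None:
            b["successes"].append(e["user"])  # success only counts after spraying began
    hits = []
    for ip, b in per_ip.items():
        # Accounts hit a handful of times; a single account hammered 20 times is brute force, not spray.
        sprayed = [u for u, n in b["failures"].items() if n <= max_failures_per_user]
        if len(sprayed) >= min_users and b["successes"]:
            hits.append({"ip": ip, "users_sprayed": len(sprayed), "successes": sorted(set(b["successes"]))})
    return hits


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900):
    """Consecutive successful sign-ins for one user whose implied speed exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["error_code"] == SUCCESS:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                hits.append({"user": user, "km": round(km), "minutes": round(hours * 60),
                             "from": prev["ip"], "to": cur["ip"]})
    return hits


def detect_legacy_auth(events):
    """Successful sign-ins over protocols that bypass an MFA challenge."""
    return [e for e in events if e["error_code"] == SUCCESS and e["client_app"] in LEGACY_CLIENT_APPS]


if __name__ == "__main__":
    for h in detect_spray(SAMPLE_EVENTS):
        print("spray:", h)
    for h in detect_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", h)
    for e in detect_legacy_auth(SAMPLE_EVENTS):
        print("legacy auth success:", e["user"], e["ip"], e["client_app"])
```

On the sample, the spraying source is reported once with twelve accounts touched and one later success, the brute-force source against a single account is not reported as a spray, the attacker's IMAP login shows up as both an impossible-travel hit for u05 (Tel Aviv to Amsterdam in 30 minutes) and a legacy-auth success. The thresholds are deliberately conservative; tune min_users and max_failures_per_user to the tenant's lockout policy and normal failure rate before alerting on them.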
Also check for MFA fatigue, especially if users report repeated prompts. Review conditional access rules. Are they enforcing device, location, and risk checks the way you expect? If not, tighten them.
Review admin consent grants, too. A sprayed account can become a foothold if an attacker later approves a malicious app. Cloud access often outlives the original password issue.
So far, the activity has been tied to Israel and the UAE. There is no public basis here to claim broader expansion.
Readers often ask
Readers often ask: what is a password-spraying campaign?
A password-spraying campaign is a low-and-slow login attack. The attacker tries a few common passwords across many accounts instead of hammering one account with guesses.
That approach helps avoid lockouts. It also works well against reused or weak passwords.
Readers often ask: how does password spraying affect Microsoft 365 accounts?
Microsoft 365 accounts can expose email, files, calendars, and shared workspaces after one successful login. That gives an attacker a lot of reach from a single password.
Valid access can also help them move into other cloud services tied to the same identity. That is why sign-in monitoring matters so much.
Readers often ask: what should IT verify first after this campaign?
Start with sign-in logs. Look for repeated low-rate failures, unfamiliar locations, and legacy authentication use.
Then review MFA coverage, conditional access rules, and recent password reset events. If you see one weak point, assume there may be more.
Readers often ask: why does this password-spraying campaign matter for network security?
It targets identity, not the firewall. That makes it harder to spot with older perimeter controls.
Attackers like this method because it scales quietly. One weak password can become a foothold in the whole environment.
Readers often ask: is password spraying still a risk on public Wi‑Fi?
Yes, but public Wi‑Fi is not the main issue here. The real risk is weak or reused credentials being tested against cloud sign-in pages from anywhere.
Public networks can add exposure if users ignore MFA prompts or fall for fake login pages. Use of HTTPS does not fix a bad password.
Readers often ask: how is Iran-linked threat activity connected to this campaign?
Threat reports can link password-spraying activity to specific operators based on infrastructure, timing, and victim selection. That attribution can change as investigators collect more evidence.
For defenders, the practical point is simpler. Treat the activity as a credential attack and verify identity controls, regardless of the label.
Readers often ask: how are Israeli organizations related to this password-spraying campaign?
Check Point's report identifies Israeli organizations as part of the target set. That means the campaign focused on accounts with access to email, documents, and internal collaboration tools.
Organizations in any region should still check for the same signs. Attackers usually reuse the same method across many sectors.