Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

An Iran-linked threat actor is conducting a sophisticated password-spraying campaign targeting over 300 Microsoft 365 organizations in Israel and the U.A.E. The attacks, occurring in three waves on March 3, 13, and 23, 2026, are assessed as ongoing and linked to escalating Middle East conflict. Check Point researchers identified the campaign's primary objective as credential compromise to gain unauthorized access to cloud environments. Organizations are advised to enforce strong, unique passwords, implement multi-factor authentication (MFA), monitor for suspicious login patterns, and enable conditional access policies to mitigate credential-based attacks. Security teams should review logs for brute force indicators and consider threat intelligence feeds to identify related activity.

An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily

An Iran-linked threat actor is conducting a sophisticated password-spraying campaign targeting over 300 Microsoft 365 organizations in Israel and the U.A.E. The attacks, occurring in three waves on March 3, 13, and 23, 2026, are assessed as ongoing and linked to escalating Middle East conflict. Check Point researchers identified the campaign's primary objective as credential compromise to gain unauthorized access to cloud environments. Organizations are advised to enforce strong, unique passwords, implement multi-factor authentication (MFA), monitor for suspicious login patterns, and enable conditional access policies to mitigate credential-based attacks. Security teams should review logs for brute force indicators and consider threat intelligence feeds to identify related activity. An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily