IndustrialCyber

Check Point tracks Iranian password-spraying waves targeting government and energy sectors in Israel and UAE


Check Point Research has been tracking an ongoing password-spraying campaign against Microsoft 365 environments across the Middle East, primarily in Israel and the UAE, conducted by an Iran-linked threat actor. Amid the ongoing conflict in the region, the attackers have been targeting the cloud environments of government entities, municipalities, energy-sector organizations, and private-sector companies. Activity associated with the same actor was also observed against a limited number of targets in Europe, the U.S., the U.K., and Saudi Arabia.

In a post this week, Check Point mentioned that the campaign was carried out in three distinct attack waves on March 3, March 13, and March 23. The activity primarily targeted municipalities, which play a critical role in responding to missile-related physical damage. Also, the researchers observed some correlation between the targets of this campaign and cities that were targeted by missile attacks from Iran during March. This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts. 

“Unlike common brute-force attacks, password spraying targets multiple accounts with the same set of weak or commonly used passwords,” according to the post. “The technique is based on the assumption that at least one user will have weak credentials. In this campaign, the attackers used multiple source IP addresses to target numerous accounts, making detection based on atomic indicators such as IPs more difficult.”

It added that this technique is popular among advanced threat actors and has been used in the past by multiple advanced groups. Iran-nexus actors such as Peach Sandstorm and Gray Sandstorm are known to use this method for initial access and exfiltration.

The campaign targets multiple sectors, with Israel’s municipal sector appearing to be the primary focus, both in the number of organizations targeted and in the volume of password-spraying attempts per organization.

Detailing the attack cycle, Check Point said the scan phase involves intensive password-spraying against hundreds of organizations, primarily in Israel and the United Arab Emirates. The activity is routed through frequently changing Tor exit nodes to evade blocking and uses a User-Agent string that masquerades as Internet Explorer 10: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0).

The infiltration phase begins once valid credentials are identified, with attackers completing full login processes using VPN IP ranges associated with Windscribe (185.191.204.X) and NordVPN (169.150.227.X), geolocated in Israel to bypass geo-restrictions. In the exfiltration phase, attackers exploit the compromised credentials to access sensitive data, including personal email content.

When it comes to attribution, Check Point Research assesses with moderate confidence that the actor behind the M365 password-spray activity originates from Iran. “This assessment is based on the activity profile’s alignment with Iranian interests, including targeting of Israeli local government entities and organizations in the satellite, aviation, energy, and maritime sectors.” 

Analysis of M365 logs suggests similarities to Gray Sandstorm, including the use of red-team tools to conduct these attacks via Tor exit nodes. The threat actor used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), which aligns with recent activity tied to Iran-nexus operations in the Middle East.

The post advised organizations to strengthen detection, access control, and post-incident visibility to mitigate password spray attacks. It suggests monitoring sign-in logs to identify password spray anomalies, particularly patterns involving multiple authentication failures across numerous user accounts originating from a single source IP address.
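The detection the post recommends can be expressed as a small rule set over sign-in logs. The following is an added example, not Check Point's or Microsoft's code: it takes records shaped like the Microsoft Graph signIn resource (userPrincipalName, ipAddress, userAgent, status.errorCode, createdDateTime) and flags the single-source pattern the post describes, the multi-source variant the article attributes to this actor (many Tor exit nodes sharing one User-Agent), and the infiltration step (a later successful sign-in for a sprayed account). The User-Agent string and the two VPN ranges come from the article; treating the ranges as /24 networks, the thresholds, the window size, and all sample records are assumptions constructed for this example.

```python
"""Password-spray detection over M365 / Entra ID sign-in records.

Added example, not Check Point's code. Field names follow the Microsoft Graph
signIn resource; every record below is constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

INVALID_PASSWORD = 50126          # AADSTS50126: invalid username or password
SUCCESS = 0
WINDOW = timedelta(hours=1)       # assumption: one spray wave lands within an hour
MIN_USERS = 10                    # assumption: distinct accounts before alerting
MAX_PER_USER = 2                  # spray = many accounts, very few guesses each
MIN_ROTATING_IPS = 5              # assumption: distinct sources behind one User-Agent

# Indicators reported in the article; the /24 width is an assumption (article says .X).
SPRAY_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
VPN_RANGES = [ip_network("185.191.204.0/24"), ip_network("169.150.227.0/24")]


def parse(rec):
    """Normalise one Graph-style sign-in record into a flat event dict."""
    return {
        "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
        "user": rec["userPrincipalName"].lower(),
        "ip": rec["ipAddress"],
        "ua": rec["userAgent"],
        "code": rec["status"]["errorCode"],
    }


def spray_from_single_ip(failures):
    """Rule 1: inside WINDOW one IP fails against >= MIN_USERS accounts, <= MAX_PER_USER each."""
    alerts, sprayed = [], set()
    by_ip = defaultdict(list)
    for e in failures:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():            # evs are already time-ordered
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1                   # slide the window forward
            counts = defaultdict(int)
            for e in evs[start:end + 1]:
                counts[e["user"]] += 1
            if len(counts) >= MIN_USERS and max(counts.values()) <= MAX_PER_USER:
                alerts.append(("spray_single_ip", ip, len(counts)))
                sprayed.update(counts)       # adds the account names
                break                        # one alert per source is enough
    return alerts, sprayed


def spray_from_rotating_ips(failures):
    """Rule 2: the multi-source variant. Group by User-Agent instead of IP so that
    rotating Tor exits still form one cluster: many IPs, many accounts, few failures each."""
    alerts, sprayed = [], set()
    by_ua = defaultdict(list)
    for e in failures:
        by_ua[e["ua"]].append(e)
    for ua, evs in by_ua.items():
        ips = {e["ip"] for e in evs}
        counts = defaultdict(int)
        for e in evs:
            counts[e["user"]] += 1
        if (len(ips) >= MIN_ROTATING_IPS and len(counts) >= MIN_USERS
                and max(counts.values()) <= MAX_PER_USER):
            alerts.append(("spray_rotating_ips", ua, len(ips)))
            sprayed.update(counts)
    return alerts, sprayed


def detect(records):
    events = sorted((parse(r) for r in records), key=lambda e: e["time"])
    failures = [e for e in events if e["code"] == INVALID_PASSWORD]
    a1, s1 = spray_from_single_ip(failures)
    a2, s2 = spray_from_rotating_ips(failures)
    alerts, sprayed = a1 + a2, s1 | s2
    first_fail = {}
    for e in failures:
        first_fail.setdefault(e["user"], e["time"])
    # Rule 3: a success for a sprayed account after its first failure is the infiltration
    # step; note whether it came from one of the VPN ranges named in the report.
    for e in events:
        if e["code"] == SUCCESS and e["user"] in sprayed and e["time"] > first_fail[e["user"]]:
            in_vpn = any(ip_address(e["ip"]) in net for net in VPN_RANGES)
            alerts.append(("sprayed_account_signed_in", e["user"], e["ip"], in_vpn))
    # Rule 4: the reported User-Agent is an atomic indicator; low severity on its own.
    for ip in sorted({e["ip"] for e in events if e["ua"] == SPRAY_UA}):
        alerts.append(("known_spray_user_agent", ip))
    return alerts


GENERIC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/125.0"


def _rec(minute, user, ip, ua, code):
    """Constructed sign-in record in Graph signIn shape (sample data, not real logs)."""
    t = datetime(2025, 3, 13, 2, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return {"createdDateTime": t.isoformat().replace("+00:00", "Z"),
            "userPrincipalName": f"{user}@city.example", "ipAddress": ip,
            "userAgent": ua, "status": {"errorCode": code}}


SAMPLE = (
    # one IP, twelve accounts, one wrong password each (classic spray)
    [_rec(i, f"user{i:02d}", "203.0.113.7", GENERIC_UA, INVALID_PASSWORD) for i in range(12)]
    # a real user mistyping twice, then succeeding: must not alert
    + [_rec(5, "alice", "192.0.2.10", GENERIC_UA, INVALID_PASSWORD),
       _rec(6, "alice", "192.0.2.10", GENERIC_UA, INVALID_PASSWORD),
       _rec(7, "alice", "192.0.2.10", GENERIC_UA, SUCCESS)]
    # five rotating sources sharing the IE10 User-Agent, two accounts each
    + [_rec(20 + i, f"r{i:02d}", f"198.51.100.{i // 2 + 1}", SPRAY_UA, INVALID_PASSWORD)
       for i in range(10)]
    # a sprayed account later signs in successfully from a reported VPN range
    + [_rec(45, "r03", "185.191.204.17", GENERIC_UA, SUCCESS)]
)


def demo_alerts():
    return detect(SAMPLE)


if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

Rule 1 alone would miss this actor's scan phase, because each Tor exit contributes only a handful of failures; grouping on the User-Agent (or on the client application, or on the password hash where the IdP exposes it) is what turns the rotating sources back into one cluster. The alice records show the false-positive case the thresholds are meant to exclude: several failures for one account from one IP is a typo or a stale saved password, not a spray.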

The post also advised restricting access through geo-fencing and blocking Tor IP addresses, using conditional access policies to limit authentication to approved geographic locations while preventing access from high-risk anonymization networks, including Tor exit nodes.

It further emphasized enforcing multi-factor authentication across the tenant for all users, with stricter controls for privileged and administrative roles, alongside maintaining strong credential hygiene through regular password updates aligned with organizational policy and risk posture. Finally, the post advised enabling and retaining audit logs to support post-compromise investigations, allowing security teams to analyze activity following any suspected successful password spray attempt.

Cyber threat activity across North America is being reshaped by scale, speed, and automation, with Check Point warning that attacks are no longer episodic but persist at consistently high levels. Organizations are facing thousands of attacks weekly, reflecting a sustained pressure environment where elevated volumes have effectively become the baseline rather than the exception. This shift signals a transition from sporadic campaigns to continuous, industrialized cyber operations targeting high-value economic regions.

The report points to artificial intelligence as a central force multiplier, accelerating every stage of the attack lifecycle from reconnaissance to execution. Threat actors are increasingly leveraging automation and AI to scale operations, reduce time-to-compromise, and launch more coordinated, multi-channel campaigns. This evolution is also lowering barriers to entry, enabling less sophisticated actors to execute advanced attacks while making social engineering more convincing and harder to detect. 

Ransomware and data extortion continue to dominate the North American threat landscape, with the region accounting for a significant share of global incidents due to its concentration of high-value targets. At the same time, the ecosystem is fragmenting into smaller, specialized groups, often operating within ransomware-as-a-service models. These groups are increasingly combining credential theft, AI-enabled targeting, and identity-based attacks, reinforcing a broader shift toward ‘log in rather than break in’ tactics that exploit trusted access instead of traditional perimeter defenses. 

Last September, Check Point researchers noted a long-running campaign by the Iranian threat actor Nimbus Manticore, which overlaps with UNC1549, Smoke Sandstorm, and the ‘Iranian Dream Job’ operations. The campaign targets defense manufacturing, telecommunications, and aviation, aligned with IRGC strategic priorities, with recent activity showing a heightened focus on Western Europe, particularly Denmark, Sweden, and Portugal. Nimbus Manticore impersonates local and global aerospace, defense manufacturing, and telecommunications organizations.
