Iran-Linked Password-Spraying Targets 300+ Israeli M365
🔒 Check Point reports an ongoing Iran-nexus password-spraying campaign against Microsoft 365 tenants, primarily impacting Israel and the U.A.E. in three waves on March 3, 13 and 23, 2026. The actor employed Tor exit nodes and commercial VPN infrastructure (AS35758) and used tools and techniques resembling Gray Sandstorm to scan, attempt logins, and exfiltrate mailbox content. Organizations are advised to enforce MFA, apply conditional access by geography, and monitor sign-in and audit logs for signs of compromise.
