Password Spraying in Microsoft 365 Environments: Iran-Linked Cyber Operations Targeting Middle East

Summary:

An Iran-linked threat actor is actively conducting password-spraying campaigns against Microsoft 365 environments, impacting over 300 organizations in Israel and at least 25 in the UAE, with minimal activity observed in other regions. The attacks leverage anonymization infrastructure such as Tor and commercial VPN services to evade detection while exploiting weak or reused credentials to gain unauthorized access.

Once access is obtained, attackers are able to exfiltrate sensitive data and potentially enable further compromise. The activity aligns with known Iranian threat actor tradecraft and reflects a broader trend of state-aligned operations combining espionage and ransomware capabilities. This campaign highlights critical gaps in identity security and reinforces the need for strong authentication controls, conditional access enforcement, and continuous monitoring of authentication activity.

Technical Description:

The campaign follows a structured attack chain beginning with reconnaissance and password spraying conducted through Tor exit nodes and commercial VPN infrastructure. This allows attackers to test commonly used passwords across multiple Microsoft 365 accounts while avoiding detection thresholds such as account lockouts.

Upon successful authentication, access is gained through legitimate login mechanisms, enabling persistence while minimizing detection. Post-compromise activities include accessing email accounts, collecting sensitive information, and potentially leveraging red-team tools for further reconnaissance and lateral movement.

The use of anonymization infrastructure combined with credential-based access techniques demonstrates a stealth-focused approach that prioritizes scalability and evasion of traditional security controls. The details and technicalities of the attack campaign are discussed further below.

Delivery and Infection Chain:

The campaign is executed using a password-spraying technique targeting Microsoft 365 authentication endpoints. Unlike traditional attacks involving phishing or malware, this approach relies on exploiting weak credentials through legitimate login interfaces.

The use of anonymization services such as Tor and VPNs allows attackers to bypass geographic restrictions and reduce detection likelihood. The infection chain was identified as follows:

  • The threat actor performs reconnaissance to identify valid user accounts and exposed Microsoft 365 authentication endpoints
  • A password-spraying attack is conducted using common or previously leaked passwords across multiple accounts while avoiding account lockouts
  • Successful authentication provides access through legitimate login flows, establishing an initial foothold without triggering security alerts
  • The attacker accesses mailboxes, collects sensitive data, and harvests additional credentials to expand access
  • Persistence is maintained while enabling lateral movement and preparing for potential data exfiltration or ransomware deployment

Technical Capabilities:

The threat actor demonstrates strong capabilities in identity-based attack execution and stealth operations. Password spraying is used to systematically exploit weak or reused credentials at scale while avoiding detection mechanisms such as account lockouts or anomaly thresholds.

The use of anonymization infrastructure such as Tor and VPN services enhances operational stealth by masking the origin of login attempts and bypassing geographic controls. Once access is achieved, attackers rely on legitimate authentication workflows and living-off-the-land techniques to blend into normal user activity, reducing the effectiveness of traditional detection tools.

In post-compromise stages, the actor exhibits advanced operational maturity through the use of credential harvesting techniques, red-team tools, and defense evasion strategies. They are capable of accessing and exfiltrating sensitive data, particularly from email systems, while maintaining persistence within the environment. In some cases, ransomware capabilities may be introduced, including disabling security controls and executing encryption routines. Anti-forensic techniques such as log clearing further complicate detection and response efforts.

Attribution and Evolution:

The activity is attributed to Iranian threat actors, with tradecraft similarities observed with groups such as Peach Sandstorm and Gray Sandstorm. These groups have historically focused on credential-based attacks and are now increasingly integrating ransomware capabilities into their operations.

The re-emergence of ransomware operations such as Pay2Key, combined with improved evasion techniques and scalable attack methods, indicates a shift toward financially motivated operations that also align with geopolitical objectives.

Active Campaign and Geographic Spread:

The campaign has been observed in multiple waves during March 2026, primarily targeting organizations in Israel and the United Arab Emirates. Over 300 organizations in Israel and at least 25 in the UAE have been impacted.

Limited activity has been noted in regions such as Europe, the United States, the United Kingdom, and Saudi Arabia. The targeted sectors include government entities, municipalities, energy, transportation, and private enterprises, indicating a broad strategic focus across critical industries.

Conclusion:

This campaign highlights the growing effectiveness of identity-based attacks and the continued reliance of advanced threat actors on exploiting weak credentials. The combination of espionage and ransomware capabilities reflects an evolving threat landscape where attackers pursue both financial and geopolitical objectives.

Organizations must prioritize identity security, enforce strong authentication mechanisms, and enhance monitoring capabilities to defend against increasingly sophisticated and persistent credential-based attacks.

Impact:

Successful attacks can result in unauthorized access to sensitive cloud-based data, particularly email communications, enabling intelligence gathering and data exposure. Credential compromise and persistence increase the risk of lateral movement and privilege escalation within enterprise environments.

Even in the absence of immediate data exfiltration, attackers may deploy ransomware, leading to operational disruption, data encryption, financial loss, and reputational damage.

IOC and Context Details:

Topics                  Details
Tactic Name             Initial Access, Credential Access, Persistence, Defense Evasion, Collection
Technique Name          Password Spraying, Valid Accounts, Data from Cloud Storage, Modify Authentication Process
Sub-Technique Name      Password Spraying, Valid Accounts, Cloud Accounts, Email Collection, Indicator Removal on Host
Attack Type             Malware
Targeted Applications   Microsoft 365
Region Impacted         Israel and UAE
Industry Impacted       Government, Municipalities, Energy, Transportation, Technology, Private Sector Organizations
IOCs                    IP Addresses:
                        185.191.204.202
                        185.191.204.203
                        169.150.227.3
                        169.150.227.143
                        169.150.227.146
CVE                     NA
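The infection chain and Technical Capabilities sections above describe the defining signature of this activity: many accounts each tried a small number of times, so that per-account lockouts never fire, followed by a successful sign-in through the normal login flow. The following Python detector is an added example, not part of this advisory and not tooling from Microsoft or the reporting vendor. It reads Microsoft Entra ID sign-in log records, groups credential failures by source IP and time window, flags the low-per-account / many-accounts pattern, reports any successful sign-ins from a flagged IP as accounts to treat as compromised, and checks the source against the IOC addresses in the table above. The field names (userPrincipalName, ipAddress, createdDateTime, status.errorCode) follow the Entra ID sign-in log schema; the meaning of error code 50126 (invalid username or password) and 0 (success), the one-hour window, and the thresholds of eight distinct accounts and three attempts per account are assumptions, and the sample records are constructed.

```python
"""Flag password-spray behaviour in Microsoft Entra ID sign-in log records.

Added example for this advisory (not tooling from the page or from Microsoft).
Assumptions: Entra ID sign-in log field names (userPrincipalName, ipAddress,
createdDateTime, status.errorCode); errorCode 50126 = invalid username or
password, 0 = successful sign-in; the window and thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# IOC IP addresses listed in the advisory's IOC table.
IOC_IPS = {
    "185.191.204.202", "185.191.204.203",
    "169.150.227.3", "169.150.227.143", "169.150.227.146",
}

FAILED_CREDENTIALS = 50126   # assumed meaning: invalid username or password
SUCCESS = 0


def _parse(event):
    """Pull the fields the detector needs out of one sign-in record."""
    ts = datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))
    return ts, event["ipAddress"], event["userPrincipalName"].lower(), event["status"]["errorCode"]


def detect_spray(events, window=timedelta(hours=1), min_users=8, max_per_user=3):
    """Return one finding per (source IP, time window) that looks like a spray.

    A spray is many distinct accounts failing from one IP while no single
    account takes more than `max_per_user` failures: the attacker stays under
    the lockout threshold, which is why per-account lockout alerts stay quiet.
    Successful sign-ins from the same IP in that window are reported as
    accounts to treat as compromised.
    """
    failures = defaultdict(lambda: defaultdict(int))   # (ip, bucket) -> user -> failed attempts
    successes = defaultdict(set)                        # (ip, bucket) -> users that signed in
    for event in events:
        ts, ip, user, code = _parse(event)
        key = (ip, int(ts.timestamp() // window.total_seconds()))
        if code == SUCCESS:
            successes[key].add(user)
        elif code == FAILED_CREDENTIALS:
            failures[key][user] += 1

    findings = []
    for key, per_user in failures.items():
        ip, _bucket = key
        if len(per_user) < min_users or max(per_user.values()) > max_per_user:
            continue   # too few accounts, or a noisy brute force that lockouts already catch
        findings.append({
            "ip": ip,
            "targeted_accounts": len(per_user),
            "max_attempts_per_account": max(per_user.values()),
            "compromised_accounts": sorted(successes.get(key, ())),
            "known_ioc": ip in IOC_IPS,
        })
    return findings


def _event(ts, ip, user, code):
    """Build a minimal sign-in record in the assumed log shape."""
    return {"createdDateTime": ts.isoformat().replace("+00:00", "Z"), "ipAddress": ip,
            "userPrincipalName": user, "status": {"errorCode": code}}


# Constructed sample records (not real log data).
_T0 = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = []
# Spray: one attempt against each of twelve accounts from an IOC address, then one hit.
for i in range(12):
    SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=i), "185.191.204.202",
                                f"user{i:02d}@example.com", FAILED_CREDENTIALS))
SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=13), "185.191.204.202",
                            "user07@example.com", SUCCESS))
# Benign: one user mistypes a password three times, then gets in (single account, not a spray).
for i in range(3):
    SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=20 + i), "203.0.113.10",
                                "alice@example.com", FAILED_CREDENTIALS))
SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=24), "203.0.113.10",
                            "alice@example.com", SUCCESS))
# Low-volume failures against two accounts: below the distinct-account threshold.
SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=30), "198.51.100.7",
                            "bob@example.com", FAILED_CREDENTIALS))
SAMPLE_EVENTS.append(_event(_T0 + timedelta(minutes=31), "198.51.100.7",
                            "carol@example.com", FAILED_CREDENTIALS))

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

Running the script reports a single finding for 185.191.204.202: twelve accounts targeted, at most one attempt each, user07@example.com signed in successfully, and the source matches the IOC list. The benign mistyped-password sequence and the two-account noise produce nothing. In production the records would come from a sign-in log export (for example the Microsoft Graph auditLogs/signIns endpoint or a SIEM feed) rather than the constructed list, and a hit on "compromised_accounts" is the trigger for session revocation and a credential reset, independent of whether the IP is already a known IOC.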

Recommended Actions:

  • Enforce multi-factor authentication for all users, prioritizing privileged and remote access accounts.
  • Conduct continuous vulnerability scanning to identify exposed assets and misconfigurations in real time.
  • Restrict and monitor the use of remote monitoring and management tools, enforcing strong authentication and least-privilege access.
  • Deploy endpoint detection and response solutions capable of detecting abnormal PowerShell, PsExec, and Impacket activity.
  • Enforce multi-factor authentication across all administrative accounts and sensitive systems.
  • Monitor network traffic for anomalous data transfers, particularly to external or cloud-based destinations.
  • Maintain secure, offline backups of critical data and regularly test recovery procedures.
  • Provide ongoing cybersecurity awareness training focused on phishing, social engineering, and suspicious activity detection.

Reference:

https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/