What happened
An Iran-linked password-spraying campaign targeted Microsoft 365 environments in Israel and the United Arab Emirates through three attack waves on March 3, March 13, and March 23, 2026. The activity affected more than 300 organizations in Israel and more than 25 in the U.A.E., with additional limited targeting observed in Europe, the United States, the United Kingdom, and Saudi Arabia. The campaign focused on cloud environments used by government entities, municipalities, and organizations in the technology, transportation, and energy sectors, as well as private companies. The operation followed a three-step pattern: aggressive scanning or password spraying through Tor exit nodes, login activity, and exfiltration of sensitive data such as mailbox content. The activity was assessed as ongoing.
Who is affected
The direct exposure affects organizations using Microsoft 365 in Israel and the U.A.E., particularly government bodies, municipalities, and entities in technology, transportation, energy, and the private sector. The campaign also reached a smaller number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia.
Why CISOs should care
This matters because the campaign is targeting cloud identities at scale and is moving beyond simple credential guessing into mailbox access and data theft. It also shows continued pressure on Microsoft 365 environments in sensitive sectors and regions, with infrastructure and techniques that resemble earlier Iran-linked operations.
3 practical actions
- Monitor for password-spraying patterns: Review sign-in logs for repeated login attempts against many accounts from Tor exit nodes or other suspicious infrastructure.
- Limit authentication by geography: Apply conditional access controls to restrict sign-ins to approved locations where possible.
- Strengthen identity visibility and controls: Enforce MFA for all users and enable audit logging to support post-compromise investigation if mailbox access or data theft is suspected.
