Skip to main content
Emerging ThreatsMalware & Ransomware

Iranian Hackers Launch Sustained Password-Spraying Attack on Israeli Microsoft 365 Users

Iranian Hackers Launch Sustained Password-Spraying Attack on Israeli Microsoft 365 Users

Who is knocking at the doors of hundreds of cloud inboxes in the midst of a regional conflict — and what happens if they get in? That is the urgent question raised by a recently reported campaign of password-spraying attacks that security researchers say targeted Microsoft 365 tenants across Israel and the U.A.E.

What the reporting found

Researchers attribute the campaign to an “Iran-nexus” threat actor and describe the activity as ongoing. According to reporting by The Hacker News, the campaign targeted more than 300 Israeli Microsoft 365 organizations. Check Point, the security vendor cited in the reporting, says the activity unfolded in three distinct waves on March 3, March 13, and March 23, 2026.

Context and contours of the attacks

The available reporting identifies the adversary only as having an Iran nexus and specifies the technique used as password spraying against Microsoft 365 environments in Israel and the U.A.E., timed amid ongoing conflict in the Middle East. Check Point assessed the activity as continuing at the time of the report. Beyond those core details, the published account focuses on the timing, geographic scope, and repeated-wave pattern described by the vendor.

Why this matters to different audiences

  • Technologists: Repeated, distributed waves of login-focused activity — occurring across multiple dates and affecting hundreds of organizations per the reporting — imply a need for close monitoring of authentication logs and investigation of anomalous sign-in patterns, according to Check Point’s assessment cited in the report.
  • Policymakers and leaders: The campaign’s timing “amid ongoing conflict in the Middle East,” as noted in the reporting, highlights how geopolitical tensions can coincide with cyber activity that crosses borders and targets critical cloud platforms.
  • Users and organizations: The scope described in the reporting — Israeli and U.A.E. Microsoft 365 environments being targeted over several waves — underscores potential disruptions to business and communications continuity if adversaries achieve access, a concern raised by the pattern Check Point documented.
  • Adversaries: The campaign’s repeated waves and geographic focus, as reported, suggest an operational tempo designed to probe and exploit authentication weaknesses over time rather than a single-shot attempt.

What to watch next

Check Point’s assessment that the activity was ongoing at the time of the report means investigators and defenders will be looking for further waves, changes in targeting, or new techniques. The combination of a named regional nexus, cloud-focused targets, and multiple attack dates — March 3, March 13, and March 23, 2026 — forms the factual spine of the incident as reported; analysts and decision-makers will judge significance as new telemetry and attribution details become available.

If a threat actor times repeated attempts against broad swathes of cloud tenants during a period of geopolitical tension, how will defenders, users, and policymakers adapt to close those doors before they are opened?

https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html