Full Report
Check Point Research has been tracking an ongoing password-spraying campaign targeting Microsoft 365 environments across the Middle East,...

Source: Industrial Cyber, "Check Point tracks Iranian password-spraying waves targeting government and energy sectors in Israel and UAE".
Analysis Summary
# Threat Actor: Iran-Linked Actor (Aligned with Gray Sandstorm)
## Attribution & Identity
* **Identification:** Iran-nexus threat actor.
* **Confidence Level:** Moderate confidence assessment by Check Point Research.
* **Associated Groups/Aliases:**
  * **Gray Sandstorm** (formerly DEV-0343): The actor shares TTPs and log profile similarities with this group.
  * **Peach Sandstorm:** Noted as a similar Iran-nexus group known for these techniques, though not definitively linked to this specific campaign.
* **Motivation:** Geopolitical intelligence gathering, supporting kinetic military operations (targeting cities recently hit by missiles), and Bombing Damage Assessment (BDA).
## Activity Summary
Check Point Research tracked an ongoing password-spraying campaign targeting Microsoft 365 (M365) environments. The operation was characterized by three distinct "waves" occurring on **March 3, March 13, and March 23** (assumed 2026 based on the article date). The campaign targeted organizations critical to national infrastructure and emergency response in the Middle East during a period of heightened conflict.
## Tactics, Techniques & Procedures
* **Password Spraying:** Tried small sets of weak or common passwords against many accounts across hundreds of organizations, keeping attempts per account low enough to avoid triggering account lockouts.
* **Tor Obfuscation:** Initial scanning and spraying activities were routed through frequently rotating Tor exit nodes to evade IP-based blocking.
* **User-Agent Masquerading:** Used a specific string to appear as legacy traffic: `Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)`.
* **Geo-Restriction Bypass:** Used commercial VPN services (Windscribe and NordVPN) with IP addresses geolocated in Israel to appear as legitimate local traffic during the infiltration phase.
* **MITRE ATT&CK IDs:**
  * **T1110.003:** Brute Force: Password Spraying
  * **T1071.001:** Application Layer Protocol: Web Protocols
  * **T1090.003:** Proxy: Multi-hop Proxy (Tor)
  * **T1566:** Phishing/Credential Access (Inferred context for M365)
## Targeting
* **Sectors:** Government entities, Municipalities (primary focus), Energy, Satellite, Aviation, Maritime, and Private-sector companies.
* **Geography:**
  * **Primary:** Israel and the United Arab Emirates (UAE).
  * **Secondary:** United States, United Kingdom, Saudi Arabia, and various European countries.
* **Victims:** The report specifically notes a focus on Israeli municipal governments responsible for responding to missile-related physical damage.
## Tools & Infrastructure
* **Cloud Platform:** Microsoft 365 environments.
* **VPN Services:**
  * Windscribe: `185[.]191[.]204[.]X`
  * NordVPN: `169[.]150[.]227[.]X`
* **Hosting:** Commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito).
* **Other Tools:** Red-team tools (unspecified) used via Tor.
## Implications
This campaign represents a strategic fusion of cyber activities with kinetic military operations. By targeting municipalities and energy sectors during periods of missile conflict, the actor likely sought to assess the impact of physical strikes (BDA) and disrupt or monitor the civil response to attacks. The transition from broad scanning to precise VPN-based infiltration demonstrates a high level of operational maturity.
## Mitigations
* **Detection:** Monitor M365 sign-in logs for anomalies where multiple failed authentication attempts across different accounts originate from a single IP or Tor exit node.
* **Access Control:** Implement strictly enforced Multi-Factor Authentication (MFA), specifically FIDO-based or hardware tokens, which are resistant to credential-based attacks.
* **Visibility:** Enhance post-incident visibility to track data exfiltration from personal email content once an account is compromised.
* **Geo-Blocking:** While the actor used local VPNs to bypass this, organizations should still audit logins from unexpected geolocations or known commercial VPN/Tor exit nodes.
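As an added illustration of the detection bullet above (not code from the Check Point report), the following Python flags source IPs whose failed sign-ins spread across many distinct accounts inside a time window, and separately lists sources presenting the MSIE 10 / Trident user agent from the TTPs section. The sign-in records are constructed; their field names mimic Entra ID sign-in log exports but are an assumption here.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"  # from the report
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/122"  # constructed benign client

# Constructed records shaped like Entra ID sign-in log exports (field names assumed);
# status.errorCode 0 = success, 50126 = invalid username or password.
SAMPLE_LOG = "\n".join(
    json.dumps({"createdDateTime": f"2026-03-13T02:{m:02d}:00Z", "userPrincipalName": u,
                "ipAddress": ip, "userAgent": ua, "status": {"errorCode": code}})
    for m, u, ip, ua, code in [
        (1, "alice@example.gov", "198.51.100.7", LEGACY_UA, 50126),
        (4, "bob@example.gov", "198.51.100.7", LEGACY_UA, 50126),
        (7, "carol@example.gov", "198.51.100.7", LEGACY_UA, 50126),
        (9, "dave@example.gov", "198.51.100.7", LEGACY_UA, 50126),
        (12, "erin@example.gov", "198.51.100.7", LEGACY_UA, 50126),
        (2, "frank@example.gov", "203.0.113.9", CHROME_UA, 50126),  # one user mistyping,
        (5, "frank@example.gov", "203.0.113.9", CHROME_UA, 0),      # then succeeding
    ])

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_spray(records, window_minutes=60, min_users=3):
    """Source IP -> sorted distinct accounts, for IPs whose failed sign-ins hit at
    least min_users accounts inside one window (many accounts, few tries each)."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[r["ipAddress"]].append((ts, r["userPrincipalName"].lower()))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):  # sliding time window over sorted failures
            while events[end][0] - events[start][0] > timedelta(minutes=window_minutes):
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[ip] = sorted(best)
    return hits

def legacy_ua_sources(records):
    """Source IPs presenting the MSIE 10 / Trident user agent the report describes."""
    return sorted({r["ipAddress"] for r in records if r["userAgent"] == LEGACY_UA})
```

Repeated failures on a single account (the `203.0.113.9` source) are deliberately left to lockout policy; the spray signature is few tries per account across many accounts, so the threshold is on distinct accounts per source, not on raw failure count.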