Full Report
An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid ongoing conflict in the Middle East. The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, per Check Point. "The campaign is primarily
Analysis Summary
# Threat Actor: Iran-Nexus Actor (Associated with Gray Sandstorm / Peach Sandstorm)
## Attribution & Identity
* **Identification:** Iran-nexus threat actor.
* **Aliases:**
  * **Gray Sandstorm** (formerly DEV-0343) - cited for TTP similarities.
  * **Peach Sandstorm** - cited for historical use of similar techniques.
* **Associated Groups:** **Pay2Key** and **Fox Kitten** (referenced in the context of recent overlapping Iranian operations).
## Activity Summary
The actor is currently engaged in an ongoing password-spraying campaign targeting Microsoft 365 (M365) environments. The activity occurred in three primary waves in 2026:
* Wave 1: March 3, 2026
* Wave 2: March 13, 2026
* Wave 3: March 23, 2026
The campaign involves large-scale scanning, credential harvesting, and mailbox data exfiltration.
## Tactics, Techniques & Procedures
* **Password Spraying:** Trying one (or a few) common passwords against a large list of usernames, so that each account sees only one or two failures and stays below account-lockout and rate-limiting thresholds.
* **Reconnaissance:** Aggressive scanning of target environments.
* **Anonymization:** Extensive use of **Tor exit nodes** to conduct spraying and login attempts.
* **Data Exfiltration:** Accessing and exfiltrating sensitive mailbox content post-compromise.
* **Evasion:** Using commercial VPN nodes to mask origin.
* **Remote Access and Credential Harvesting (Pay2Key operations):** Use of legitimate remote-access tools such as TeamViewer, combined with harvesting of credentials from compromised hosts.
* **Anti-Forensics / Defense Evasion (Pay2Key operations):** Clearing system logs at the end of execution and disarming Microsoft Defender by spoofing the presence of a third-party antivirus product (Defender stands down its real-time protection when another registered AV product appears to be present).
## Targeting
* **Sectors:** Government entities, municipalities, Technology, Transportation, Energy, and various private-sector companies.
* **Geography:** Primarily **Israel** (300+ organizations) and the **U.A.E.** (25+ organizations). Limited activity observed in Europe, the U.S., the U.K., and Saudi Arabia.
* **Victims:** Over 325 organizations in the Middle East; one U.S. healthcare organization (targeted by the associated Pay2Key group).
## Tools & Infrastructure
* **Malware/Tools:**
  * **Pay2Key Ransomware:** a Linux variant and an upgraded Windows version.
  * **TeamViewer:** used for persistent remote access.
  * **Red-team tools:** used for scanning and spraying.
* **Infrastructure:**
  * **Tor exit nodes**
  * **AS35758** (Rachamim Aviel Twito) - commercial VPN nodes.
* **Source report (defanged URL):** `https[:]//thehackernews[.]com/2026/04/iran-linked-password-spraying-campaign[.]html`
## Implications
This activity represents a persistent strategic effort by Iranian actors to collect intelligence and exert pressure on regional adversaries (Israel and U.A.E.) amid geopolitical conflict. The shift toward a "configuration-driven" Linux variant of ransomware and the use of increased affiliate cuts (80%) suggest a professionalization and expansion of Iranian state-sponsored or state-aligned disruptive operations.
## Mitigations
* **Identity Security:** Enforce Multi-Factor Authentication (MFA) for all users, including administrative and service accounts, and block legacy authentication protocols (basic-auth SMTP, IMAP, POP, legacy Exchange Web Services); legacy protocols do not prompt for MFA and are a standard spraying target.
* **Access Control:** Implement **Conditional Access** policies to restrict logins from unauthorized geographic regions or known Tor/VPN exit nodes.
* **Monitoring:** Alert on the sign-in-log pattern characteristic of spraying: many distinct accounts failing from one source IP (or one ASN) within a short window with only one or two attempts per account, and any successful sign-in from an IP that was spraying shortly before.
* **Logging:** Confirm that mailbox auditing is enabled and that the MailItemsAccessed event is being recorded, so that the scope of mailbox reads and exfiltration can be reconstructed after a compromise.
* **Endpoint Defense:** Monitor for unauthorized use of remote access software (e.g., TeamViewer) and attempts to disable Microsoft Defender.
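The spray-detection logic described under **Monitoring**, together with the post-compromise scoping step that **Logging** feeds into, as an added example; this is not code from the original report or from Check Point. It assumes sign-in records shaped like the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`), treats error codes 50126 (invalid password) and 50034 (user not found) as spray guesses and 0 as success, and the thresholds and the sample records are constructed for the example rather than vendor-recommended values.

```python
"""
Password-spray triage over Microsoft 365 / Entra ID sign-in records.

Added example, not code from the original report.  Assumptions:
  * records are shaped like the Graph `signIn` resource
    (createdDateTime, userPrincipalName, ipAddress, status.errorCode);
  * errorCode 50126 = bad password, 50034 = no such user, 0 = success;
  * thresholds are a tuning starting point; SAMPLE_SIGNINS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_GUESS_CODES = {50126, 50034}  # AADSTS50126 / AADSTS50034
SUCCESS = 0


def _rec(ts, user, ip, code):
    """One sign-in record in Graph `signIn` shape (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: 10.0.0.5 tries one password against seven accounts
# (one attempt each) and it happens to work for heidi.  10.0.0.9 is one
# user mistyping her own password, which must not be flagged.
SAMPLE_SIGNINS = [
    _rec("2026-03-03T02:00:10Z", "alice@example.com", "10.0.0.5", 50126),
    _rec("2026-03-03T02:00:52Z", "bob@example.com", "10.0.0.5", 50126),
    _rec("2026-03-03T02:01:30Z", "carol@example.com", "10.0.0.5", 50126),
    _rec("2026-03-03T02:02:05Z", "dave@example.com", "10.0.0.5", 50126),
    _rec("2026-03-03T02:02:48Z", "svc-backup@example.com", "10.0.0.5", 50034),
    _rec("2026-03-03T02:03:20Z", "erin@example.com", "10.0.0.5", 50126),
    _rec("2026-03-03T02:03:55Z", "frank@example.com", "10.0.0.5", 50126),
    _rec("2026-03-03T02:04:30Z", "heidi@example.com", "10.0.0.5", 0),
    _rec("2026-03-03T09:15:00Z", "grace@example.com", "10.0.0.9", 50126),
    _rec("2026-03-03T09:15:20Z", "grace@example.com", "10.0.0.9", 50126),
    _rec("2026-03-03T09:15:41Z", "grace@example.com", "10.0.0.9", 50126),
    _rec("2026-03-03T09:16:02Z", "grace@example.com", "10.0.0.9", 0),
]


def parse(records):
    """Normalise raw records into time-sorted (time, user, ip, code) dicts."""
    out = []
    for r in records:
        out.append({
            "time": datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
            "user": r["userPrincipalName"].lower(),
            "ip": r["ipAddress"],
            "code": r["status"]["errorCode"],
        })
    return sorted(out, key=lambda s: s["time"])


def detect_spray(signins, window=timedelta(minutes=30), min_users=5, max_avg_attempts=2.0):
    """Flag source IPs whose credential failures hit many distinct accounts
    with few attempts per account inside `window`.  A low attempts-per-user
    ratio is what separates a spray from a brute force or a forgetful user."""
    by_ip = defaultdict(list)
    for s in signins:
        if s["code"] in SPRAY_GUESS_CODES:
            by_ip[s["ip"]].append(s)

    findings = {}
    for ip, fails in by_ip.items():          # fails are already time-sorted
        best = None
        for i, first in enumerate(fails):
            span = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            users = {f["user"] for f in span}
            avg = len(span) / len(users)
            if len(users) >= min_users and avg <= max_avg_attempts:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"ip": ip, "window_start": first["time"],
                            "window_end": span[-1]["time"],
                            "distinct_users": len(users), "attempts": len(span),
                            "avg_attempts_per_user": avg}
        if best:
            findings[ip] = best
    return findings


def successes_after_spray(signins, findings):
    """Accounts that signed in successfully from a spraying IP once the spray
    began: first candidates for token revocation and MailItemsAccessed review."""
    hits = defaultdict(set)
    for s in signins:
        f = findings.get(s["ip"])
        if f and s["code"] == SUCCESS and s["time"] >= f["window_start"]:
            hits[s["ip"]].add(s["user"])
    return {ip: sorted(users) for ip, users in hits.items()}


def triage(records=SAMPLE_SIGNINS):
    signins = parse(records)
    findings = detect_spray(signins)
    return findings, successes_after_spray(signins, findings)


if __name__ == "__main__":
    findings, compromised = triage()
    for ip, f in findings.items():
        print(f"spray from {ip}: {f['distinct_users']} accounts, {f['attempts']} attempts, "
              f"{f['avg_attempts_per_user']:.1f}/account, "
              f"{f['window_start']:%H:%M:%S}-{f['window_end']:%H:%M:%S}")
    for ip, users in compromised.items():
        print(f"successful sign-in from spraying IP {ip}: {', '.join(users)}")
```

Against the constructed sample, 10.0.0.5 is flagged (seven accounts, one attempt each) and heidi's successful sign-in from that IP is surfaced for follow-up, while grace's three mistakes from 10.0.0.9 are not. For the Tor and commercial-VPN infrastructure noted above, the natural extension is to key the grouping on ASN rather than IP, since a spray rotating across exit nodes within one provider would otherwise fall under `min_users` per address.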