Hackers linked to Iran launched a three-wave password spray attack against Microsoft 365 in March 2026, targeting 325+ organizations in Israel and the UAE. Check Point Research believes this wasn't just a cyber attack but a full-fledged military intelligence operation that ran concurrently with the missile strikes.
Not Just a Hack But a Strategic Attack
March 2026 was a very turbulent month for the Middle East. On one hand, geopolitical tensions between Iran and Israel were at their peak, and missile strikes were becoming a daily occurrence. On the other hand, a war was being fought in the digital world that very few people knew about, aimed at Israel and the UAE.
Hackers tried to break into the Microsoft 365 accounts of over 300 businesses. But this was not the work of a single hacker. Check Point Research analyzed this campaign in depth, and the results that emerged shocked the world of cybersecurity.
The attack was an organized, multi-wave, state-sponsored operation whose aim was not just to steal data but to digitally support the ongoing war. The cities hit by missile strikes were also targeted in cyberspace. This correlation was so strong that researchers were convinced it was no coincidence; it was a deliberate and integrated operation.
What Is Password Spraying And Why Is It So Dangerous?
When people hear the word "hacking" they often think of a complex software exploit, but that's not what happened in this campaign. The Iran-linked threat actor used a very simple yet highly effective technique: password spraying.
In this technique, hackers try a single common password like Password123 or Welcome2024 against thousands of different accounts, one account after another. This is completely different from a brute-force attack, where one account is hit repeatedly. Password spraying makes only one or two attempts per account, so account lockout and alerting thresholds are never triggered.

The success of this technique rests on the fact that in any large organization there are always some people with weak passwords. An employee using a password like Company@123 opens the digital door to the entire organization. And when that door opens, it's not just email that is exposed: a single Microsoft 365 account contains the entire organization's documents, meetings, collaborative files and admin tools. One weak password can bring down an entire organization.
Three Phases, One Goal: A Planned Operation
According to Check Point Research, this campaign came in three distinct waves on March 3, March 13 and March 23, 2026. The precise timing of each wave indicates a planned operation rather than a random attack. The first wave came on March 3, when the hackers started scanning: common passwords were tried against the Microsoft 365 accounts of thousands of organizations.
Tor exit nodes were used in this phase so that the source IP address changed with every request and traditional security systems could not spot a pattern. The hackers also set their browser identifier (user-agent) so that the traffic appeared to come from Internet Explorer 10, a browser from 2012. This is a clever trick because modern security tools are mostly tuned to the behaviour of current browsers.
The tactics became more refined in the second and third waves. Once valid credentials were obtained in the first round, the hackers moved on to the infiltration phase. In this phase they used commercial VPN services like Windscribe and NordVPN and specifically selected VPN servers physically located in Israel.
This way their login requests appeared to come from Israel, which also bypassed geo-fencing (location-based access control). Then, in the final exfiltration phase, they accessed emails, documents and cloud data from the compromised accounts without dropping any noisy malware.
Why Municipalities Became Targets: Insights from Missile Maps
The most surprising aspect of this campaign is that Israeli municipalities, the local government bodies, were the first targets. Not just technology or financial companies, but the cities' local administrations were specifically singled out. Why? Check Point researchers discovered a strange correlation: when a city was hit by an Iranian missile attack, the Microsoft 365 accounts of that city's municipality were also targeted in the password spray campaign.
Municipalities are the hub of emergency response. After a missile attack, damage assessment, medical emergency coordination and infrastructure repair are all coordinated through them. If hackers penetrate these systems, they can learn in real time how much damage a missile caused, which areas were impacted and where the response teams are.
This is gold for military intelligence. Researchers have therefore declared this campaign part of a Bomb Damage Assessment (BDA) intelligence operation. It is a striking example of hybrid warfare, where digital attacks directly support kinetic military operations.
Inside Iran's Cyber Forces: Gray Sandstorm and Peach Sandstorm
Check Point Research attributes the campaign to Iran with moderate confidence and specifically points to two known Iran-linked hacking groups, Gray Sandstorm and Peach Sandstorm. Both are associated with the IRGC (Islamic Revolutionary Guard Corps).
According to the Microsoft Security Blog, Peach Sandstorm, also known as APT33, Elfin and Refined Kitten, has been running password spray campaigns since 2023, targeting the defense, satellite, energy and healthcare sectors. This group not only steals data but also maintains long-term access so it can retrieve information whenever needed.
Gray Sandstorm is the group that most closely matches this new 2026 campaign. Analysis of M365 login logs shows that the use of Tor exit nodes and of red-team tools resembled what was seen in Gray Sandstorm's past operations. Both groups are aligned with Iranian state interests and share a single objective: to penetrate, persist in and, if necessary, inflict damage on their adversaries' systems.
The Full Scope: From Password Sprays to Cyber Warfare
This campaign is not isolated; it is part of a much larger picture. At the same time, another Iran-linked group hacked FBI Director Kash Patel's personal email and leaked his resume and photos. This group, called Handala Hack, is linked to Iran's intelligence agency.
Additionally, an Iranian ransomware gang called Pay2Key targeted a U.S. healthcare organization in February 2026. This ransomware doesn't just demand money; it blurs the line between criminal extortion and state-sponsored sabotage.
In March 2026, Halcyon revealed that pro-Iranian operatives were being steered toward a new ransomware called Baqiyat 313 Locker (BQTLock), which has been targeting the UAE, the US and Israel since July 2025. Together this creates a cyber ecosystem that digitally supports Iran's geopolitical objectives and is becoming more organized and dangerous by the day.
Is Only the Middle East at Risk?
No, and this is particularly concerning. The campaign was primarily focused on Israel and the UAE, but limited activity was also seen in the United States, the United Kingdom, Saudi Arabia and broader Europe. This broad geographic footprint suggests either wider intelligence gathering or reconnaissance for future attacks. Any organization that uses Microsoft 365, whether in the Middle East or not, is exposed to this type of attack if its employees use weak passwords or don't have MFA enabled.
Securing the Future: Cybersecurity Beyond IT Teams
The biggest lesson from this campaign is that an organization's weakest link isn't its technology but its human element: an employee using a password like Company@2024. Check Point Research, The Hacker News and The Register all emphasized the same thing: Multi-Factor Authentication (MFA) is the one control that could have stopped this entire campaign by 90 percent. Even if an attacker's password spray guesses a correct password, MFA blocks the sign-in because the attacker doesn't have the second factor, the phone or authenticator app.
Additionally, organizations should monitor sign-in logs to detect failed attempts from the same IP address spread across many accounts; because a spray makes only one or two attempts per account, per-account lockout thresholds never fire, so the correlation has to be done by source address. Block Tor exit nodes and VPN ranges. Implement geo-fencing to flag logins from unusual countries. Strict password policies and mandatory MFA must be enforced for every user, and especially for admin accounts. Cybersecurity is no longer just an IT department issue; it's an organizational priority that should extend from leadership to every employee.
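As an added example (not code from the article or from Check Point), the following script shows the sign-in-log correlation described above, and the spray pattern explained earlier in the article: it groups attempts by source IP, flags sources that touch many accounts with only one or two attempts each (the signature a per-account lockout misses), records which of those accounts then signed in successfully, and notes whether the source presented a legacy Internet Explorer user-agent. The sign-in events are constructed for this example; the field layout and the hypothetical municipality domain are assumptions.

```python
from collections import defaultdict

# Constructed sample of Microsoft 365 sign-in events for this example (not real telemetry).
# Fields: (source_ip, account, result_code, user_agent). Entra ID reports a wrong
# password as error code 50126 and a successful sign-in as 0.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
SAMPLE_SIGNINS = [
    ("203.0.113.7", "alice@muni.example", 50126, IE10_UA),
    ("203.0.113.7", "bob@muni.example", 50126, IE10_UA),
    ("203.0.113.7", "carol@muni.example", 50126, IE10_UA),
    ("203.0.113.7", "dave@muni.example", 50126, IE10_UA),
    ("203.0.113.7", "erin@muni.example", 0, IE10_UA),       # one weak password found
] + [("198.51.100.9", "alice@muni.example", 50126, MODERN_UA)] * 6  # classic brute force


def is_legacy_agent(user_agent):
    """Flag a user-agent claiming Internet Explorer, which no current client should send."""
    return "MSIE " in user_agent or "Trident/" in user_agent


def detect_spray(events, min_accounts=4, max_per_account=2):
    """Return {source_ip: summary} for sources showing the spray signature:
    many distinct accounts, each tried only once or twice. A per-account lockout
    never fires on this pattern, so the correlation has to be done per source IP."""
    attempts = defaultdict(lambda: defaultdict(int))   # ip -> account -> attempt count
    successes = defaultdict(set)                       # ip -> accounts that signed in
    agents = defaultdict(set)                          # ip -> user-agents seen
    for ip, account, code, ua in events:
        attempts[ip][account] += 1
        agents[ip].add(ua)
        if code == 0:
            successes[ip].add(account)
    findings = {}
    for ip, per_account in attempts.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            findings[ip] = {
                "accounts_tried": len(per_account),
                "successful_accounts": sorted(successes[ip]),  # treat as compromised
                "legacy_agent": any(is_legacy_agent(ua) for ua in agents[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, summary)
```

The brute-force source (six attempts on one account) is deliberately left out of the result, since that pattern is what existing per-account lockout already catches.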
In Conclusion: When Cyberwar Escalates to Reality
Iran's Microsoft 365 password spray campaign wasn't just a cybersecurity incident; it's evidence of a new era of warfare. While missiles fly, hackers gather digital intelligence in parallel. When a city is hit by a missile and, at the same time, the emails of that city's municipality are being deleted, that is the face of hybrid warfare, one we don't often see on screens but which is just as dangerous.
This campaign also proved that in today's world you don't need a zero-day exploit or expensive malware to launch an advanced attack; a common password and a patient threat actor are enough. And if we are organizations that rely on Microsoft 365, we should lock our digital doors with the same diligence we lock our physical ones. Because the next attack could happen in your city without you even knowing it.