MagnaNet Network

Iran-Nexus Threat Actors Intensify Cyber Warfare in Middle East with Sophisticated Password Spraying and Ransomware Campaigns

Cahyo Dewo, April 7, 2026

An Iran-nexus threat actor is suspected of running a widespread password-spraying campaign against Microsoft 365 environments in critical sectors in Israel and the United Arab Emirates. The activity, which cybersecurity firm Check Point assesses to be ongoing, unfolds against heightened geopolitical tensions and open conflict in the Middle East, and has so far come in three distinct waves, on March 3, March 13, and March 23, 2026. It has touched more than 300 organizations in Israel and more than 25 in the U.A.E., with limited activity also observed against targets in Europe, the United States, the United Kingdom, and Saudi Arabia.

The Password Spraying Offensive: A Deep Dive into Tactics and Targets

The campaign's core technique is password spraying. Unlike a brute-force attack, which tries many passwords against one account, password spraying tries a single, commonly used password against many usernames on the same application, then moves on to the next password. Because lockout and rate-limiting policies typically count failures per account, one or two attempts per account per wave stay below the threshold, so the attacker can test weak credentials at scale without locking anyone out or tripping per-user alerts. The targets are cloud environments belonging to government entities, municipalities, technology firms, transportation networks, energy-sector organizations, and private-sector companies in the targeted regions. That selection points to an intent to reach critical infrastructure, extract government data, or disrupt essential services, consistent with state-sponsored objectives.

Check Point, an Israeli cybersecurity company, links the techniques used in this campaign to known Iranian groups. The tactics, techniques, and procedures (TTPs) closely resemble those previously used by Peach Sandstorm and Gray Sandstorm (formerly tracked as DEV-0343), both of which have a documented history of spraying for initial access and then establishing persistent footholds for follow-on activity. The TTP overlap is the basis for attributing the offensive to an Iran-nexus actor; the tooling and infrastructure overlaps described below make that attribution considerably stronger than TTPs alone would.

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

The campaign follows a three-phase lifecycle. It begins with scanning and password spraying, conducted mostly from Tor exit nodes. Tor hides the attacker's true origin, which complicates attribution, but it does not by itself prevent blocking: the exit-node list is public and can be fed into a conditional access named location or a sign-in filter. Once a credential works, the second phase is the login itself, confirming access to the targeted Microsoft 365 tenant. The third and most damaging phase is exfiltration, with a focus on mailbox content: confidential communications, strategic documents, financial records, and personal data, all usable for espionage, sabotage, or future attacks.

Analysis of Microsoft 365 logs shows strong similarities to earlier Gray Sandstorm operations, down to the red-team tooling used to run the attacks through Tor exit nodes. The attackers have also used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), which matches recent Iran-nexus activity in the Middle East. Tor for the noisy spraying phase and commercial VPNs for the quieter later phases is a deliberate split: it frustrates trace-back, and because the VPN exits can appear to be in-region, it also undercuts defenses that key on source geography.

Countermeasures and Defensive Strategies

In response, security vendors and government bodies are advising organizations to harden their Microsoft 365 tenants. Key recommendations include:

  • Monitoring of sign-in logs: Watch Entra ID sign-in logs for the spray signature, which is one source address failing against many distinct accounts with only one or two attempts each, rather than many failures against a single account. A successful sign-in, or an MFA challenge, from that same source shortly afterwards means the password was guessed and that account needs a reset and session revocation.
  • Conditional access controls: Conditional access policies can restrict sign-ins to approved locations and compliant devices. Location-only rules are weakened in this campaign, since the attackers exit through Tor and through commercial VPN nodes that can appear in-region; pair location rules with MFA and device requirements rather than relying on geography alone.
  • Enforcement of Multi-Factor Authentication (MFA): MFA is the most effective single control here, because a sprayed password is useless without the second factor. Mandate it for all users, with priority on privileged accounts, and make sure no sign-in path is exempt from it.
  • Comprehensive audit logs: Retain detailed sign-in and mailbox-access audit logs so that after a compromise the team can reconstruct the timeline, identify which accounts were accessed, and scope what mail was read or exported.
  • Employee awareness training: Train staff on phishing, social engineering, and strong, unique passwords; spraying works because in any large tenant a few accounts share the same guessable password.
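The spray signature described above (one source, many accounts, few attempts each) and the follow-on check in the monitoring recommendation can be expressed directly against sign-in log records. The following is an added example written for this article; it is not Check Point's, Microsoft's or the attackers' code. It assumes records shaped like an Entra ID sign-in log export (createdDateTime, userPrincipalName, ipAddress, status.errorCode) and the standard Entra error codes 0 (success), 50126 (invalid username or password) and 50074/50076 (password accepted, MFA required). The sample events, the Tor exit list and the thresholds are constructed for the example.

```python
"""Password-spray detection over Microsoft 365 / Entra ID sign-in records.

Added example for this article, not vendor or attacker code. Assumptions:
records mirror the Entra ID sign-in log export; error codes 0 = success,
50126 = bad password, 50074/50076 = password accepted but MFA gate hit.
Sample events and the Tor exit set are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# 50074/50076 mean primary auth succeeded: the sprayed password was right.
PASSWORD_ACCEPTED = {0, 50074, 50076}
BAD_PASSWORD = 50126
TOR_EXITS = {"198.51.100.7"}   # constructed; load the published exit list in practice


def _ts(s):
    """Parse the ISO-8601 timestamp the export uses (trailing Z)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_spray(events, min_users=10, max_per_user=2, window=timedelta(minutes=30)):
    """Return one finding per (source IP, time window) in which a single address
    fails against at least `min_users` distinct accounts with no more than
    `max_per_user` failures per account. Each finding also lists accounts from
    which the same address later got a password accepted, for immediate reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _ts(e["createdDateTime"]))
        fails = [e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD]
        i = 0
        while i < len(fails):                      # tumbling windows over failures
            start = _ts(fails[i]["createdDateTime"])
            per_user = defaultdict(int)
            j = i
            while j < len(fails) and _ts(fails[j]["createdDateTime"]) - start <= window:
                per_user[fails[j]["userPrincipalName"].lower()] += 1
                j += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = sorted({e["userPrincipalName"].lower() for e in evs
                               if e["status"]["errorCode"] in PASSWORD_ACCEPTED
                               and _ts(e["createdDateTime"]) >= start})
                findings.append({
                    "ip": ip,
                    "tor_exit": ip in TOR_EXITS,
                    "window_start": start.isoformat(),
                    "window_end": _ts(fails[j - 1]["createdDateTime"]).isoformat(),
                    "distinct_users": len(per_user),
                    "password_accepted": hits,   # reset + revoke sessions first
                })
            i = j
    return findings


def build_sample():
    """Constructed events: a 12-account spray from a Tor exit, two later
    password hits from the same address, and benign noise from another IP."""
    base = datetime(2026, 3, 13, 2, 0, tzinfo=timezone.utc)

    def ev(minute, upn, ip, code):
        when = (base + timedelta(minutes=minute)).isoformat().replace("+00:00", "Z")
        return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
                "appDisplayName": "Office 365 Exchange Online",
                "status": {"errorCode": code}}

    events = [ev(n, f"user{n:02d}@example.com", "198.51.100.7", BAD_PASSWORD)
              for n in range(1, 13)]
    events.append(ev(15, "user05@example.com", "198.51.100.7", 0))       # success
    events.append(ev(16, "user08@example.com", "198.51.100.7", 50076))   # MFA gate
    # One user mistyping a password three times, then succeeding: not a spray.
    events += [ev(3, "alice@example.com", "203.0.113.10", BAD_PASSWORD) for _ in range(3)]
    events.append(ev(4, "alice@example.com", "203.0.113.10", 0))
    return events


if __name__ == "__main__":
    for f in detect_spray(build_sample()):
        print(f)
```

The thresholds are the tuning knobs: a low-and-slow spray that spreads one attempt per account over hours needs a longer window and a lower `min_users`. The important design point is treating 50074/50076 as a hit, not a failure; those codes only appear after the password was accepted, so an MFA challenge from a spraying address is confirmation that the account's password is known to the attacker.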

Resurgence of Iranian Ransomware: Pay2Key’s Evolved Threat


The password-spraying campaign is part of a broader, diversified Iran-linked cyber offensive. In parallel, the Iranian ransomware gang Pay2Key, known for its ties to the country's government, has reportedly revived its operations. In late February 2026 a U.S. healthcare organization was hit by a Pay2Key attack, a significant resurgence for a group that first emerged in 2020 with connections to the Fox Kitten group.

The Pay2Key variant deployed in this attack is a notable upgrade over campaigns seen as recently as July 2025, with improved evasion, execution, and anti-forensics techniques that make it harder to detect and analyze. Beazley Security and Halcyon report that no data was exfiltrated from the healthcare victim, a departure from the group's established double-extortion playbook of encrypting data and threatening to leak it if the ransom is not paid. That could indicate a shift toward disruption and sabotage over financial gain, or simply an attempt to avoid the added complexity and detection risk of large-scale exfiltration.

The attack against the U.S. healthcare organization followed a multi-stage methodology. The initial access route is undetermined, but the actors used a legitimate remote access tool, such as TeamViewer, to establish a covert foothold, then harvested credentials for lateral movement across the network. A critical step was disabling Microsoft Defender Antivirus by signaling that a third-party antivirus product was active; Defender steps aside by design when another product registers with the Windows Security Center, so a bogus registration is enough to switch off endpoint protection without touching Defender itself. The attackers then inhibited recovery mechanisms, deployed the ransomware, dropped a ransom note, and cleared logs to erase their footprint. Halcyon researchers noted, "By clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware’s own activity is wiped, not just whatever preceded it." For defenders, the practical consequence is that telemetry forwarded off the host before the clear is the only reliable record; Defender and Security event logs should be shipped to a collector in near real time rather than read from the host after the fact.

Following its return last year, Pay2Key also changed its ransomware-as-a-service (RaaS) terms. Affiliates are now offered an 80% cut of ransom proceeds, up from 70%, specifically for attacks on Iran's perceived enemies, an incentive structure that makes the political motivation explicit: a criminal enterprise steered toward state-aligned targets. A month after that change, a Linux variant of Pay2Key was detected in the wild, extending the group's reach to another operating system. Morphisec researcher Ilia Kulmin, in a report published last month, described the Linux variant: "The sample is configuration-driven, requires root-level privileges to execute, and is engineered to traverse broad file system scope, classify mounts, and encrypt data using ChaCha20 in full or partial modes." He added, "Before encryption, it weakens defenses and removes friction by stopping services, killing processes, disabling SELinux and AppArmor, and installing a reboot-time cron entry. This lets the encryptor run faster and survive restarts." Each of those pre-encryption steps is observable: service stops, a change to SELinux enforcement or AppArmor profiles, and a new cron entry on a server are all events worth alerting on before the encryptor runs.

The Expanding Ransomware Landscape: Sicarii and BQTLock


The Iran-linked threat landscape also includes other ransomware brands being promoted for the cause. In March 2026 Halcyon reported that Uke, the administrator of the Sicarii ransomware, openly urged pro-Iranian operators to adopt Baqiyat 313 Locker, also known as BQTLock, in response to an influx of affiliate requests, which suggests a growing pool of actors willing to take part in politically motivated attacks. BQTLock, which operates with explicitly pro-Palestinian motives, has targeted organizations in the U.A.E., the U.S., and Israel since July 2025. The spread of ideologically driven ransomware groups operating under the patronage or guidance of state actors shows criminal tooling being co-opted for geopolitical ends.

Geopolitical Backdrop and Blurring Lines

Iran has a well-documented history of using cyber operations for geopolitical leverage, retaliation for perceived political slights, and projection of power in the Middle East and beyond. The "ongoing conflict" referenced by Check Point is the context for these offensives: a region of deep rivalries and proxy conflicts in which cyber operations offer state actors a cheap and deniable way to pursue strategic objectives short of direct military confrontation.

Security vendors consistently emphasize that ransomware is no longer solely a tool for financial extortion but is increasingly folded into state-sponsored operations. Halcyon's analysis captures the convergence: "Ransomware is increasingly incorporated into these operations, with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage." That blurring complicates international law, attribution, and deterrence, because purely criminal enterprises and state-aligned proxies become harder to tell apart. The targeting of critical infrastructure, government entities, and key economic sectors in rival nations reflects intent to destabilize, gather intelligence, and exert influence.

The persistence of these campaigns and the steady improvement of the tools behind them point to an intensifying cyber conflict. Organizations everywhere, and particularly those in geopolitically sensitive regions, should treat the threat landscape as dynamic and keep investing in the basics that this campaign actually tests: MFA on every sign-in path, sign-in monitoring tuned for spraying, and logs retained somewhere an intruder cannot clear.




©2026 MagnaNet Network | WordPress Theme by SuperbThemes