Threats Feed | Gray Sandstorm | Last Updated: 10/04/2026 | Author: Certfa Radar | Publish Date: 31/03/2026

Iran-Linked Threat Actor Targets Middle East Cloud Environments with Password Spraying

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Brute-force
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

An Iran-nexus threat actor conducted a Microsoft 365 password-spraying campaign in three waves during March, focused primarily on Israel and the UAE. The attackers used publicly available red-team tooling and routed their attempts through Tor exit nodes, presenting a user agent that imitated Internet Explorer 10; the constantly changing exit IPs and the generic user-agent string let them slip past detections built on atomic indicators (a single known IP or user-agent string) while they tried a small set of common passwords against many accounts. Once a weak credential was guessed, the actor signed in through commercial VPNs with Israeli geolocation to satisfy location-based access restrictions and exfiltrated personal email data. The campaign heavily targeted local municipalities, assessed as likely supporting kinetic operations and bomb damage assessments, alongside the government, energy, aviation, maritime, and satellite sectors. Limited targeting was also observed in the US, UK, Europe, and Saudi Arabia.

Detected Targets

Type   | Description                        | Confidence
Sector | Banking                            | Verified
Sector | Financial                          | Verified
Sector | Government Agencies and Services   | Verified
Sector | Information Technology             | Verified
Sector | Insurance                          | Verified
Sector | Logistics                          | Verified
Sector | Manufacturing                      | Verified
Sector | Medical                            | Verified
Sector | Professional Service               | Verified
Sector | Retail                             | Verified
Sector | Aerospace                          | Verified
Sector | Education                          | Verified
Sector | Energy                             | Verified
Sector | Healthcare                         | Verified
Sector | Scientific Research                | Verified
Sector | Transportation                     | Verified
Region | Israel                             | Verified
Region | Saudi Arabia                       | Verified
Region | United Arab Emirates               | Verified
Region | United Kingdom                     | Verified
Region | United States                      | Verified
Region | European Countries                 | Verified

Extracted IOCs

  • 169[.]150.227.143
  • 169[.]150.227.146
  • 169[.]150.227.3
  • 185[.]191.204.202
  • 185[.]191.204.203

FAQs

Middle East Cloud Password Spraying Campaign

What happened?

An advanced cyber campaign targeted the Microsoft 365 cloud environments of over 300 organizations, most of them in Israel and the UAE, with a smaller number in other regions. Attackers tried a short list of likely passwords against many accounts at once to break into Microsoft 365 tenants and steal sensitive information.

Who is behind it?

Security researchers assess with moderate confidence that the attackers are an Iran-linked threat group. Their methods and choice of tools closely resemble those of known Iranian cyber actors, specifically the group tracked as "Gray Sandstorm."

What was the goal?

The primary goal was to obtain valid login credentials, get into mailboxes, and read personal email. Researchers believe this data gathering was intended to assess physical damage and support missile strikes that were happening concurrently in the region.

How widespread was it?

The campaign was widespread and intense, striking in three distinct waves during March. It hit over 300 organizations in Israel and more than 25 in the United Arab Emirates, with a smaller number of targets in Europe, the US, the UK, and Saudi Arabia.

Were particular sectors singled out?

Yes. The attackers heavily focused on local municipalities, alongside the energy sector, private companies, aviation, maritime, and satellite organizations. Municipalities were likely prioritized because of their role in managing emergency responses to physical missile damage.

How did the attack work?

The attackers used automated tools to try common passwords across hundreds of accounts, a few attempts per account so that no single account tripped a lockout, while hiding the source of the traffic behind Tor. Once a password worked, they signed in through commercial VPNs so the session appeared to come from inside the country, which let them pass location-based access blocks and quietly pull email data.

Why these targets?

Organizations like local governments and energy providers hold critical infrastructure data and sensitive internal communications. During a physical conflict, access to these systems gives attackers valuable intelligence on emergency responses, infrastructure status, and municipal communications.

Was this opportunistic or targeted?

While password spraying is by nature a broad technique, the campaign's focus was tightly targeted both geographically and by sector. It zeroed in on Middle Eastern municipal and critical infrastructure organizations in line with kinetic conflict objectives.

How can organizations defend themselves?

Organizations should enforce strong, unique passwords (screened against banned-password lists) so that common guesses fail. Enabling multi-factor authentication for all cloud accounts, blocking legacy authentication protocols that cannot enforce MFA, and monitoring for sign-ins from Tor or commercial VPN ranges will significantly reduce the risk of a successful breach. Because a spray spreads a handful of attempts across many accounts, alerting on a single source that fails against many distinct users in a short window catches the technique even when no individual account is locked out.
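The detection logic implied by the Threat Overview and by the two answers above (one source failing against many accounts with few tries each, an IE10-style user agent, a source IP on this feed's IOC list, and a later successful sign-in to a sprayed account from an unrelated IP) can be run over sign-in records directly. The following Python is an added example written for this page, not Certfa Radar's or Microsoft's code. It assumes record fields that loosely mirror the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, userAgent, status.errorCode) and uses constructed sample records rather than captured telemetry; the tenant name, the non-IOC addresses (TEST-NET ranges) and the thresholds are assumptions.

```python
"""Spot a password-spraying wave and the follow-on compromise in Microsoft 365 sign-in logs.

Added example for this feed, not Certfa Radar's or Microsoft's code. Record fields
loosely mirror the Microsoft Graph signIn resource; the records below are
constructed for illustration, not captured telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Source IPs listed in this feed's Extracted IOCs section (re-fanged).
IOC_IPS = {
    "169.150.227.143", "169.150.227.146", "169.150.227.3",
    "185.191.204.202", "185.191.204.203",
}

# Entra ID sign-in error code 50126 is "invalid username or password"; 0 is success.
ERR_BAD_PASSWORD = 50126
OK = 0
# User-agent string of the kind the campaign imitated (Internet Explorer 10 on Windows 7).
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"


def _rec(ts, upn, ip, ua, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": ua, "status": {"errorCode": code}}


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample (assumption: example.com tenant, TEST-NET addresses for the
# non-IOC sources). One IOC IP tries one password each against six accounts in six
# minutes, then user3 is accessed successfully two hours later from an unrelated IP,
# as with the VPN sign-ins the page describes. 198.51.100.7 fails three times on a
# single account, which is lock-out noise rather than a spray.
SAMPLE_SIGNINS = [
    _rec(f"2026-03-10T02:0{i}:00Z", f"user{i}@example.com",
         "185.191.204.202", IE10_UA, ERR_BAD_PASSWORD)
    for i in range(6)
] + [
    _rec("2026-03-10T02:20:00Z", "user9@example.com", "198.51.100.7", "Outlook/16.0", ERR_BAD_PASSWORD),
    _rec("2026-03-10T02:21:00Z", "user9@example.com", "198.51.100.7", "Outlook/16.0", ERR_BAD_PASSWORD),
    _rec("2026-03-10T02:22:00Z", "user9@example.com", "198.51.100.7", "Outlook/16.0", ERR_BAD_PASSWORD),
    _rec("2026-03-10T04:05:00Z", "user3@example.com", "203.0.113.10",
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", OK),
]


def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {ip: summary} for sources that fail against at least `min_users`
    distinct accounts inside `window` with at most `max_per_user` failures per
    account. Many accounts, few tries each, is the spray signature; one account
    hammered repeatedly is a brute force or a stale client and is left out."""
    failures = defaultdict(list)  # ip -> [(time, upn, user agent)]
    for r in records:
        if r["status"]["errorCode"] == ERR_BAD_PASSWORD:
            failures[r["ipAddress"]].append((_ts(r), r["userPrincipalName"], r["userAgent"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        for start in range(len(events)):  # slide the window over this IP's failures
            t0 = events[start][0]
            in_win = [e for e in events[start:] if e[0] - t0 <= window]
            per_user = defaultdict(int)
            for _, upn, _ in in_win:
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = {
                    "users": sorted(per_user),
                    "first_seen": in_win[0][0],
                    "last_seen": in_win[-1][0],
                    "ioc_match": ip in IOC_IPS,
                    "ie10_user_agent": any("MSIE 10.0" in ua for _, _, ua in in_win),
                }
                break
    return hits


def successes_after_spray(records, spray_hits, lookahead=timedelta(hours=24)):
    """Successful sign-ins to sprayed accounts within `lookahead` of the spray,
    from any source. The compromise sign-in usually comes from a different IP
    (the page describes Israeli-geolocated commercial VPNs), so this keys on the
    sprayed account rather than the spraying IP."""
    sprayed = {}  # upn -> earliest time that account was sprayed
    for hit in spray_hits.values():
        for upn in hit["users"]:
            sprayed[upn] = min(sprayed.get(upn, hit["first_seen"]), hit["first_seen"])
    found = []
    for r in records:
        upn = r["userPrincipalName"]
        if r["status"]["errorCode"] == OK and upn in sprayed:
            t = _ts(r)
            if sprayed[upn] <= t <= sprayed[upn] + lookahead:
                found.append((upn, r["ipAddress"], r["createdDateTime"]))
    return found


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_SIGNINS)
    for ip, h in hits.items():
        print(f"spray from {ip}: {len(h['users'])} accounts, IOC={h['ioc_match']}, IE10 UA={h['ie10_user_agent']}")
    for upn, ip, when in successes_after_spray(SAMPLE_SIGNINS, hits):
        print(f"follow-on sign-in: {upn} from {ip} at {when}")
```

On the sample data the only spray source reported is 185.191.204.202 (six accounts, one failure each, IOC match, IE10 user agent); the three failures from 198.51.100.7 against a single account are not flagged, and the later success for user3 from 203.0.113.10 is surfaced as a follow-on sign-in even though that IP never appeared in the spray. Against real tenants, feed this the sign-in export for the spray window and tune `min_users` and `window` to the tenant's size; Tor exit lists and VPN provider ranges can be added as a further enrichment on the source IP.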

About Affiliation
Gray Sandstorm