Iran cyber campaign probes Gulf cloud defences


Iran-linked hackers mounted a coordinated password-spraying operation against Microsoft 365 tenants across the Middle East in March, with Israel and the United Arab Emirates emerging as the main targets in a campaign that cyber researchers say shows how regional conflict is increasingly being mirrored in the cloud. Check Point Research said the activity came in three waves on March 3, March 13 and March 23, hitting more than 300 organisations in Israel and over 25 in the UAE, while smaller numbers of targets were also seen in Saudi Arabia, Britain, Europe and the United States.

The campaign centred on password spraying, a method in which attackers try a small set of common or weak passwords across many accounts rather than hammering one account repeatedly. That approach reduces the chance of lockouts while increasing the odds that at least one employee has reused a weak credential. Check Point said the actor rotated through multiple source IP addresses, making simple IP-based blocking less effective and adding to the difficulty of rapid detection across large Microsoft 365 estates.


Researchers said municipalities were a notable focus, particularly in Israel, alongside government bodies, energy operators and private-sector organisations. Check Point drew attention to an apparent overlap between some of the targeted municipalities and cities struck by Iranian missile attacks during March, leading it to assess that the intrusions may have been intended to support kinetic operations and battle-damage assessment. That judgment remains an analytical assessment rather than proof of direct operational tasking, but it underlines how cyber espionage is being read alongside events on the ground in a Middle East conflict that has sharply intensified.

The broader pattern is not new. Microsoft has for several years tracked Iran-linked actors using password-spray tactics against cloud email environments, transport-linked businesses and defence-related targets. In 2021, Microsoft said an Iran-linked cluster it called DEV-0343 had conducted extensive password spraying against more than 250 Office 365 tenants, including Israeli-linked defence technology companies and Persian Gulf transport and port organisations. The company said at the time that accounts protected by multifactor authentication were resilient against such attacks.

Microsoft’s more recent threat reporting shows the technique has remained embedded in the tradecraft of Iranian operators. In an August 2024 report, Microsoft said Peach Sandstorm, which it assesses operates on behalf of the Islamic Revolutionary Guard Corps, continued using password-spray attacks as an initial-access method and then moved to commercial VPN infrastructure after validating credentials. Microsoft said it had observed the actor targeting thousands of organisations and described password spraying as a recurring access vector in Iranian intelligence-gathering operations.

That continuity matters because it suggests the March 2026 campaign was not an isolated burst of hacktivist noise, but part of a longer and more disciplined ecosystem of state-aligned intrusion activity. Check Point said the latest operation primarily targeted cloud environments in Israel and the UAE, two countries that have remained strategically important to Tehran’s intelligence collection and regional power calculations. Microsoft’s Digital Defense Report for 2025 also identified Israel as the geography most frequently targeted by Iranian threat actors, with the UAE ranking among the top regional targets, reinforcing the wider pattern behind the latest wave of activity.

For organisations running Microsoft 365, the episode is another reminder that identity has become the frontline. Password spraying does not rely on sophisticated malware at the outset; it exploits weak passwords, incomplete identity hygiene and gaps in authentication policy. Security guidance from Microsoft’s threat reporting points in a familiar direction: enforce multifactor authentication, disable legacy authentication where possible, monitor unusual sign-in patterns, and pay close attention to logins that appear to come through commercial VPN services after failed password attempts. Those controls are hardly novel, yet the persistence of these campaigns suggests implementation remains uneven across public bodies and companies operating in high-risk regions.
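The two detection ideas in the article, spotting the low-and-slow shape of a spray (many accounts, few failures each, rotating source IPs) and then catching the success that follows it, can be expressed as a small log-analysis routine. The code below is an added example written for this page, not tooling from Check Point, Microsoft or the article; the sign-in records are constructed in the shape of Entra ID sign-in log fields (timestamp, user principal name, IP address, status error code, with 50126 being the code Entra ID returns for a wrong password), the IP addresses are documentation ranges, and the window size and thresholds are assumptions to tune per tenant.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real data): (createdDateTime, userPrincipalName,
# ipAddress, status.errorCode). 0 = success, 50126 = invalid username or password.
RAW_SIGNINS = [
    ("2026-03-12T08:00:00Z", "user03@example.com", "10.0.0.5", 0),
    ("2026-03-12T08:01:00Z", "user03@example.com", "10.0.0.5", 50126),  # lone typo, not a spray
]
SPRAY_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]  # rotating sources, assumed
# A burst of two bad-password attempts against each of twelve accounts, spread over the
# three addresses: the spray shape the article describes.
for i in range(12):
    for attempt in range(2):
        RAW_SIGNINS.append((f"2026-03-13T02:{i:02d}:{attempt * 30:02d}Z",
                            f"user{i:02d}@example.com",
                            SPRAY_IPS[(i + attempt) % 3], 50126))
# The one credential that worked, used two hours later from a spray address.
RAW_SIGNINS.append(("2026-03-13T04:10:00Z", "user07@example.com", "198.51.100.7", 0))


def parse(raw):
    """Turn the raw tuples into dicts with a real datetime for sorting and windows."""
    return [{"time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), "user": u, "ip": ip, "code": c}
            for t, u, ip, c in raw]


def find_spray_windows(events, window=timedelta(minutes=30), min_users=10, max_per_user=3):
    """Flag windows where many distinct accounts each fail only a few times.

    Brute force on one account trips lockout; a spray stays under max_per_user per
    account but touches min_users or more accounts inside the window.
    """
    failures = sorted((e for e in events if e["code"] == 50126), key=lambda e: e["time"])
    findings, i = [], 0
    while i < len(failures):
        start = failures[i]["time"]
        # failures is sorted, so the bucket is a contiguous run starting at i
        bucket = [e for e in failures[i:] if e["time"] < start + window]
        per_user = Counter(e["user"] for e in bucket)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings.append({"start": start, "end": bucket[-1]["time"],
                             "users": set(per_user), "ips": {e["ip"] for e in bucket}})
            i += len(bucket)  # do not re-report the same burst from every offset
        else:
            i += 1
    return findings


def successes_after_spray(events, findings, lookahead=timedelta(hours=6)):
    """A success for a sprayed account shortly after the burst is the validated
    credential the article warns about; note whether the IP was part of the spray and
    whether the user had ever signed in from it before."""
    hits = []
    for f in findings:
        for e in events:
            if e["code"] != 0 or e["user"] not in f["users"]:
                continue
            if not (f["end"] <= e["time"] <= f["end"] + lookahead):
                continue
            prior_ips = {p["ip"] for p in events
                         if p["user"] == e["user"] and p["code"] == 0 and p["time"] < f["start"]}
            hits.append({"user": e["user"], "ip": e["ip"], "time": e["time"],
                         "ip_seen_in_spray": e["ip"] in f["ips"],
                         "ip_new_for_user": e["ip"] not in prior_ips})
    return hits


if __name__ == "__main__":
    evts = parse(RAW_SIGNINS)
    for w in find_spray_windows(evts):
        print(f"spray {w['start']} to {w['end']}: {len(w['users'])} accounts, "
              f"{len(w['ips'])} source IPs")
    for h in successes_after_spray(evts, find_spray_windows(evts)):
        print(f"follow-up success: {h['user']} from {h['ip']} at {h['time']} "
              f"(spray IP: {h['ip_seen_in_spray']}, new for user: {h['ip_new_for_user']})")
```

Per-source-IP counting alone would miss this burst, because no single address accounts for more than a handful of failures; grouping by time window and counting distinct accounts is what makes the rotation visible. The follow-up success check is where a VPN or reputation lookup would be bolted on in a real pipeline, since the article notes the actor moving to commercial VPN infrastructure once a password validates.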
