Check Point Research tracked an Iran-linked, three-stage password-spraying campaign against Microsoft 365 tenants that peaked on March 3, 13, and 23, 2026 and primarily targeted municipalities in Israel and the UAE. Attackers scanned via rotating Tor exit nodes, used Windscribe and NordVPN endpoints geolocated in Israel to bypass geo-fencing, and leveraged valid logins to access and exfiltrate municipal emails, a pattern CPR assesses is linked to Gray Sandstorm.
Key points
- An Iran-linked threat actor conducted coordinated password-spraying attacks against Microsoft 365 with three peak waves in March 2026.
- Municipalities were primary targets, suggesting the campaign supported missile operations and bombing damage assessment.
- Attackers used rotating Tor exit nodes for scanning and Windscribe/NordVPN endpoints geolocated in Israel to evade geo-fencing.
- More than 300 organizations in Israel and 25+ in the UAE were impacted, including tech (63), transportation (32), and healthcare (28) sectors.
- Key defenses include tenant-wide MFA, conditional access to block Tor and unapproved geolocations, and monitoring for anomalous multi-account sign-in failures.
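The last key point names monitoring for anomalous multi-account sign-in failures. The sketch below is an added example, not code from Check Point Research or the source article: it counts failures per account across the whole tenant instead of per source IP, since the scanning sources rotate, and then lists sprayed accounts that sign in successfully from an IP with no earlier success. The record fields, thresholds, and sample events are assumptions; 50126 is the Entra ID result code for an invalid username or password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD = 50126  # Entra ID sign-in result code: invalid username or password
SUCCESS = 0

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_tries=2):
    """Alert on windows where many accounts each fail only a few times (any source IP)."""
    events = sorted(events, key=lambda e: e["time"])
    buckets = defaultdict(lambda: defaultdict(int))  # window start -> user -> failures
    for e in events:
        if e["result"] == FAILED_PASSWORD:
            start = e["time"] - (e["time"] - datetime.min) % window
            buckets[start][e["user"]] += 1
    alerts = []
    for start, fails in sorted(buckets.items()):
        # Many failures on one account is a forgotten password, not a spray.
        sprayed = {u for u, n in fails.items() if n <= max_tries}
        if len(sprayed) < min_accounts:
            continue
        known_ips = defaultdict(set)  # user -> IPs with an earlier success
        suspect = []
        for e in events:
            if e["result"] != SUCCESS:
                continue
            new_ip = e["ip"] not in known_ips[e["user"]]
            if e["user"] in sprayed and new_ip and start <= e["time"] < start + 2 * window:
                suspect.append((e["user"], e["ip"]))
            known_ips[e["user"]].add(e["ip"])
        alerts.append({"window_start": start, "accounts": sorted(sprayed),
                       "suspect_logins": suspect})
    return alerts

def sample_events():
    """Constructed sign-in records; IPs are from documentation ranges."""
    def rec(hhmm, user, ip, result):
        return {"time": datetime.strptime("2026-01-01 " + hhmm, "%Y-%m-%d %H:%M"),
                "user": user, "ip": ip, "result": result}
    ev = [rec("08:00", "alice", "198.51.100.10", SUCCESS)]
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        ev.append(rec(f"09:0{i}", u, f"192.0.2.{i + 1}", FAILED_PASSWORD))
    ev += [rec("09:03", "gina", "198.51.100.20", FAILED_PASSWORD)] * 5  # mistyped password
    ev.append(rec("09:12", "carol", "203.0.113.50", SUCCESS))
    ev.append(rec("09:20", "alice", "198.51.100.10", SUCCESS))
    return ev

if __name__ == "__main__":
    for alert in detect_spray(sample_events()):
        print(alert)
```

With only a short log history every first success looks like a new IP, so feed the function enough prior sign-ins to build a per-user baseline.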
Read More: https://securityonline.info/iran-password-spraying-israel-uae-municipal-cyber-attack/