Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

An Iran‑nexus threat actor is suspected of running a three‑wave password‑spraying campaign in March 2026 against Microsoft 365 tenants, affecting more than 300 organizations in Israel and over 25 in the U.A.E., with limited targeting also observed in Europe, the U.S., the U.K., and Saudi Arabia. Separately, the Pay2Key ransomware group resurfaced against a U.S. healthcare organization using upgraded Windows and Linux variants, with tactics including remote‑access footholds, credential harvesting, log clearing, and improved evasion. Organizations are urged to enforce MFA, monitor sign‑in logs, apply conditional access, and enable audit logging. #GraySandstorm #Pay2Key

Keypoints

  • Three password‑spraying waves occurred on March 3, March 13, and March 23, 2026, targeting Microsoft 365 tenants.
  • The campaign primarily affected more than 300 organizations in Israel and over 25 in the U.A.E., with additional limited targets worldwide.
  • Attackers used Tor exit nodes, commercial VPN nodes (AS35758), and red‑team tools to scan, log in, and exfiltrate mailbox data.
  • Pay2Key returned with upgraded evasion and a Linux variant, leveraging remote access tools, credential harvesting, and log tampering.
  • Recommended defenses include enforcing MFA, monitoring sign‑in logs, applying conditional access by geography, and enabling audit logs for investigations.
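
The last keypoint recommends monitoring sign‑in logs. The following is an added example, not code from the article, the reporting vendor, or Microsoft, of the detection logic a defender would run over exported Entra ID (Azure AD) sign‑in records to surface a spray like the one described: one source IP failing against many distinct accounts in a short window, followed by a successful sign‑in from the same source. The field names follow the sign‑in log export schema; the error code 50126 (invalid username or password), the window, and the thresholds are assumptions to tune per tenant, and the log records are constructed, not real telemetry.

```python
"""Password-spray detection over Entra ID sign-in records.

Added example (not from the original article or any vendor code). Runs over
constructed sign-in records shaped like the Entra ID sign-in log export:
createdDateTime, ipAddress, userPrincipalName, status.errorCode.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in result codes (assumed from the public error-code list):
# 0 = success, 50126 = error validating credentials (bad username/password).
SUCCESS = 0
BAD_PASSWORD = 50126

WINDOW = timedelta(minutes=60)   # assumed sliding window per source IP
MIN_DISTINCT_USERS = 5           # assumed: a spray hits many accounts...
MAX_ATTEMPTS_PER_USER = 3.0      # assumed: ...with only a few guesses each


def parse(record):
    """Normalise one sign-in record to (timestamp, ip, upn, error_code)."""
    ts = datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))
    return (ts, record["ipAddress"], record["userPrincipalName"].lower(),
            record["status"]["errorCode"])


def detect_spray(records):
    """Return {ip: {...}} for every source IP whose failed sign-ins inside one
    WINDOW span >= MIN_DISTINCT_USERS accounts at <= MAX_ATTEMPTS_PER_USER
    guesses per account. 'then_succeeded' lists later successful sign-ins
    from that IP (spray followed by a valid login = likely compromise)."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(r) for r in records):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [(ts, u) for ts, _, u, c in evs if c == BAD_PASSWORD]
        start = 0
        for end in range(len(failures)):
            # advance the window start so failures[start:end+1] fits in WINDOW
            while failures[end][0] - failures[start][0] > WINDOW:
                start += 1
            window = failures[start:end + 1]
            users = {u for _, u in window}
            # many accounts, few guesses each: a spray, not single-account brute force
            if (len(users) >= MIN_DISTINCT_USERS
                    and len(window) / len(users) <= MAX_ATTEMPTS_PER_USER):
                first_ts = window[0][0]
                findings[ip] = {
                    "users": len({u for _, u in failures}),
                    "attempts": len(failures),
                    "then_succeeded": [(ts.isoformat(), u) for ts, _, u, c in evs
                                       if c == SUCCESS and ts >= first_ts],
                }
                break
    return findings


def sample_signins():
    """Constructed sign-in records (not real telemetry); IPs are from the
    RFC 5737 documentation ranges, the tenant domain is example.com."""
    base = datetime(2026, 3, 3, 9, 0, tzinfo=timezone.utc)

    def rec(minutes, ip, upn, code):
        return {"createdDateTime": (base + timedelta(minutes=minutes)).isoformat(),
                "ipAddress": ip, "userPrincipalName": upn,
                "status": {"errorCode": code}}

    spray_ip = "198.51.100.23"
    accounts = ["ceo", "cfo", "hr", "it", "finance", "legal"]
    records = [rec(i, spray_ip, f"{u}@example.com", BAD_PASSWORD)
               for i, u in enumerate(accounts)]
    records.append(rec(40, spray_ip, "finance@example.com", SUCCESS))  # guessed password worked
    # Benign noise: one user mistypes a password four times, then logs in.
    records += [rec(i, "203.0.113.7", "alice@example.com", BAD_PASSWORD) for i in range(4)]
    records.append(rec(5, "203.0.113.7", "alice@example.com", SUCCESS))
    records.append(rec(2, "192.0.2.10", "bob@example.com", SUCCESS))
    return records


if __name__ == "__main__":
    for ip, f in detect_spray(sample_signins()).items():
        print(f"{ip}: {f['users']} accounts, {f['attempts']} failures, "
              f"later successes: {f['then_succeeded']}")
```

The attempts-per-user ratio is what separates a spray (few passwords across many accounts, which stays under per-account lockout thresholds) from a single-account brute force, which needs its own rule. In practice the `then_succeeded` entries are the alerts to work first, and enriching the source IP with Tor exit-node lists or the ASN the article names (AS35758) is the natural next step; that enrichment is not part of this example.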

Read More: https://thehackernews.com/2026/04/iran-linked-password-spraying-campaign.html