AN Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the UAE, according to Check Point. The activity, assessed to be ongoing, unfolded in three waves on 3 March, 13 March and 23 March 2026, with the campaign primarily focused on Israel and the UAE, impacting more than 300 organisations in Israel and over 25 in the UAE.
Activity associated with the same actor was also observed against targets in Europe, the United States, the United Kingdom, and Saudi Arabia, Check Point added. Password spraying—using a single common password against multiple usernames—was used to probe for weak credentials at scale, and the campaign targeted cloud environments of government entities, municipalities, technology, transportation, energy, and private-sector organisations in the region.
To counter the threat, organisations are advised to monitor sign-in logs, apply conditional access controls to restrict authentication by location, enforce MFA for all users, and enable audit logs for post-compromise investigation. The report notes that the technique has been linked to Iranian groups such as Peach Sandstorm and Gray Sandstorm in past campaigns.