Iran-Linked Password Spraying Campaign Targets Municipalities During Missile Strikes: Microsoft 365 Breach Analysis

By Imthiyaz Ali

A sophisticated cyber campaign attributed to an Iran-linked threat actor has exposed critical vulnerabilities in municipal cloud infrastructure, coinciding with heightened geopolitical tensions in the Middle East. According to Check Point Research (CPR), attackers executed a coordinated password-spraying operation targeting Microsoft 365 tenants, with activity peaks observed on March 3, March 13, and March 23, 2026.

Overview of the Attack Campaign

The campaign primarily targeted municipal entities in Israel and the United Arab Emirates (UAE), suggesting a strategic focus on public sector infrastructure during periods of military escalation. CPR has linked this activity to an Iranian threat cluster believed to be associated with Gray Sandstorm, a group known for cyber-espionage and disruption campaigns.

The attackers employed a three-stage password spraying methodology, enabling them to bypass traditional authentication defenses and gain unauthorized access to sensitive systems.

Key Statistics and Findings

  • Attack peaks recorded on March 3, 13, and 23, 2026
  • Targeted entities: Municipal governments in Israel and UAE
  • Primary attack vector: Microsoft 365 account compromise
  • Infrastructure used: Tor exit nodes, Windscribe VPN, NordVPN
  • Objective: Email exfiltration and intelligence gathering

How the Password Spraying Attack Worked

Password spraying is a brute-force technique in which attackers try a small number of commonly used passwords across a large number of accounts. Because each account sees only one or two attempts, the per-account failure count stays below lockout thresholds, while the breadth of the attempt keeps the chance of at least one successful login high.

In this campaign, attackers:

  1. Enumerated user accounts across municipal Microsoft 365 tenants
  2. Tested weak or commonly reused passwords (e.g., seasonal or default passwords)
  3. Leveraged successful logins to establish persistence and escalate access

Advanced Evasion Techniques

One of the most notable aspects of this campaign was its sophisticated evasion strategy:

  • Tor Network Usage: Attackers rotated traffic through multiple Tor exit nodes to obfuscate origin
  • Geo-Fencing Bypass: VPN endpoints from Windscribe and NordVPN were configured to appear as Israeli IP addresses
  • Low-and-Slow Approach: Login attempts were spaced out to avoid triggering detection thresholds

This combination enabled attackers to blend in with legitimate traffic and evade security monitoring systems.
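A defender-side view of the pattern described in this section, added here as an example that is not part of CPR's report or this article: a small Python detector that runs over constructed Entra ID style sign-in records and flags a source that fails against many distinct accounts a few times each inside a long window, which is the shape of a low-and-slow spray. The field layout of the sample log lines, the anonymizer IP ranges (RFC 5737 documentation addresses standing in for Tor exit and VPN feeds), the sample users and the thresholds are all assumptions for the example; the error code 50126 is Entra ID's invalid-username-or-password code.

```python
"""Password-spray detection over constructed Microsoft 365 sign-in records.

Added example (not CPR's or this article's code). Sample data, log layout,
anonymizer ranges and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0                  # errorCode 0 in the sign-in log means success

# Constructed stand-ins for a Tor exit list and a VPN provider range
# (RFC 5737 documentation networks); a real deployment loads live feeds.
ANONYMIZER_RANGES = {
    "tor-exit": [ip_network("198.51.100.0/24")],
    "commercial-vpn": [ip_network("203.0.113.0/24")],
}


@dataclass
class SignIn:
    time: datetime
    user: str
    ip: str
    error_code: int


def anonymizer_label(ip):
    """Return the feed label an IP matches, or None for an unlisted source."""
    addr = ip_address(ip)
    for label, nets in ANONYMIZER_RANGES.items():
        if any(addr in net for net in nets):
            return label
    return None


def parse_log(lines):
    """Lines are 'ISO-time,userPrincipalName,ipAddress,errorCode' (assumed layout)."""
    events = []
    for line in lines:
        ts, user, ip, code = line.strip().split(",")
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, int(code)))
    return events


def detect_spray(events, window_hours=24, min_users=5, max_per_user=3):
    """Flag sources that fail against >= min_users distinct accounts with
    <= max_per_user failures each inside any window of window_hours.

    Breadth across accounts with shallow per-account depth is the spray
    signature; a long window is what catches attempts paced hours apart.
    """
    window = timedelta(hours=window_hours)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.time)
        failures = [e for e in evs if e.error_code == INVALID_CREDENTIALS]
        best = None  # (distinct users, worst per-user count, window start)
        start = 0
        for end, last in enumerate(failures):
            while last.time - failures[start].time > window:
                start += 1
            per_user = defaultdict(int)
            for e in failures[start:end + 1]:
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) >= best[0]:
                    best = (len(per_user), max(per_user.values()), failures[start].time)
        if best is None:
            continue
        distinct, worst, first_seen = best
        # Any success from the same source after the spray began is the
        # account to investigate first.
        hits = sorted({e.user for e in evs if e.error_code == SUCCESS and e.time >= first_seen})
        alerts.append({
            "ip": ip,
            "anonymizer": anonymizer_label(ip),
            "distinct_users": distinct,
            "max_failures_per_user": worst,
            "successful_logins": hits,
        })
    return alerts


# ---- constructed sample log (not real data) --------------------------------
USERS = [f"user{i}@city.example" for i in range(6)]
_t = datetime(2026, 3, 13, 0, 0, 0)
SAMPLE_LOG = []
for _round in range(2):                      # Tor exit: 2 tries per account,
    for _u in USERS:                         # one attempt every two hours
        SAMPLE_LOG.append(f"{_t:%Y-%m-%dT%H:%M:%SZ},{_u},198.51.100.7,50126")
        _t += timedelta(hours=2)
SAMPLE_LOG.append(f"{_t:%Y-%m-%dT%H:%M:%SZ},{USERS[3]},198.51.100.7,0")  # one guess worked
for _m in range(4):                          # office user mistyping, then success
    SAMPLE_LOG.append(f"2026-03-13T09:0{_m}:00Z,{USERS[0]},192.0.2.10,50126")
SAMPLE_LOG.append(f"2026-03-13T09:04:00Z,{USERS[0]},192.0.2.10,0")
for _i, _u in enumerate(USERS[:3]):          # VPN source touching only 3 accounts
    SAMPLE_LOG.append(f"2026-03-13T05:0{_i}:00Z,{_u},203.0.113.5,50126")

EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

Running the block flags only the Tor exit source: six accounts, at most two failures each, and one later success, which is the account to contain first. The office user with four failures on a single account is not a spray, and the VPN source stays under the account threshold. Shrinking the window to a few minutes makes the same data produce no alert, which is exactly the gap the low-and-slow pacing exploits.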

Exploitation of Microsoft 365 Environments

Once valid credentials were obtained, attackers accessed:

  • Municipal email accounts
  • Internal communications and attachments
  • Potentially sensitive operational data related to emergency response

CPR notes that the timing of the attacks aligns with missile strike events, indicating a possible intent to gather real-time intelligence or disrupt municipal response coordination.

Attribution to Gray Sandstorm

The tactics, infrastructure, and targeting patterns observed in this campaign closely resemble previous operations attributed to Gray Sandstorm, an Iranian-linked advanced persistent threat (APT) group. Known for targeting government and critical infrastructure, the group has historically leveraged credential-based attacks to infiltrate cloud environments.

Implications for Municipal Cybersecurity

This campaign highlights critical gaps in municipal cybersecurity posture, particularly in cloud identity protection. Key risks include:

  • Weak password policies and lack of multi-factor authentication (MFA)
  • Insufficient monitoring of login anomalies
  • Overreliance on geo-based access controls

Municipal systems, often under-resourced in cybersecurity, present attractive targets for nation-state actors seeking intelligence during geopolitical crises.

Recommended Mitigation Strategies

  • Enforce Multi-Factor Authentication (MFA) across all accounts
  • Implement conditional access policies beyond geo-location
  • Deploy identity threat detection and response (ITDR) solutions
  • Monitor for unusual login patterns and VPN usage
  • Conduct regular password hygiene audits
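One concrete form of the password hygiene audit recommended above, added here as an example and not taken from the article or from any vendor: a Python checker that normalises a candidate password the way banned-password filters do (lower-case, undo common character substitutions, strip leading and trailing digits and symbols) before matching it against seasonal, month, default and organisation-specific terms, the kind of guesses a spray relies on. The banned term lists, the organisation names, the 12-character minimum and the substitution table are assumptions chosen for the example.

```python
"""Set-time password hygiene check modelled on banned-password normalisation.

Added example, not the article's or any product's code. Term lists,
minimum length and substitution table are assumptions for illustration.
"""
import re

# Undo the substitutions people use to sneak a dictionary word past a
# complexity rule. '1' is mapped to 'i'; a fuller normaliser would also try 'l'.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DEFAULTS = ["password", "welcome", "letmein", "qwerty", "admin", "changeme"]


def build_banned(org_terms):
    """Global terms plus organisation names collapsed to lower-case alphanumerics."""
    org = [re.sub(r"[^a-z0-9]", "", t.lower()) for t in org_terms]
    return sorted(set(SEASONS + MONTHS + DEFAULTS + org))


def normalize(password):
    """Lower-case, undo substitutions, drop leading/trailing digits and symbols."""
    s = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def audit_password(password, banned, min_length=12):
    """Return the list of policy failures; an empty list means acceptable.

    Substring matching is deliberate (it catches 'Spring2026!' and
    'W1nter@2025'); very short terms such as 'may' will also hit words like
    'maybe', so a production list should match those as whole words.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalize(password)
    for term in banned:
        if term in norm:
            reasons.append(f"contains banned term '{term}'")
    return reasons


def audit_batch(candidates, banned):
    """Map each candidate to its failures, for a bulk review of proposed passwords."""
    return {pw: audit_password(pw, banned) for pw in candidates}


if __name__ == "__main__":
    banned = build_banned(["Example City", "City Hall"])   # constructed org names
    for pw, failures in audit_batch(
        ["Spring2026!", "W1nter@2025", "P@ssw0rd2026", "CityHall#2026",
         "harbor-lantern-quartz-pelican"], banned).items():
        print(pw, "->", failures or "ok")
```

The check belongs at password-change time (a filter or self-service reset hook), not as a substitute for MFA: it shrinks the pool of guessable passwords a spray can succeed against, while MFA and conditional access are what stop a correct guess from becoming a session.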

NeuraCyb's Assessment

The Iran-linked password spraying campaign underscores the evolving nature of cyber warfare, where digital intrusions are increasingly synchronized with physical conflicts. As municipalities become frontline targets in hybrid warfare, strengthening cloud security and identity management is no longer optional; it is a necessity.

Imthiyaz Ali
Imthiyaz is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.