A cyber operation believed to be linked to Iranian threat actors has been identified targeting Microsoft 365 environments, with a primary focus on organizations in Israel and the United Arab Emirates. The activity comes amid ongoing tensions in the Middle East and is still considered active.
According to research from Check Point, the campaign was carried out in three separate waves on March 3, March 13, and March 23, 2026. More than 300 organizations in Israel and over 25 in the U.A.E. were affected. Investigators also observed limited targeting in Europe, the United States, the United Kingdom, and Saudi Arabia.
The attackers focused on cloud-based systems used across a wide range of sectors, including government bodies, municipalities, transportation services, energy infrastructure, technology firms, and private companies. This broad targeting indicates an effort to access both public-sector systems and critical commercial operations.
The primary method used in the campaign is known as password spraying. In this technique, attackers attempt a small number of commonly used passwords across many accounts instead of repeatedly targeting a single account. This approach increases the chances of finding weak credentials while avoiding detection systems such as account lockouts or rate-limiting controls.
Security researchers noted that similar techniques have previously been associated with Iranian groups such as Peach Sandstorm and Gray Sandstorm. The current activity appears to follow a structured sequence. It begins with large-scale scanning and password attempts routed through Tor exit nodes to conceal the origin of the traffic. This is followed by login attempts, and in successful cases, the extraction of sensitive data, including email content from compromised accounts.
Analysis of Microsoft 365 logs revealed patterns consistent with earlier operations attributed to Gray Sandstorm. Investigators observed the use of red-team style tools and infrastructure, as well as commercial VPN services linked to hosting providers previously associated with Iran-linked cyber activity in the region.
To reduce risk, organizations are advised to monitor sign-in activity for unusual patterns, restrict authentication based on geographic conditions, enforce multi-factor authentication for all users, and enable detailed audit logs to support investigation in the event of a breach.
Renewed Activity from Pay2Key Ransomware Operation
In a related development, a U.S.-based healthcare organization was targeted in late February 2026 by Pay2Key, an Iran-linked ransomware group with connections to a broader threat cluster known by multiple aliases. The group operates under a ransomware-as-a-service model and was first identified in 2020.
The version used in this attack represents an upgrade from campaigns observed in July 2025, incorporating improved techniques for evasion, execution, and anti-forensic activity. Reports from Beazley Security and Halcyon indicate that no data was exfiltrated in this instance, marking a shift away from the group’s earlier double-extortion strategy.
The intrusion is believed to have begun through an unknown access point. Attackers then used legitimate remote access software such as TeamViewer to establish a foothold. From there, they harvested credentials to move laterally across the network, disabled Microsoft Defender Antivirus by falsely indicating that another antivirus solution was active, and interfered with system recovery processes. The attackers then deployed ransomware, issued a ransom note, and cleared logs to conceal their activity.
Notably, logs were deleted at the end of the attack rather than at the beginning, ensuring that even the ransomware’s own actions were removed, making forensic
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: