[{"data":1,"prerenderedAt":135},["ShallowReactive",2],{"article-slug-iranian-hackers-launch-coordinated-password-spray-attacks-on-middle-east":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":33,"sources":34,"events":41,"mitre_techniques":42,"mitre_mitigations":55,"d3fend_countermeasures":83,"iocs":98,"cyber_observables":99,"tags":116,"extract_datetime":121,"article_type":122,"impact_scope":123,"pub_date":133,"reading_time_minutes":134,"createdAt":121,"updatedAt":121},"f2af0695-671b-48cd-85fc-3494064e2a12","iranian-hackers-launch-coordinated-password-spray-attacks-on-middle-east","Iranian Hackers Launch Coordinated Password Spray Attacks on Middle East","Iranian APT Gray Sandstorm Linked to Password Spray Attacks Supporting Kinetic Operations in Middle East","The Iranian APT group Gray Sandstorm is suspected of conducting a large-scale password spray campaign against government and private sector organizations in Israel and the UAE. According to Check Point researchers, the cyberattacks, which began in early March 2026, targeted Microsoft 365 accounts and appear to be coordinated with physical military operations. The timing and targeting of municipalities responsible for damage response suggest the attacks were intended to support kinetic missile and drone strikes, likely for intelligence gathering and Bombing Damage Assessment (BDA). This campaign exemplifies the use of cyber operations in modern hybrid warfare.","## Executive Summary\nA widespread password spray campaign targeting **[Microsoft 365](https://www.microsoft.com/en-us/microsoft-365)** accounts has been attributed to an Iranian Advanced Persistent Threat (APT) group, likely **[Gray Sandstorm](https://attack.mitre.org/groups/G0124/)** (the actor Microsoft previously tracked as DEV-0343). 
According to research from **[Check Point](https://www.checkpoint.com/)**, the attacks targeted government and private sector entities in Israel and the United Arab Emirates (UAE) starting in early March 2026. The campaign's timing and choice of targets, specifically municipalities responsible for civil defense and damage response, strongly correlate with kinetic military operations (missile and drone strikes) launched by Iran. This suggests the cyberattacks were conducted as part of a hybrid warfare strategy, aimed at gathering intelligence to support and assess the impact of physical military actions.\n\n---\n\n## Threat Overview\nThe campaign employed password spraying, a brute-force technique in which attackers try a small number of common passwords against a large number of user accounts. This \"low and slow\" method avoids account lockout because lockout counters are kept per account: one or two guesses against each of hundreds of accounts never reaches the threshold on any single account, even though the attacker's infrastructure produces a large number of failures in aggregate. That aggregate, viewed per source rather than per account, is the signal defenders have to look for.\n\nThe primary targets were Microsoft 365 accounts belonging to organizations in Israel and the UAE. The focus on municipalities is particularly notable. These organizations are critical for emergency response and damage assessment following a physical attack. 
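The 'low and slow' pattern is easiest to see in data. The following is an added example, not code from Check Point, Microsoft or the Risky Business source: a small Python detector that applies the per-source thresholding described later in the Detection & Response section to constructed records shaped like Entra ID SigninLogs rows (TimeGenerated, UserPrincipalName, IPAddress, ResultType). The domain, the TEST-NET addresses and the counts are invented; the starting thresholds (20 failures across 10 accounts within 5 minutes) are the ones this article suggests, and the grouping key is a parameter because sprays routinely rotate through proxy or residential address pools, so grouping by IP alone under-counts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Starting thresholds from the Detection & Response section of this article:
# 20 failures across 10 distinct accounts from one source within 5 minutes.
# Treat them as a starting point and tune them to your own sign-in baseline.
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 20
MIN_DISTINCT_USERS = 10
# Entra ID result codes a spray produces: 50126 InvalidUserNameOrPassword and
# 50053 IdsLocked (an account that did hit lockout). 50034 UserAccountNotFound
# deserves its own rule: it means guessing against names that do not exist.
SPRAY_RESULT_TYPES = {'50126', '50053'}


def build_sample_signins():
    # Constructed rows in the shape of Entra ID SigninLogs records. The domain and
    # the TEST-NET addresses are made up; nothing here comes from a real incident.
    base = datetime(2026, 3, 3, 2, 0, 0)
    rows = []
    # The spray: two guesses against each of 12 accounts, one attempt every 10 s,
    # all from one source. Each account sees only 2 failures, far below any
    # per-account lockout threshold, so no lockout and no per-user alert fires.
    for guess in range(2):
        for n in range(12):
            rows.append({'TimeGenerated': base + timedelta(seconds=10 * (12 * guess + n)),
                         'UserPrincipalName': f'user{n:02d}@city.example',
                         'IPAddress': '203.0.113.10', 'ResultType': '50126'})
    # Benign noise: one person mistypes their password three times, then gets in.
    for k in range(3):
        rows.append({'TimeGenerated': base + timedelta(minutes=1, seconds=20 * k),
                     'UserPrincipalName': 'alice@city.example',
                     'IPAddress': '198.51.100.7', 'ResultType': '50126'})
    rows.append({'TimeGenerated': base + timedelta(minutes=2),
                 'UserPrincipalName': 'alice@city.example',
                 'IPAddress': '198.51.100.7', 'ResultType': '0'})
    return rows


def by_ip(row):
    return row['IPAddress']


def by_cidr24(row):
    # Coarser grouping for sprays that rotate through neighbouring addresses;
    # an ASN lookup would serve the same purpose for proxy or residential pools.
    return str(ip_network(row['IPAddress'] + '/24', strict=False))


def detect_password_spray(rows, key=by_ip, window=WINDOW,
                          min_failures=MIN_FAILURES, min_distinct_users=MIN_DISTINCT_USERS):
    # Group failures by source, slide a time window over each source's events and
    # raise one alert per source whose window holds enough failures spread across
    # enough distinct accounts. Returns a list of alert dicts.
    grouped = defaultdict(list)
    for row in rows:
        if row['ResultType'] in SPRAY_RESULT_TYPES:
            grouped[key(row)].append(row)
    alerts = []
    for source, events in grouped.items():
        events.sort(key=lambda r: r['TimeGenerated'])
        in_window = defaultdict(int)  # account -> failures currently inside the window
        start = 0
        for end, event in enumerate(events):
            in_window[event['UserPrincipalName']] += 1
            while event['TimeGenerated'] - events[start]['TimeGenerated'] > window:
                expired = events[start]['UserPrincipalName']
                in_window[expired] -= 1
                if in_window[expired] == 0:
                    del in_window[expired]
                start += 1
            failures = end - start + 1
            if failures >= min_failures and len(in_window) >= min_distinct_users:
                # First trigger wins; attach every account this source has touched so
                # the responder can scope resets and session revocations at once.
                alerts.append({'source': source,
                               'window_start': events[start]['TimeGenerated'],
                               'window_end': event['TimeGenerated'],
                               'failures': failures,
                               'distinct_users': len(in_window),
                               'accounts': sorted({e['UserPrincipalName'] for e in events})})
                break
    return alerts


def max_failures_per_account(rows):
    # What a per-account lockout or alert would see: the busiest single account.
    counts = defaultdict(int)
    for row in rows:
        if row['ResultType'] in SPRAY_RESULT_TYPES:
            counts[row['UserPrincipalName']] += 1
    return max(counts.values(), default=0)


if __name__ == '__main__':
    data = build_sample_signins()
    print('busiest single account saw', max_failures_per_account(data), 'failures')
    for alert in detect_password_spray(data):
        print('SPRAY from', alert['source'], ':', alert['failures'], 'failures across',
              alert['distinct_users'], 'accounts between', alert['window_start'].time(),
              'and', alert['window_end'].time())
```

On this sample the busiest account never exceeds three failures, so per-account lockout stays silent, while the per-source view flags 203.0.113.10 as soon as the twentieth failure arrives. In Microsoft Sentinel the same logic is a KQL summarize over SigninLogs by IPAddress and a 5-minute bin with dcount of UserPrincipalName; whichever form you run, treat a ResultType 0 from a source that has just produced this pattern as the highest-priority event in the queue.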
By gaining access to their email accounts and internal documents, the attackers could potentially:\n- Gather intelligence on emergency response plans.\n- Assess the effectiveness and damage of their kinetic strikes (Bombing Damage Assessment - BDA).\n- Disrupt coordination efforts of first responders.\n\nThis direct correlation between cyber operations and physical military strikes is a clear example of hybrid warfare, where cyber capabilities are used as a force multiplier for conventional military action.\n\n## Technical Analysis\nThe core TTPs of this campaign are characteristic of **Gray Sandstorm** and other APTs focused on credential access:\n- **[`T1110.003 - Brute Force: Password Spraying`](https://attack.mitre.org/techniques/T1110/003/):** The primary initial access vector, used to compromise accounts at scale.\n- **[`T1078.004 - Valid Accounts: Cloud Accounts`](https://attack.mitre.org/techniques/T1078/004/):** Once a correct password was found, the attackers signed in to the legitimate Microsoft 365 account, indistinguishable at first glance from the real user.\n- **[`T1589.002 - Gather Victim Identity Information: Email Addresses`](https://attack.mitre.org/techniques/T1589/002/):** The attackers first needed lists of valid user principal names for the target organizations, typically harvested from public sources, before the spray could begin.\n- **[`T1114.002 - Email Collection: Remote Email Collection`](https://attack.mitre.org/techniques/T1114/002/)** and **[`T1213.002 - Data from Information Repositories: Sharepoint`](https://attack.mitre.org/techniques/T1213/002/):** The likely follow-on collection, mailbox contents from Exchange Online and documents from SharePoint Online. These steps are inferred from the targeting rather than described in the reporting. (T1530, Data from Cloud Storage, covers object storage such as blob containers and buckets and is not the right mapping for mailboxes or SharePoint sites.)\n\n**Gray Sandstorm** has a documented history of using password spraying as its go-to technique for initial access, which makes the attribution by Check Point plausible.\n\n## Impact Assessment\nThe impact of this campaign extends beyond a typical data breach, given its connection to military operations:\n- **National Security Risk:** The intelligence gathered could provide Iran with critical insights into the civil defense and response capabilities of its adversaries, directly impacting national security.\n- **Espionage:** The attackers gain access to sensitive government communications, plans, and data.\n- **Foundation for Further Attacks:** Compromised accounts can be used to launch more targeted phishing campaigns against other government entities or to maintain persistent access for future intelligence gathering.\n- **Psychological Impact:** Coordinated cyber and physical attacks are designed to create a sense of chaos and demonstrate a sophisticated, multi-domain capability.\n\n## Detection & Response\n**Detection:**\n- **Authentication Log Analysis:** This is the most effective detection method. Ingest Microsoft Entra ID sign-in logs (interactive and non-interactive) into a SIEM and monitor for the spray pattern: a high volume of failed sign-ins with ResultType 50126 (InvalidUserNameOrPassword) from a single IP address, or a small cluster of addresses, across many different user accounts, followed by any successful sign-in (ResultType 0) from the same source. Aggregate by IP address, by subnet and by ASN, since sprays are routinely distributed across proxy and residential pools precisely to stay under per-IP thresholds. Microsoft Entra ID Protection also ships a built-in password spray risk detection, which should feed the same queue. This is a key use case for **[D3-ANET: Authentication Event Thresholding](https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding)**.\n- **Impossible Travel Alerts:** Enable and monitor atypical travel alerts, which trigger when a user account signs in from geographically distant locations in a short period.\n- **Anomalous Mailbox Access:** Monitor for unusual mailbox activity, such as a user account accessing the mailbox via an unfamiliar user agent or from an IP address outside of the organization's normal footprint, and for new inbox rules that forward or delete mail.\n\n**Response:**\n- If a password spray attack is detected, identify every account that saw a successful sign-in from the spraying source. Reset those passwords and revoke the accounts' sign-in sessions in Entra ID so that refresh tokens already issued to the attacker are invalidated; access tokens already issued stay valid until they expire (about an hour), so keep watching those accounts through that window. Consider resetting all sprayed accounts whose passwords are weak or known to be breached.\n- Block the attacking source with a Conditional Access named location. A perimeter firewall never sees authentication traffic to Microsoft 365, so it cannot do this job, and expect the attacker to move to new addresses once blocked.\n- Review compromised accounts for persistence: inbox rules, mailbox delegation and forwarding, newly registered MFA methods, and OAuth application consents granted to the account.\n\n## Mitigation\n- **Multi-factor Authentication ([`M1032 - Multi-factor Authentication`](https://attack.mitre.org/mitigations/M1032/)):** This is the single most effective defense against password spraying, with one condition: every sign-in path must actually be able to challenge for it. Legacy authentication protocols (basic authentication for IMAP, POP3, SMTP AUTH and Exchange ActiveSync, and older Office clients) cannot present an MFA prompt, so a sprayed password that works against one of those endpoints bypasses MFA entirely; block legacy authentication with Conditional Access first. Enforce MFA for all users and prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business, certificate-based authentication) over SMS and simple push approvals.\n- **Strong Password Policies ([`M1027 - Password Policies`](https://attack.mitre.org/mitigations/M1027/)):** Implement policies that prohibit common or easily guessable passwords. In Entra ID this means Password Protection with the global banned password list plus a custom list of organization-specific terms (city and department names, local landmarks, seasonal patterns), since those are exactly what a targeted spray tries.\n- **Conditional Access Policies:** Implement Microsoft Entra Conditional Access policies to block or require MFA for sign-ins from untrusted named locations or non-compliant devices, and pair them with Entra ID Protection sign-in risk policies so that risky sign-ins are challenged automatically. This is a form of **[D3-UGLPA: User Geolocation Logon Pattern Analysis](https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis)**.\n- **Audit and Logging ([`M1047 - Audit`](https://attack.mitre.org/mitigations/M1047/)):** Ensure that Entra sign-in logs (interactive and non-interactive), Entra audit logs and the Microsoft 365 unified audit log are enabled and exported to a SIEM for continuous monitoring and alerting; the portal retains sign-in logs for at most 30 days, which is shorter than most investigations need.","🇮🇷 Iranian APT Gray Sandstorm linked to password spray attacks against Israel & UAE. The campaign, targeting M365 accounts, appears coordinated with kinetic military strikes to aid in damage assessment. 
#APT #Iran #CyberWarfare #PasswordSpray","The Iranian APT group Gray Sandstorm is suspected of conducting a large-scale password spray attack against Microsoft 365 accounts in Israel and the UAE to support kinetic military operations.",[13,14,15],"Threat Actor","Cyberattack","Phishing","high",[18,22,26,29],{"name":19,"type":20,"url":21},"Gray Sandstorm","threat_actor","https://attack.mitre.org/groups/G0124/",{"name":23,"type":24,"url":25},"Check Point","vendor","https://www.checkpoint.com/",{"name":27,"type":24,"url":28},"Microsoft","https://www.microsoft.com/security",{"name":30,"type":31,"url":32},"Microsoft 365","product","https://www.microsoft.com/en-us/microsoft-365",[],[35],{"url":36,"title":37,"date":38,"friendly_name":39,"website":40},"https://risky.biz/bulletin-apr1-2026/","Risky Bulletin: Iranian password sprays came first, then came the missiles","2026-04-01","Risky Business","risky.biz",[],[43,47,51],{"id":44,"name":45,"tactic":46},"T1110.003","Password Spraying","Credential Access",{"id":48,"name":49,"tactic":50},"T1078.004","Valid Accounts: Cloud Accounts","Defense Evasion",{"id":52,"name":53,"tactic":54},"T1589.002","Gather Victim Identity Information: Email Addresses","Reconnaissance",[56,65,74],{"id":57,"name":58,"d3fend_techniques":59,"description":63,"domain":64},"M1032","Multi-factor Authentication",[60],{"id":61,"name":58,"url":62},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","The most effective control to defeat password spraying. 
Even with a valid password, the attacker is stopped without the second factor, provided legacy authentication protocols that cannot present an MFA challenge are blocked.","enterprise",{"id":66,"name":67,"d3fend_techniques":68,"description":73,"domain":64},"M1027","Password Policies",[69],{"id":70,"name":71,"url":72},"D3-SPP","Strong Password Policy","https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy","Enforce strong password requirements and use a password filter to block common and compromised passwords.",{"id":75,"name":76,"d3fend_techniques":77,"description":82,"domain":64},"M1047","Audit",[78],{"id":79,"name":80,"url":81},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","Continuously audit authentication logs to detect the patterns of a password spray attack.",[84,86,92],{"technique_id":61,"technique_name":58,"url":62,"recommendation":85,"mitre_mitigation_id":57},"To directly neutralize the threat from Gray Sandstorm's password spraying campaign, targeted organizations must enforce MFA for all Microsoft 365 accounts. A sprayed password is worthless on its own when every sign-in path requires a second factor; that condition holds only if legacy authentication (basic authentication for IMAP, POP3, SMTP AUTH and Exchange ActiveSync), which cannot present an MFA challenge, is blocked through Conditional Access. Even if the attacker correctly guesses a user's password, they are then blocked from accessing the account. For high-value targets like government municipalities, it is crucial to use phishing-resistant MFA methods such as FIDO2 security keys rather than SMS or simple push notifications. Together with blocking legacy authentication, this single control is the most important defense against this TTP.",{"technique_id":87,"technique_name":88,"url":89,"recommendation":90,"mitre_mitigation_id":91},"D3-ANET","Authentication Event Thresholding","https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding","For detection, security teams must configure their SIEM to ingest Microsoft Entra ID sign-in logs and create specific rules to detect password spraying. 
A high-fidelity rule alerts when a single source (an IP address, and separately a /24 or ASN, since sprays rotate through proxy and residential pools) generates a high number of failed sign-ins (e.g., >20) with ResultType 50126 (InvalidUserNameOrPassword) across many distinct user accounts (e.g., >10) within a short time frame (e.g., 5 minutes). This pattern is the classic signature of a password spray. Include 50053 (account locked) so that sprays which do trip lockout are not hidden, and track 50034 (UserAccountNotFound) as a separate enumeration signal. Any ResultType 0 from a source that has just produced this pattern is the highest-priority event in the queue. Tuning these thresholds to your organization's baseline will provide early warning of an attack in progress and allow rapid response: blocking the source with a Conditional Access named location, and resetting passwords and revoking sessions for any account it signed into.","M1047",{"technique_id":93,"technique_name":94,"url":95,"recommendation":96,"mitre_mitigation_id":97},"D3-UGLPA","User Geolocation Logon Pattern Analysis","https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis","Leverage Microsoft Entra Conditional Access to build policies that block or challenge authentication attempts from untrusted locations. For municipalities in Israel and the UAE, a named location for Iran could be used to block all authentication attempts originating from Iranian IP ranges. While attackers can use proxies, this provides a valuable layer of defense. More dynamically, use Entra ID Protection's risk-based Conditional Access policies (sign-in risk and user risk), which leverage Microsoft's threat intelligence to automatically challenge or block sign-ins from anomalous or suspicious locations, effectively automating the analysis of logon patterns and blocking attacks like those from Gray Sandstorm.","M1036",[],[100,105,110],{"type":101,"value":102,"description":103,"context":104,"confidence":16},"log_source","Microsoft Entra ID Sign-in logs","Analyze for a high number of failed authentications (ResultType 50126 - InvalidUserNameOrPassword) across multiple accounts originating from a small set of IP addresses, subnets or ASNs, followed by any successful sign-in (ResultType 0) from the same source.","SIEM, Azure Log Analytics",{"type":106,"value":107,"description":108,"context":109,"confidence":16},"event_id","50126","The error code in Entra ID sign-in logs for 'Invalid username or password'. 
A spike in this error across many accounts is a key indicator of a password spray attack.","Microsoft Entra ID logs",{"type":111,"value":112,"description":113,"context":114,"confidence":115},"network_traffic_pattern","Logins from Iranian IP space","While attackers often use proxies, monitoring for a cluster of failed logins originating from Iranian IP addresses against government targets in Israel/UAE would be a strong indicator.","SIEM, Threat Intelligence Platform","medium",[117,19,118,119,30,120],"password spray","Iran","APT","hybrid warfare","2026-04-02T15:00:00.000Z","Analysis",{"geographic_scope":124,"countries_affected":125,"industries_affected":128,"other_affected":130},"regional",[126,127],"Israel","United Arab Emirates",[129],"Government",[131,132],"Municipalities","Private sector organizations","2026-04-02",6,1775141533539]