
As conflict continues in the Middle East, Iranian-linked attackers are suspected to be behind a password spraying campaign targeting Microsoft 365 environments in Israel and the United Arab Emirates.
According to Check Point, the activity is assessed to be ongoing and was carried out in three separate attack waves, on March 3, March 13, and March 23, 2026.
“This campaign is primarily focused on Israel and the UAE, impacting over 300 organizations in Israel and over 25 organizations in the UAE,” the Israeli cybersecurity firm said. “Activity related to the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia.”
The campaign is assessed to target cloud environments of government agencies, local governments, organizations in the technology, transportation, and energy sectors, and private companies in the region.
Password spraying is a type of brute-force attack in which a threat actor tries a single common password against many usernames on the same application. Because each account sees only one or two attempts, it is also considered a more effective way to identify weak credentials at scale without triggering rate-limiting or lockout defenses.
Check Point said this technique has been known to be used in the past by Iranian hacker groups such as Peach Sandstorm and Gray Sandstorm (formerly known as DEV-0343) to infiltrate targeted networks.
The campaign unfolds in three phases: an aggressive scan or password spray performed from a Tor exit node, followed by a login with the credentials obtained, and then extraction of sensitive data such as mailbox contents.
“Analysis of M365 logs suggests similarities to Gray Sandstorm, including the use of Red Team tools to execute these attacks via Tor exit nodes,” Check Point said. “The attackers used a commercial VPN node hosted on AS35758 (Rachamim Aviel Twito), which is consistent with recent activity related to Iranian-linked activity in the Middle East.”

To combat this threat, organizations are encouraged to monitor sign-in logs for signs of password spraying, apply conditional access controls to limit authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logging for post-breach investigations.
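One way to act on the sign-in log monitoring recommended above, as an added example that is not Check Point's or Microsoft's code: it runs a distinct-account fan-out check over constructed Entra ID-style sign-in records (the field names follow the Entra sign-in log schema and error code 50126 is Entra's "invalid username or password"; the 30-minute window and 10-account threshold are assumptions to tune per tenant).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): one source IP fails against
# 12 different accounts within seconds, then one account authenticates from it;
# a second IP shows an ordinary user mistyping a password once.
SIGN_INS = [
    {"createdDateTime": f"2026-03-03T02:00:{i:02d}Z", "userPrincipalName": f"user{i:02d}@example.com",
     "ipAddress": "203.0.113.7", "errorCode": 50126}
    for i in range(12)
] + [
    {"createdDateTime": "2026-03-03T02:00:13Z", "userPrincipalName": "user12@example.com",
     "ipAddress": "203.0.113.7", "errorCode": 0},
    {"createdDateTime": "2026-03-03T09:15:00Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.4", "errorCode": 50126},
    {"createdDateTime": "2026-03-03T09:15:20Z", "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.4", "errorCode": 0},
]

INVALID_CREDENTIALS = 50126  # Entra ID error code for a wrong username or password


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30), min_users=10):
    """Return one alert per source IP whose credential failures inside any `window`
    touch at least `min_users` distinct accounts (the spray signature: wide fan-out,
    few attempts per account). Each alert also lists accounts that later signed in
    successfully from the same IP, which is the first thing to check after a spray."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=_ts):
        by_ip[r["ipAddress"]].append(r)
    alerts = []
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r["errorCode"] == INVALID_CREDENTIALS]
        successes = sorted({r["userPrincipalName"] for r in recs if r["errorCode"] == 0})
        start, peak = 0, 0
        for end in range(len(failures)):  # sliding window over time-ordered failures
            while _ts(failures[end]) - _ts(failures[start]) > window:
                start += 1
            peak = max(peak, len({r["userPrincipalName"] for r in failures[start:end + 1]}))
        if peak >= min_users:
            alerts.append({"ip": ip, "distinct_users": peak, "successful_logins": successes})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SIGN_INS):
        print(alert)
```

Pointing the same function at a real export of the tenant's sign-in logs, with a threshold set from the tenant's normal failure rate, gives the alert that the mitigation paragraph asks for.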
Iran revives Pay2Key business
The disclosure comes after U.S. healthcare institutions were targeted in late February 2026 by Pay2Key, an Iranian ransomware group with ties to the country's government. The Ransomware-as-a-Service (RaaS) operation, associated with the Fox Kitten group, first emerged in 2020.
The variant used in this attack is an upgrade over a previous campaign observed in July 2025, with improved evasion, execution, and anti-forensic techniques. Beazley Security and Halcyon said no data was compromised during the attack, a departure from the group's double extortion scheme.
The attack allegedly leveraged unidentified access routes to infiltrate organizations, used legitimate remote access tools such as TeamViewer to establish a foothold, collected credentials for lateral movement, disabled Microsoft Defender Antivirus by falsely reporting that third-party antivirus products were active, prevented recovery, deployed the ransomware, dropped ransom notes, and wiped logs to cover its tracks.
“By clearing the logs at the end of execution rather than at the beginning, attackers ensure that they erase not only the pre-ransomware activity, but even the ransomware’s own activity,” Halcyon said.
Among the key changes the group enacted after its return last year was offering affiliates a 70% to 80% reduction in ransom proceeds if they participate in attacks targeting Iran’s enemies. A month later, a Linux variant of Pay2Key ransomware was detected in the wild.
“The samples are configuration-driven, require root-level privileges to run, and are designed to traverse a wide range of file systems, classify mounts, and encrypt data using ChaCha20 in full or partial mode,” Morphisec researcher Ilia Kulmin said in a report published last month.
“Before encryption, we weaken defenses and remove friction by stopping services, killing processes, disabling SELinux and AppArmor, and installing reboot cron entries. This allows encryption programs to run faster and survive reboots.”
In March 2026, Halcyon also revealed that Uke, the custodian of Sicarii ransomware, had urged pro-Iranian operators to use Baqiyat 313 Locker (also known as BQTLock) due to an influx of affiliate requests. BQTLock, which operates with pro-Palestinian motives, has been targeting the UAE, the United States, and Israel since July 2025.
“Iran has a long track record of using cyber operations to retaliate against perceived political slights,” the cybersecurity firm said. “Ransomware is increasingly integrated into these activities, and ransomware campaigns are blurring the line between criminal extortion and state-sponsored sabotage.”
