An Iranian-aligned cyber group is suspected of running a password-spraying campaign against Microsoft 365 accounts in Israel and the United Arab Emirates amid ongoing regional tensions. The campaign, identified by Check Point, was carried out in three waves on March 3, March 13, and March 23, 2026.
Impact on Organizations
Over 300 Israeli organizations and more than 25 in the U.A.E. have been affected, with additional targets observed in Europe, the United States, the United Kingdom, and Saudi Arabia. The attackers primarily targeted cloud infrastructure across the government, municipal, technology, transportation, and energy sectors.
Password spraying tries a single common password against many accounts rather than many passwords against one, so weak credentials can be found without tripping the per-account lockout thresholds that repeated guesses against a single account would trigger. The technique has previously been used by Iranian groups such as Peach Sandstorm and Gray Sandstorm.
Technical Aspects of the Attacks
The operation follows a three-step process: initial scanning and spraying from Tor exit nodes, follow-up login attempts, and extraction of sensitive data such as email contents. Check Point's analysis indicates the use of tooling similar to Gray Sandstorm's, including commercial VPN nodes, which aligns with recent Iranian activity in the Middle East.
Organizations are advised to review sign-in logs for suspicious activity, implement Conditional Access policies, enforce multi-factor authentication, and retain audit logs so that a post-breach investigation is possible.
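One way to surface the spray pattern described above in sign-in logs, as an added example that is not from Check Point's report: it assumes Entra ID sign-in log fields (user, source IP, error code, with 50126 meaning a bad password and 0 a success) and runs over constructed sample records, separating a spray (many accounts, few tries each) from a single-account brute force.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, not real log data. Fields mirror the
# Entra ID sign-in log: (createdDateTime, userPrincipalName, ipAddress, errorCode).
# errorCode 50126 is "invalid username or password"; 0 is a successful sign-in.
SIGN_INS = [
    ("2026-03-13T02:00:01", "alice@example.gov", "203.0.113.7",  50126),
    ("2026-03-13T02:00:04", "bob@example.gov",   "203.0.113.7",  50126),
    ("2026-03-13T02:00:09", "carol@example.gov", "203.0.113.7",  50126),
    ("2026-03-13T02:00:15", "dave@example.gov",  "203.0.113.7",  50126),
    ("2026-03-13T02:00:22", "erin@example.gov",  "203.0.113.7",  50126),
    ("2026-03-13T02:00:30", "frank@example.gov", "203.0.113.7",  50126),
    ("2026-03-13T02:01:02", "frank@example.gov", "203.0.113.7",  0),      # a sprayed password worked
    ("2026-03-13T02:05:00", "alice@example.gov", "198.51.100.9", 50126),  # brute force: one account, many tries
    ("2026-03-13T02:05:10", "alice@example.gov", "198.51.100.9", 50126),
    ("2026-03-13T02:05:20", "alice@example.gov", "198.51.100.9", 50126),
    ("2026-03-13T02:05:30", "alice@example.gov", "198.51.100.9", 50126),
    ("2026-03-13T02:05:40", "alice@example.gov", "198.51.100.9", 50126),
    ("2026-03-13T09:12:00", "bob@example.gov",   "192.0.2.44",   50126),  # ordinary typo from the office
    ("2026-03-13T09:12:20", "bob@example.gov",   "192.0.2.44",   0),
]


def detect_spray(records, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {ip: sorted accounts} for source IPs whose failures inside one window hit
    at least min_accounts distinct users with at most max_per_account tries each.
    Many accounts with few tries each is the spray signature; many tries on one
    account is classic brute force and is left to the lockout policy."""
    failures = defaultdict(list)
    for ts, user, ip, code in records:
        if code != 0:
            failures[ip].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window, starting at each failure
            users = [u for t, u in fails[i:] if t - start <= window]
            if len(set(users)) >= min_accounts and max(map(users.count, users)) <= max_per_account:
                alerts[ip] = sorted(set(users))
                break
    return alerts


def compromised_after_spray(records, alerts):
    """Accounts that later signed in successfully from a flagged IP: the sprayed
    password worked, so the account needs a reset and session revocation."""
    return sorted({user for _, user, ip, code in records if code == 0 and ip in alerts})
```

Thresholds are deliberately tunable; in a real tenant, feed the same logic from the exported sign-in log and pair it with the Conditional Access and MFA controls above so that a found password is not enough on its own.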
Revival of Pay2Key Operations
Concurrently, Pay2Key, an Iranian ransomware group, has resurfaced, hitting a U.S. healthcare entity in February 2026. The attack marks an evolution from the group's earlier campaigns, employing more advanced evasion and anti-forensics techniques. Despite that, no data was exfiltrated during the incident, a departure from its traditional double-extortion approach.
The attackers gained entry through an initial access vector that has not been identified, then used legitimate remote access tools to move within the environment, disable Microsoft Defender, and deploy the ransomware. Notably, the group has raised affiliate profit shares to incentivize attacks against Iran's perceived adversaries, reflecting a strategic shift.
In March 2026, the Sicarii ransomware administrator encouraged the use of Baqiyat 313 Locker against targets in the U.A.E., the U.S., and Israel. These operations highlight Iran's continued use of cyber tactics in geopolitical conflicts, blurring the line between criminal and state-sponsored activity.
The evolving nature of these cyber threats underscores the need for comprehensive security measures and international cooperation to mitigate risks and protect critical infrastructures.
