A Three-Wave Campaign Hiding in Plain Sight
In late March 2026, threat intelligence researchers published findings on one of the most methodical cloud credential campaigns observed this year. An Iran-nexus threat actor executed three distinct attack waves — on March 3, March 13, and March 23 — targeting Microsoft 365 environments across the Middle East, Europe, and the United States.
The campaign’s scale was significant: over 300 organizations were targeted in the primary region alone, with additional activity observed against a limited number of targets in Europe, the United Kingdom, the United States, and Saudi Arabia. The sectors hit include government entities, municipalities, technology companies, transportation operators, energy sector organizations, and private-sector firms.
What makes this campaign notable is not just its scope but its operational sophistication. The attackers followed a disciplined three-phase cycle — scan, infiltrate, exfiltrate — that maximized credential harvest while minimizing detection.
Anatomy of the Attack: Three Phases
Phase 1: Scan via Tor
The attackers conducted intensive password-spraying scans against hundreds of organizations simultaneously. Rather than hammering a single account with multiple passwords (which triggers lockout protections), password spraying tries a small number of common passwords against a large number of accounts — staying below the threshold that would trigger security alerts.
To avoid IP-based blocking, the attackers routed all scan traffic through Tor exit nodes, changing nodes frequently to prevent pattern-based detection. The scan traffic used a User-Agent string masquerading as Internet Explorer 10 — a browser that has been out of active support for years, making it an anomalous but often-overlooked signal in enterprise logs.
Phase 2: Infiltrate via Commercial VPNs
Once valid credentials were identified, the attackers shifted tactics entirely. Instead of continuing to operate through Tor, they conducted the full login process from commercial VPN services — specifically Windscribe (IP range 185.191.204.X) and NordVPN (IP range 169.150.227.X) — with endpoints geolocated to match the target organizations’ expected geographic regions.
This geographic spoofing is designed to bypass conditional access policies that many organizations use to restrict logins to approved locations. An attacker logging in from a VPN server geolocated to the same country as the target organization would not trigger geographic anomaly alerts.
Phase 3: Exfiltrate
With valid sessions established, the attackers accessed sensitive data including personal email content. The researchers’ analysis suggests the exfiltration phase was targeted rather than indiscriminate — the attackers appear to have prioritized specific accounts and data types rather than bulk-downloading everything available.
Attribution and Threat Actor Profile
The researchers’ analysis links the campaign to an Iran-nexus threat actor with similarities to Gray Sandstorm, a Microsoft-tracked threat group. Key indicators include:
- Use of red-team tools to conduct password spraying via Tor exit nodes, consistent with known Gray Sandstorm tradecraft.
- Commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), an autonomous system that has been previously associated with Iran-nexus operations in the Middle East.
- Operational cadence — the 10-day interval between attack waves suggests a structured campaign with planning and analysis phases between each wave.
The campaign is assessed to be ongoing as of early April 2026.
Why Password Spraying Still Works
Password spraying remains effective despite being one of the oldest credential attack techniques because it exploits a fundamental tension in enterprise security: organizations need their employees to be able to log in.
Modern organizations typically set account lockout thresholds at 5-10 failed attempts within a short window. Password spraying stays below this threshold by trying only one or two passwords per account per wave. Against a target set of 300+ organizations with thousands of accounts each, even a success rate below 1% yields hundreds of valid credentials.
The shift to cloud-based identity — particularly Microsoft 365, which consolidates email, file storage, collaboration, and business applications behind a single credential — means that a successful password spray attack grants access to far more than email. A compromised M365 account can access SharePoint documents, Teams conversations, OneDrive files, and potentially administrative interfaces.
Multi-factor authentication (MFA) is the primary defense against credential-based attacks, but adoption remains uneven. According to Microsoft’s own reporting, a significant percentage of enterprise M365 tenants still have accounts without MFA enabled, particularly service accounts, shared mailboxes, and legacy applications that do not support modern authentication protocols.
Defensive Measures
Security researchers and Microsoft recommend several countermeasures:
Monitor sign-in logs for password spray indicators. Look for clusters of failed authentication attempts across multiple accounts from the same IP ranges, particularly Tor exit nodes. The IE10 User-Agent string is an additional signal worth monitoring.
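The three indicators this recommendation names (many distinct accounts failing from one source, Tor exit membership, the IE10 User-Agent) and the Phase 1 to Phase 2 handoff described earlier (a sprayed account that then signs in successfully from a different network) can be checked from sign-in logs alone. The script below is an added example, not code from the article or from the researchers it cites. It assumes a simplified, constructed event schema, uses a stand-in set for a Tor exit list (the Tor Project publishes a live one at https://check.torproject.org/torbulkexitlist), and every IP address and ASN in it is a documentation or private example value, not a real indicator:

```python
"""Sign-in log triage for password-spray and scan-then-login pivot indicators.

Added example; not code from the article or the researchers it cites. The event
schema is a constructed, simplified view of a cloud sign-in log, TOR_EXIT_NODES
stands in for a real exit-list feed, and all IPs/ASNs are example values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
TOR_EXIT_NODES = {"198.51.100.7"}   # assumption: replace with the live exit list

# Constructed sample: six accounts each fail once from one Tor-listed IP within
# minutes (spray); one of them succeeds from another network three hours later
# (pivot); an unrelated user mistypes a password at the office and retries.
SAMPLE_EVENTS = [
    ("2026-03-03T01:00:00Z", "u1@example.com", "198.51.100.7", 64500, "failure", IE10_UA),
    ("2026-03-03T01:01:00Z", "u2@example.com", "198.51.100.7", 64500, "failure", IE10_UA),
    ("2026-03-03T01:02:00Z", "u3@example.com", "198.51.100.7", 64500, "failure", IE10_UA),
    ("2026-03-03T01:03:00Z", "u4@example.com", "198.51.100.7", 64500, "failure", IE10_UA),
    ("2026-03-03T01:04:00Z", "u5@example.com", "198.51.100.7", 64500, "failure", IE10_UA),
    ("2026-03-03T01:05:00Z", "u6@example.com", "198.51.100.7", 64500, "failure", IE10_UA),
    ("2026-03-03T04:30:00Z", "u1@example.com", "203.0.113.20", 64501, "success", CHROME_UA),
    ("2026-03-03T08:00:00Z", "u7@example.com", "192.0.2.10", 64502, "failure", CHROME_UA),
    ("2026-03-03T08:01:00Z", "u7@example.com", "192.0.2.10", 64502, "success", CHROME_UA),
]


def load_events(rows):
    """Turn raw rows into dicts with a parsed UTC timestamp."""
    fields = ("ts", "user", "ip", "asn", "result", "ua")
    events = []
    for row in rows:
        e = dict(zip(fields, row))
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def is_ie10(user_agent):
    """The campaign's scan traffic claimed to be Internet Explorer 10."""
    return "MSIE 10.0" in (user_agent or "")


def find_spray_sources(events, min_users=5, window=timedelta(hours=1)):
    """Source IPs whose failures touch >= min_users distinct accounts in one window.

    Per-account lockout counters never fire on a spray (one or two tries per
    account), so the detection keys on the source rather than the account.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)
    sources = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        peak = 0
        for i, first in enumerate(fails):   # sliding window over sorted failures
            in_window = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak >= min_users:
            sources[ip] = {
                "distinct_users": peak,
                "tor_exit": ip in TOR_EXIT_NODES,
                "ie10_ua": any(is_ie10(e["ua"]) for e in fails),
            }
    return sources


def find_pivots(events, spray_ips, max_gap=timedelta(hours=24)):
    """Accounts sprayed from a flagged IP that later succeed from a different ASN:
    the scan-then-infiltrate handoff the article describes."""
    sprayed = defaultdict(list)
    for e in events:
        if e["result"] == "failure" and e["ip"] in spray_ips:
            sprayed[e["user"]].append(e)
    pivots = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success" or e["user"] not in sprayed:
            continue
        for f in sprayed[e["user"]]:
            gap = e["ts"] - f["ts"]
            if timedelta(0) <= gap <= max_gap and e["asn"] != f["asn"]:
                pivots.append((e["user"], f["ip"], e["ip"]))
                break
    return pivots


def triage(rows=SAMPLE_EVENTS):
    """Return (spray sources, pivot candidates) for a batch of sign-in rows."""
    events = load_events(rows)
    sources = find_spray_sources(events)
    return sources, find_pivots(events, set(sources))


if __name__ == "__main__":
    sources, pivots = triage()
    print("spray sources:", sources)
    print("review these accounts (user, scan ip, login ip):", pivots)
```

On the constructed sample the only flagged source is the Tor-listed IP (six accounts in five minutes, IE10 User-Agent), and the one pivot candidate is the account that succeeded from a different ASN a few hours after being sprayed; the office user's typo-then-retry from the same network is not reported. Thresholds are assumptions to tune per tenant.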
Apply conditional access controls rigorously. Restrict authentication to approved geographic locations and require device compliance checks. Critically, ensure that VPN-based logins are subject to additional verification rather than being treated as equivalent to on-premises authentication.
Enforce MFA universally. This means every account — including service accounts, shared mailboxes, and break-glass emergency accounts. Conditional access policies should require MFA for all sign-ins from unrecognized devices or locations.
Enable comprehensive audit logging. Post-compromise investigation requires detailed logs of authentication events, mailbox access, file downloads, and administrative actions. Many organizations have logging disabled or set to minimal retention, limiting their ability to assess damage after a breach.
Block legacy authentication protocols. Older protocols like POP, IMAP, and SMTP AUTH do not support MFA and are frequently targeted by credential attacks. Disabling these protocols across the tenant eliminates a common attack surface.
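The four controls above interact: a location rule on its own is exactly what the geolocated VPN logins in Phase 2 slipped past, whereas a policy that blocks legacy protocols first and then demands MFA (plus device compliance for unknown devices or known VPN egress) stops the same sign-in. The evaluator below is an added example, not the article's or Microsoft's code; it is a deliberately simplified stand-in for how Entra ID conditional access is evaluated (block policies first, then every grant control must be met), and the approved country, the VPN range and the three sign-ins are constructed values:

```python
"""Toy conditional-access evaluation: the weak (geo-only) policy beside a hardened one.

Added example, not the article's or Microsoft's code. The evaluation order is a
simplified model of Entra ID conditional access; country, ranges and sign-ins
are constructed values (documentation prefixes, not the article's real ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LEGACY_PROTOCOLS = {"pop3", "imap4", "smtp_auth"}   # cannot complete MFA
APPROVED_COUNTRIES = {"US"}                          # assumption: single-country tenant
# Assumption: ranges the tenant has catalogued as commercial VPN egress.
VPN_EGRESS = [ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    protocol: str          # "modern" or one of LEGACY_PROTOCOLS
    country: str           # geolocation of the source IP
    ip: str
    known_device: bool     # registered or managed device
    device_compliant: bool
    mfa_satisfied: bool


def from_vpn(ip):
    """True when the source IP falls inside a catalogued VPN egress range."""
    return any(ip_address(ip) in net for net in VPN_EGRESS)


def geo_only_policy(s):
    """The weak setting: a location restriction and nothing else."""
    if s.country not in APPROVED_COUNTRIES:
        return "block", ["location not approved"]
    return "allow", []


def hardened_policy(s):
    """Block legacy auth, keep the location rule, then require MFA for everyone and
    device compliance when the device is unknown or the source is VPN egress."""
    if s.protocol in LEGACY_PROTOCOLS:
        return "block", ["legacy protocol"]
    if s.country not in APPROVED_COUNTRIES:
        return "block", ["location not approved"]
    unmet = []
    if not s.mfa_satisfied:
        unmet.append("mfa")
    if (from_vpn(s.ip) or not s.known_device) and not s.device_compliant:
        unmet.append("compliant device")
    return ("allow" if not unmet else "deny"), unmet


# Constructed sign-ins: a sprayed password replayed from an in-country VPN exit
# (the Phase 2 pattern), the same replayed over IMAP, and a normal employee.
VPN_REPLAY = SignIn("u1@example.com", "modern", "US", "203.0.113.20", False, False, False)
LEGACY_REPLAY = SignIn("svc-mail@example.com", "imap4", "US", "192.0.2.10", True, True, False)
EMPLOYEE = SignIn("u7@example.com", "modern", "US", "192.0.2.10", True, True, True)

if __name__ == "__main__":
    for s in (VPN_REPLAY, LEGACY_REPLAY, EMPLOYEE):
        print(s.user, "geo-only:", geo_only_policy(s), "hardened:", hardened_policy(s))
```

Both replayed-password sign-ins pass the geo-only policy because their source geolocates to the approved country; the hardened policy blocks the IMAP sign-in outright and denies the VPN sign-in for lacking MFA and a compliant device, while the ordinary employee is allowed. Whether to exclude break-glass accounts from such policies is a tenant decision this model does not make for you.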
The Bigger Picture: Cloud Identity Under Siege
This campaign is part of a broader pattern. State-sponsored actors are increasingly targeting cloud identity infrastructure — particularly Microsoft 365 and Azure AD (now Entra ID) — because it represents the single largest concentration of enterprise credentials and data in the world.
The Iran-nexus campaign demonstrates that sophisticated actors do not need novel exploits or advanced malware to compromise enterprise environments. They need patience, automation, and a target set where a small percentage of accounts inevitably have weak passwords and no MFA. The tools they use — Tor, commercial VPNs, and password spraying scripts — are widely available and inexpensive.
For security teams, the lesson is clear: cloud identity is critical infrastructure, and defending it requires the same rigor applied to network perimeters and endpoint security. Password spraying may be an old technique, but in the cloud era, it remains devastatingly effective.
Frequently Asked Questions
Why is password spraying still effective against modern organizations in 2026?
Password spraying stays below lockout thresholds by trying only one or two common passwords per account across thousands of accounts simultaneously. Even with a sub-1% success rate, spraying 300+ organizations yields hundreds of valid credentials. The technique exploits the gap between security policy and enforcement — many organizations still have accounts with weak passwords and no MFA.
How did the attackers bypass geographic conditional access controls?
After identifying valid credentials via Tor-routed scanning, the attackers switched to commercial VPN services (Windscribe and NordVPN) with exit points geolocated to match target organizations’ countries. This made logins appear to originate from expected locations, bypassing geographic anomaly detection that many organizations rely on as a primary defense.
What is the single most effective defense against this type of campaign?
Universal multi-factor authentication (MFA) across every account — including service accounts, shared mailboxes, and break-glass emergency accounts. MFA renders stolen passwords useless because attackers cannot complete the second authentication factor. Organizations should also disable legacy protocols (POP, IMAP, SMTP AUTH) that do not support MFA.
Sources & Further Reading
- Iran-Linked Password-Spraying Campaign Targets 300+ Microsoft 365 Organizations — The Hacker News
- Iran targets M365 accounts with password-spraying attacks — The Register
- Iran-Linked Hackers Launch Password Spray Campaign Against Microsoft 365 Tenants — Cybersecurity News
- Iranian Password Spraying Campaign Targets Microsoft 365: Detailed Technical Analysis — Security Affairs