Iran Password Spray: 300+ Orgs Targeted via M365

Published April 9, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

Threat intelligence researchers uncovered a three-wave Iran-nexus password spraying campaign that hit 300+ organizations across government, energy, and tech sectors during March 2026. Attackers used Tor exit nodes for scanning and commercial VPNs geolocated to target countries to bypass conditional access controls on Microsoft 365 tenants.

Bottom Line: Run an MFA coverage audit on every Microsoft 365 account this week — service accounts and shared mailboxes without MFA are the most likely entry points.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
High
▾

Algeria’s government ministries, energy companies (Sonatrach, Sonelgaz), and enterprises are rapidly adopting Microsoft 365. The same password spraying techniques used against Middle Eastern targets apply directly to Algerian M365 tenants.

Infrastructure Ready?
Partial
▾

Many Algerian organizations use Microsoft 365 but lack comprehensive conditional access policies, universal MFA enforcement, and centralized SIEM monitoring needed to detect and block password spray campaigns.

Skills Available?
Partial
▾

Algeria has growing cybersecurity talent but limited specialized cloud identity security expertise. Few Algerian SOC teams have experience investigating M365-specific attack patterns like Tor-based spraying with VPN-geolocated follow-up.

Action Timeline
Immediate
▾

This campaign is assessed as ongoing. Algerian organizations using Microsoft 365 should audit MFA coverage, review conditional access policies, and enable sign-in log monitoring within the next 30 days.

Key Stakeholders
SOC analysts, Microsoft 365 administrators, CISOs at government agencies and energy companies, IT security managers at banks and telecoms.

Decision Type
Tactical
▾

Direct, actionable defensive measures can be implemented immediately without strategic planning or budget approval.

Quick Take: Algerian organizations on Microsoft 365 face the same attack surface exploited in this campaign. The immediate priority is auditing every M365 tenant for accounts without MFA — especially service accounts and shared mailboxes — and implementing conditional access policies that flag VPN-based logins from unexpected providers like Windscribe and NordVPN.

A Three-Wave Campaign Hiding in Plain Sight

In late March 2026, threat intelligence researchers published findings on one of the most methodical cloud credential campaigns observed this year. An Iran-nexus threat actor executed three distinct attack waves — on March 3, March 13, and March 23 — targeting Microsoft 365 environments across the Middle East, Europe, and the United States.

The campaign’s scale was significant: over 300 organizations were targeted in the primary region alone, with additional activity observed against a limited number of targets in Europe, the United Kingdom, the United States, and Saudi Arabia. The sectors hit include government entities, municipalities, technology companies, transportation operators, energy sector organizations, and private-sector firms.

What makes this campaign notable is not just its scope but its operational sophistication. The attackers followed a disciplined three-phase cycle — scan, infiltrate, exfiltrate — that maximized credential harvest while minimizing detection.

Anatomy of the Attack: Three Phases

Phase 1: Scan via Tor

The attackers conducted intensive password-spraying scans against hundreds of organizations simultaneously. Rather than hammering a single account with multiple passwords (which triggers lockout protections), password spraying tries a small number of common passwords against a large number of accounts — staying below the threshold that would trigger security alerts.

To avoid IP-based blocking, the attackers routed all scan traffic through Tor exit nodes, changing nodes frequently to prevent pattern-based detection. The scan traffic used a User-Agent string masquerading as Internet Explorer 10 — a browser that has been out of active support for years, making it an anomalous but often-overlooked signal in enterprise logs.

Phase 2: Infiltrate via Commercial VPNs

Once valid credentials were identified, the attackers shifted tactics entirely. Instead of continuing to operate through Tor, they conducted the full login process from commercial VPN services — specifically Windscribe (IP range 185.191.204.X) and NordVPN (IP range 169.150.227.X) — with endpoints geolocated to match the target organizations’ expected geographic regions.

This geographic spoofing is designed to bypass conditional access policies that many organizations use to restrict logins to approved locations. An attacker logging in from a VPN server geolocated to the same country as the target organization would not trigger geographic anomaly alerts.

Phase 3: Exfiltrate

With valid sessions established, the attackers accessed sensitive data including personal email content. The researchers’ analysis suggests the exfiltration phase was targeted rather than indiscriminate — the attackers appear to have prioritized specific accounts and data types rather than bulk-downloading everything available.

Attribution and Threat Actor Profile

The researchers’ analysis links the campaign to an Iran-nexus threat actor with similarities to Gray Sandstorm, a Microsoft-tracked threat group. Key indicators include:

Use of red-team tools to conduct password spraying via Tor exit nodes, consistent with known Gray Sandstorm tradecraft.
Commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), an autonomous system that has been previously associated with Iran-nexus operations in the Middle East.
Operational cadence — the 10-day interval between attack waves suggests a structured campaign with planning and analysis phases between each wave.

The campaign is assessed to be ongoing as of early April 2026.

Why Password Spraying Still Works

Password spraying remains effective despite being one of the oldest credential attack techniques because it exploits a fundamental tension in enterprise security: organizations need their employees to be able to log in.

Modern organizations typically set account lockout thresholds at 5-10 failed attempts within a short window. Password spraying stays below this threshold by trying only one or two passwords per account per wave. Against a target set of 300+ organizations with thousands of accounts each, even a success rate below 1% yields hundreds of valid credentials.

The shift to cloud-based identity — particularly Microsoft 365, which consolidates email, file storage, collaboration, and business applications behind a single credential — means that a successful password spray attack grants access to far more than email. A compromised M365 account can access SharePoint documents, Teams conversations, OneDrive files, and potentially administrative interfaces.

Multi-factor authentication (MFA) is the primary defense against credential-based attacks, but adoption remains uneven. According to Microsoft’s own reporting, a significant percentage of enterprise M365 tenants still have accounts without MFA enabled, particularly service accounts, shared mailboxes, and legacy applications that do not support modern authentication protocols.

Defensive Measures

Security researchers and Microsoft recommend several countermeasures:

Monitor sign-in logs for password spray indicators. Look for clusters of failed authentication attempts across multiple accounts from the same IP ranges, particularly Tor exit nodes. The IE10 User-Agent string is an additional signal worth monitoring.

Apply conditional access controls rigorously. Restrict authentication to approved geographic locations and require device compliance checks. Critically, ensure that VPN-based logins are subject to additional verification rather than being treated as equivalent to on-premises authentication.

Enforce MFA universally. This means every account — including service accounts, shared mailboxes, and break-glass emergency accounts. Conditional access policies should require MFA for all sign-ins from unrecognized devices or locations.

Enable comprehensive audit logging. Post-compromise investigation requires detailed logs of authentication events, mailbox access, file downloads, and administrative actions. Many organizations have logging disabled or set to minimal retention, limiting their ability to assess damage after a breach.

Block legacy authentication protocols. Older protocols like POP, IMAP, and SMTP AUTH do not support MFA and are frequently targeted by credential attacks. Disabling these protocols across the tenant eliminates a common attack surface.

The Bigger Picture: Cloud Identity Under Siege

This campaign is part of a broader pattern. State-sponsored actors are increasingly targeting cloud identity infrastructure — particularly Microsoft 365 and Azure AD (now Entra ID) — because it represents the single largest concentration of enterprise credentials and data in the world.

The Iran-nexus campaign demonstrates that sophisticated actors do not need novel exploits or advanced malware to compromise enterprise environments. They need patience, automation, and a target set where a small percentage of accounts inevitably have weak passwords and no MFA. The tools they use — Tor, commercial VPNs, and password spraying scripts — are widely available and inexpensive.

For security teams, the lesson is clear: cloud identity is critical infrastructure, and defending it requires the same rigor applied to network perimeters and endpoint security. Password spraying may be an old technique, but in the cloud era, it remains devastatingly effective.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

Why is password spraying still effective against modern organizations in 2026?

Password spraying stays below lockout thresholds by trying only one or two common passwords per account across thousands of accounts simultaneously. Even with a sub-1% success rate, spraying 300+ organizations yields hundreds of valid credentials. The technique exploits the gap between security policy and enforcement — many organizations still have accounts with weak passwords and no MFA.

How did the attackers bypass geographic conditional access controls?

After identifying valid credentials via Tor-routed scanning, the attackers switched to commercial VPN services (Windscribe and NordVPN) with exit points geolocated to match target organizations’ countries. This made logins appear to originate from expected locations, bypassing geographic anomaly detection that many organizations rely on as a primary defense.

What is the single most effective defense against this type of campaign?

Universal multi-factor authentication (MFA) across every account — including service accounts, shared mailboxes, and break-glass emergency accounts. MFA renders stolen passwords useless because attackers cannot complete the second authentication factor. Organizations should also disable legacy protocols (POP, IMAP, SMTP AUTH) that do not support MFA.