
Iran-Linked Hackers Target Hundreds of Organisations in Middle East Cyber Campaign

Last updated: April 1, 2026
  • Suspected Iran-linked threat actors launched coordinated password-spraying attacks against more than 300 organizations across Israel and the UAE, hitting municipalities hardest.

  • Researchers believe the campaign may have supported bomb-damage assessment efforts following Iranian missile strikes on targeted cities.

  • The same attacker group also breached FBI Director Kash Patel’s personal email account, warning that “this is just our beginning.”


A wave of cyberattacks is sweeping across the Middle East, and researchers say the timing is no coincidence. Suspected Iran-linked hackers have been hammering hundreds of organizations with password-spraying attacks aimed squarely at Microsoft 365 accounts.

Tel Aviv-based Check Point Research revealed on Tuesday that the campaign struck more than 300 organizations in Israel and over 25 in the UAE, with similar activity hitting a limited number of targets in the US, Europe, and Saudi Arabia.

The attacks rolled out in three waves, on March 3, March 13, and March 23, pointing to a deliberate, structured operation rather than opportunistic hacking.

Iran-linked groups, including Gray Sandstorm and the Islamic Revolutionary Guard Corps-linked Peach Sandstorm, stand out for using this exact method to break into Microsoft 365 environments and harvest sensitive data.

Hackers Hit Municipalities Hardest and Researchers Think They Know Why

Israel’s municipal sector absorbed the heaviest blow from the attacks, but the targeting spread across multiple industries. Technology companies faced 63 intrusion attempts. Transportation and logistics absorbed 32. Healthcare and manufacturing each recorded 28 attempts.

The focus on municipalities caught researchers’ attention. Local governments play a central role in coordinating responses to physical damage from missile strikes, assessing destruction, organizing relief, and reporting conditions on the ground.

Check Point noted a striking overlap between the organizations targeted in the password-spraying campaign and the cities that Iranian missiles had previously struck.

“This hints at the campaign’s intention to support kinetic operations and Bombing Damage Assessment (BDA) endeavours,” the researchers wrote.

In plain terms: the hackers may have been trying to peek inside local government systems to see exactly how much damage the missiles caused, and plan their next moves accordingly.

How the Attackers Broke in and Covered Their Tracks

The mechanics of the attack reveal a carefully planned operation. The first step involved blasting hundreds of organizations’ Microsoft accounts with commonly used weak passwords, a technique known as password spraying.

The attackers constantly rotated their source IP addresses using Tor exit nodes, making it difficult to trace or block them. They also disguised their traffic with a User-Agent string mimicking Internet Explorer 10, an outdated browser, to fly under the radar of modern security monitoring tools.

Once the attackers found credentials that worked, they shifted tactics to avoid geographic access restrictions. They logged in from multiple VPN addresses geolocated in Israel, using IP ranges linked to Windscribe and NordVPN, to make their access appear local and legitimate. From there, they moved through personal email communications and sensitive data without triggering immediate red flags.

“According to M365 logs analysis, lookalikes of Gray Sandstorm use the application of red-team systems to carry out these hits through exit nodes on Tor,” the researchers wrote. They also flagged that the attacker relied on commercial VPN infrastructure tied to AS35758, a network that has surfaced repeatedly in suspected Iran-linked cyber operations across the Middle East.
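The three signals described above (one legacy User-Agent string failing against many accounts from rotating source IPs, and a later success for a sprayed account arriving from an ASN that never appeared in the failures) can be turned into simple detections over Microsoft 365 sign-in data. This is added example code, not from Check Point or the article; the sign-in records, ASNs, addresses and simplified field names are constructed.

```python
from collections import defaultdict

IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Constructed, simplified Microsoft 365 sign-in records (not real log data).
# Fields loosely mirror Entra ID sign-in logs: errorCode 0 = success,
# 50126 = invalid username or password. ASNs are from the private range.
SIGNINS = [
    {"user": u, "ip": ip, "asn": asn, "ua": ua, "errorCode": code}
    for u, ip, asn, ua, code in [
        ("alice@city.example", "192.0.2.10", 64500, IE10_UA, 50126),
        ("bob@city.example", "192.0.2.11", 64500, IE10_UA, 50126),
        ("carol@city.example", "192.0.2.12", 64501, IE10_UA, 50126),
        ("dave@city.example", "192.0.2.12", 64501, IE10_UA, 50126),
        ("erin@city.example", "192.0.2.13", 64501, IE10_UA, 50126),
        ("frank@city.example", "192.0.2.10", 64500, IE10_UA, 50126),
        # A working password was found: the actor returns via a VPN range (new ASN).
        ("alice@city.example", "198.51.100.7", 64502, CHROME_UA, 0),
        # Ordinary staff activity, including one mistyped password.
        ("grace@city.example", "203.0.113.5", 64510, CHROME_UA, 50126),
        ("grace@city.example", "203.0.113.5", 64510, CHROME_UA, 0),
    ]
]


def flag_legacy_user_agents(events):
    """Sign-ins whose User-Agent claims to be Internet Explorer 10."""
    return [e for e in events if "MSIE 10.0" in e["ua"]]


def detect_password_spray(events, min_users=5, min_ips=3):
    """Group failed sign-ins by User-Agent. One UA string failing against many
    distinct accounts from many distinct IPs is the shape of a distributed spray."""
    by_ua = defaultdict(lambda: {"users": set(), "ips": set()})
    for e in events:
        if e["errorCode"] == 50126:
            by_ua[e["ua"]]["users"].add(e["user"])
            by_ua[e["ua"]]["ips"].add(e["ip"])
    return {ua: s for ua, s in by_ua.items()
            if len(s["users"]) >= min_users and len(s["ips"]) >= min_ips}


def suspicious_successes(events):
    """Successful sign-ins for an account that was sprayed, coming from an ASN that
    never appeared in the failures against it (the switch to VPN infrastructure)."""
    failed_asns = defaultdict(set)
    for e in events:
        if e["errorCode"] == 50126:
            failed_asns[e["user"]].add(e["asn"])
    return [e for e in events if e["errorCode"] == 0
            and e["user"] in failed_asns and e["asn"] not in failed_asns[e["user"]]]
```

Real deployments would key the spray rule on a time window and tenant-wide baselines; the thresholds here are illustrative.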

These techniques are also being used against European targets: a recent DDoS attack on UK airports used similar methods to overwhelm systems and cause widespread disruption, highlighting the global reach of these tactics.

Iran-Linked Group Breaches FBI Director’s Personal Email

The password-spraying campaign is not the only headline-grabbing move from Iran-linked actors this week. Handala Hack, a group with confirmed ties to Iran’s intelligence agency and the crew behind the destructive Stryker cyberattack, announced it had broken into FBI Director Kash Patel’s personal email account. The group posted Patel’s resume and personal photos on its website on Friday, attaching a blunt message: “This is just our beginning.”

The FBI and its partners had briefly knocked Handala Hack’s websites offline just one week earlier. The group rebuilt and launched new domains within days, a show of resilience that underscores how difficult it is to permanently disrupt these operations.

Together, these incidents paint a picture of Iran-linked cyber actors growing bolder, faster, and more strategic. They are no longer just probing systems; they are tying digital intrusions directly to military objectives on the ground.


About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
