Iran‑Linked Password‑Spraying Campaign Hits 300+ Israeli & UAE Microsoft 365 Tenants
What Happened — An Iran‑affiliated threat group launched a multi‑wave password‑spraying operation against Microsoft 365 environments in Israel and the United Arab Emirates. The campaign unfolded on Mar 3, Mar 13 and Mar 23 2026, compromising credentials for more than 300 organizations.
Why It Matters for TPRM —
- Credential reuse across SaaS services can give attackers footholds in third‑party environments.
- Compromised Microsoft 365 accounts may be leveraged to exfiltrate sensitive corporate data or to launch further phishing attacks against partners.
- Ongoing activity indicates the threat actor is actively probing for weak passwords, raising the risk profile of any vendor that relies on Microsoft 365 for collaboration.
Who Is Affected — Technology‑SaaS providers, professional services firms, financial services, and any organization that uses Microsoft 365 as a primary productivity platform in the affected regions.
Recommended Actions —
- Verify that all Microsoft 365 accounts enforce strong, unique passwords and enable multi‑factor authentication (MFA).
- Review access logs for anomalous sign‑in activity from the listed regions and enforce conditional access policies.
- Conduct a rapid credential‑health assessment for any third‑party vendors that host data in Microsoft 365.
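As an added example for the log-review step above (not code from the source report), the following sketch flags source IPs whose failed sign-ins fan out across many accounts with only a few tries per account, and lists any accounts that then signed in successfully from the same IP. Field names follow the Microsoft Entra ID (formerly Azure AD) sign-in log schema; the thresholds, sample records and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126  # Entra ID error code: invalid username or password

def rec(minute, user, ip, code):
    # Build one constructed record shaped like an exported sign-in log entry.
    ts = datetime(2026, 3, 3, 9, 0) + timedelta(minutes=minute)
    return {"createdDateTime": ts.isoformat(), "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}

SAMPLE = (  # constructed data; documentation IP ranges, placeholder tenant
    # One source, one guess per account, spread over twelve accounts.
    [rec(i * 2, f"user{i}@example.com", "203.0.113.10", BAD_PASSWORD) for i in range(12)]
    + [rec(25, "user7@example.com", "203.0.113.10", 0)]  # a guess that worked
    # One user mistyping a password: many failures, a single account.
    + [rec(i, "alice@example.com", "198.51.100.5", BAD_PASSWORD) for i in range(6)]
    + [rec(7, "alice@example.com", "198.51.100.5", 0)]
)

def find_spray_sources(records, window=timedelta(hours=1),
                       min_users=10, max_tries_per_user=3):
    """Flag IPs whose failures hit many accounts at a low per-account rate."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(
            (datetime.fromisoformat(r["createdDateTime"]),
             r["userPrincipalName"].lower(), r["status"]["errorCode"]))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, u, c in events if c == BAD_PASSWORD]
        for i, (start, _) in enumerate(fails):
            tries = defaultdict(int)  # failures per account inside the window
            for t, u in fails[i:]:
                if t - start > window:
                    break
                tries[u] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_tries_per_user:
                # Targeted accounts that later authenticated from the same IP.
                hits = sorted({u for t, u, c in events
                               if c == 0 and t >= start and u in tries})
                findings.append({"ip": ip, "first_seen": start,
                                 "targeted_users": len(tries),
                                 "successful_logins": hits})
                break
    return findings
```

Accounts returned in `successful_logins` are the ones to prioritize for password reset, session revocation and MFA review.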
Technical Notes — The attackers used password‑spraying (a small set of common passwords tried across many accounts, at a low rate per account) against Azure AD (now Microsoft Entra ID) accounts, exploiting weak password policies rather than a software vulnerability. No specific CVE is associated. Data at risk includes email, Teams chats, SharePoint files, and any other Office 365‑hosted content.
Source: The Hacker News