Iran-Linked Password Spraying Campaign Targets Over 300 Israeli Microsoft 365 Organizations

A large-scale cyber operation believed to be connected to Iran has been identified targeting Microsoft 365 environments, primarily focusing on organizations in Israel and the United Arab Emirates. The campaign comes amid rising geopolitical tensions in the Middle East and highlights the increasing use of cloud-focused cyberattacks.

According to findings released by Check Point Software Technologies, the activity is still ongoing and has unfolded in three separate waves on March 3, March 13, and March 23, 2026.

The cybersecurity firm reported that more than 300 organizations in Israel and over 25 in the UAE have been impacted. Additional limited targeting was also observed in regions including Europe, the United States, the United Kingdom, and Saudi Arabia.

Targeted Sectors and Attack Scope

The attackers primarily focused on cloud-based systems used by government bodies, municipal services, and industries such as technology, transportation, and energy. Private companies in the region were also included in the target list.

This campaign demonstrates a strategic effort to infiltrate critical infrastructure and sensitive sectors by abusing weak or reused passwords rather than exploiting software vulnerabilities: the attackers needed nothing more than a list of valid usernames and an authentication endpoint that would accept guesses.

How Password Spraying Attacks Work

The threat actor utilized a technique known as password spraying, in which a small set of commonly used passwords is tried, typically once or twice each, against a large number of user accounts. Unlike a traditional brute-force attack, which hammers one account with many guesses and quickly trips the account-lockout threshold, password spraying spreads attempts thinly across many accounts, so each account sees only a handful of failures and per-account lockout and alerting rules are rarely triggered.

This approach is particularly effective in identifying weak or reused credentials in large-scale environments, where the odds that at least one user has chosen a common password are high.

Security experts have linked similar tactics in the past to Iranian threat groups such as Peach Sandstorm and Gray Sandstorm.

Multi-Stage Attack Execution

The attack process followed a structured pattern consisting of three main phases:

  • Initial scanning and password-spraying attempts conducted through Tor exit nodes
  • Sign-in attempts using the credentials the spray had validated
  • Extraction of sensitive data, including email and mailbox content

Analysis of Microsoft 365 logs revealed similarities with previously known operations, particularly those associated with Gray Sandstorm. The attackers also leveraged VPN infrastructure linked to AS35758, further aligning with patterns seen in Iran-related cyber activities.


Recommended Defensive Measures

To reduce exposure to such threats, organizations are advised to adopt the following security practices:

  • Monitor sign-in activity for a single source producing failed logins across many distinct accounts, not just repeated failures against one account
  • Restrict access based on geographic location and known anonymization infrastructure (such as Tor exit nodes) using conditional access policies
  • Enforce multi-factor authentication (MFA) across all user accounts, since a spray yields at most a password and cannot complete the second factor
  • Enable detailed audit logging, including sign-in and mailbox audit logs, to support incident investigation
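The distinguishing signal of a spray is the shape of the failures, not their count: one source touching many accounts with one or two guesses each, against the brute-force shape of many guesses against one account. The following detector is an added example written for this article; it is not Check Point's tooling or Microsoft's. It runs over a constructed set of records in the shape of Entra ID (Microsoft 365) sign-in log exports (userPrincipalName, ipAddress, createdDateTime, status.errorCode), classifies each source IP within a sliding one-hour window, tags sources that appear on a (here made-up, placeholder) Tor exit list, and reports which accounts accepted a sprayed password so they can be reset first. The thresholds are assumptions to tune per tenant.

```python
"""Password-spray vs. brute-force classifier over Entra ID sign-in records.

Added example, not the tooling of any vendor named in the article. Sample
records and the Tor exit list are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126         # Entra ID: invalid username or password
KNOWN_TOR_EXITS = {"198.51.100.7"}  # constructed placeholder; load the real exit list in production

SPRAY_MIN_USERS = 10           # distinct accounts one source must touch (assumed threshold)
SPRAY_MAX_PER_USER = 2         # a spray keeps to 1-2 guesses per account
MIN_FAILURE_RATIO = 0.8        # attacker traffic is almost all failures
BRUTE_MIN_ATTEMPTS = 5         # many guesses against a single account
WINDOW = timedelta(hours=1)


def _event(ts, user, ip, code):
    """Build one record in the shape of an Entra sign-in log export."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample data: a spray from a Tor exit, a brute force, and a normal user.
SAMPLE_SIGNINS = (
    # spray: 12 accounts, one guess each, mostly failing; account user07 accepts the guess
    [_event(f"2026-03-03T02:{i:02d}:00Z", f"user{i:02d}@example.com", "198.51.100.7",
            0 if i == 7 else INVALID_CREDENTIALS) for i in range(12)]
    # brute force: 8 guesses against one account from a second source
    + [_event(f"2026-03-03T02:{30 + i:02d}:00Z", "admin@example.com", "203.0.113.9",
              INVALID_CREDENTIALS) for i in range(8)]
    # benign: one mistyped password followed by a successful sign-in
    + [_event("2026-03-03T03:10:00Z", "m.levi@example.com", "192.0.2.10", INVALID_CREDENTIALS),
       _event("2026-03-03T03:11:00Z", "m.levi@example.com", "192.0.2.10", 0)]
)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _window_stats(events):
    """Per-source counters for one time window of sign-in events."""
    per_user = defaultdict(int)
    failures = 0
    succeeded = set()
    for ev in events:
        user = ev["userPrincipalName"].lower()
        per_user[user] += 1
        if ev["status"]["errorCode"] == 0:
            succeeded.add(user)
        else:
            failures += 1
    return {
        "attempts": len(events),
        "distinct_users": len(per_user),
        "max_per_user": max(per_user.values()),
        "failure_ratio": failures / len(events),
        "succeeded": sorted(succeeded),
    }


def classify(stats):
    """Spray = wide and shallow; brute force = narrow and deep; otherwise benign."""
    if (stats["distinct_users"] >= SPRAY_MIN_USERS
            and stats["max_per_user"] <= SPRAY_MAX_PER_USER
            and stats["failure_ratio"] >= MIN_FAILURE_RATIO):
        return "password_spray"
    if (stats["distinct_users"] == 1
            and stats["attempts"] >= BRUTE_MIN_ATTEMPTS
            and stats["failure_ratio"] >= MIN_FAILURE_RATIO):
        return "brute_force"
    return "benign"


def analyze(signins, window=WINDOW):
    """Group sign-ins by source IP, pick the busiest sliding window per source, classify it."""
    by_ip = defaultdict(list)
    for ev in signins:
        by_ip[ev["ipAddress"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: _parse(e["createdDateTime"]))
        best = None
        for i, first in enumerate(events):
            t0 = _parse(first["createdDateTime"])
            chunk = [e for e in events[i:] if _parse(e["createdDateTime"]) - t0 <= window]
            stats = _window_stats(chunk)
            if best is None or stats["distinct_users"] > best["distinct_users"]:
                best = stats
        best["verdict"] = classify(best)
        best["tor_exit"] = ip in KNOWN_TOR_EXITS
        # Accounts that accepted a sprayed password are the first to reset and to check for mailbox access.
        best["compromised_candidates"] = best["succeeded"] if best["verdict"] == "password_spray" else []
        findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_SIGNINS).items():
        print(f"{ip:15} {f['verdict']:15} users={f['distinct_users']:3} attempts={f['attempts']:3} "
              f"tor={f['tor_exit']} reset={f['compromised_candidates']}")
```

The per-account view that lockout policies use never sees more than two failures for the sprayed tenant, which is exactly why the rule keys on the source rather than the account; the Tor-exit tag is a separate enrichment rather than a classification input, so a spray from non-anonymized infrastructure (such as the VPN provider ranges mentioned above) is still caught.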

Return of Pay2Key Ransomware Operations

In a related development, an Iranian-linked ransomware group known as Pay2Key has resurfaced, targeting a U.S.-based healthcare organization in February 2026.

This ransomware operation, associated with the Fox Kitten group, originally appeared in 2020 and has now re-emerged with enhanced capabilities.

The latest variant demonstrates improvements in evasion techniques, execution methods, and anti-forensics measures. Interestingly, unlike earlier campaigns, no data exfiltration was reported in this attack, signaling a shift in operational strategy.

Attack Methodology and Execution Flow

The attackers reportedly gained access through an initial entry point that has not been determined and used legitimate remote-access tools such as TeamViewer to establish persistence within the network.

Once inside, they carried out the following actions:

  • Collected credentials for lateral movement
  • Disabled Microsoft Defender by simulating the presence of another antivirus solution
  • Blocked recovery mechanisms
  • Deployed ransomware and issued ransom notes
  • Cleared system logs to erase traces of activity

Notably, the log deletion was performed after the ransomware had run, so the records of the encryption activity itself were removed along with the earlier intrusion traces, leaving responders with little on-host evidence to reconstruct the timeline.

Evolving Ransomware Tactics and Expansion

The group has also updated its affiliate model, increasing the profit share from 70 percent to 80 percent to attract more participants targeting adversaries of Iran.

Additionally, a Linux-based variant of Pay2Key has been discovered. This version requires root-level access and is designed to scan file systems extensively before encrypting data using the ChaCha20 stream cipher.

Before encryption begins, the malware disables security tools, terminates processes, and alters mandatory-access-control defenses such as SELinux and AppArmor to ensure it can run unimpeded, which is why it needs root in the first place.

Growing Role of Cyber Warfare

Recent reports also indicate that ransomware groups like Sicarii are encouraging pro-Iranian hackers to adopt tools such as Baqiyat 313 Locker, further expanding the cyber threat landscape.

These developments reinforce the growing overlap between financially motivated cybercrime and state-sponsored cyber operations. Cyberattacks are increasingly being used not just for financial gain but also as instruments of political retaliation and strategic disruption.
