Iran-linked actors target Israeli Microsoft 365 accounts in password-spraying campaign

AI-generated from multiple sources. Verify before acting on this reporting.

JERUSALEM — Iran-linked cyber actors launched a password-spraying campaign in March 2026 targeting more than 300 Israeli organizations using Microsoft 365, marking a significant escalation in regional digital threats.

The operation, which concluded earlier this month, involved systematic attempts to gain unauthorized access to corporate email and cloud-based systems by testing common password combinations across a wide array of accounts. Security experts identified the attack vector as a password-spraying technique, designed to evade detection mechanisms that typically flag repeated failed login attempts from a single source.

The campaign specifically focused on Israeli entities, leveraging the ongoing geopolitical tensions between Tehran and Jerusalem. While no confirmed data breaches were immediately reported, the sheer scale of the attempt indicates a coordinated effort to compromise sensitive communications and potentially deploy ransomware payloads.

Analysts noted that the timing of the attack aligns with a broader trend of state-sponsored groups reviving ransomware campaigns as a tool of asymmetric warfare. The use of Microsoft 365 infrastructure highlights the vulnerability of cloud-based enterprise environments to credential-based attacks. Unlike brute-force methods that target individual accounts with high frequency, password spraying casts a wider net, attempting fewer guesses per account to avoid triggering security locks.

Israeli cybersecurity officials have advised organizations to enforce multi-factor authentication and review access logs for suspicious activity. The Microsoft 365 platform, widely adopted across Israeli government and private sectors, remains a primary target for foreign adversaries seeking to disrupt critical infrastructure or steal intellectual property.
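As an added illustration (not part of the original report and not any vendor's tooling), the log review advised above can look for the pattern that defines spraying: one source failing against many accounts with only a few guesses on each. The event tuple layout, the thresholds and the sample data are assumptions constructed for this example; they are not the Microsoft 365 sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (time, source IP, account, succeeded)
def _ev(minute, ip, user, ok=False):
    return (datetime(2026, 3, 1, 9, 0) + timedelta(minutes=minute), ip, user, ok)

SAMPLE = (
    # Spray: one guess per account across many accounts, then one success
    [_ev(i, "203.0.113.7", f"user{i}@example.org") for i in range(12)]
    + [_ev(12, "203.0.113.7", "user12@example.org", ok=True)]
    # Brute force: many guesses at one account (a per-account lockout catches this)
    + [_ev(i, "198.51.100.9", "admin@example.org") for i in range(12)]
    # Ordinary user mistyping a password twice, then signing in
    + [_ev(3, "192.0.2.44", "dana@example.org"), _ev(4, "192.0.2.44", "dana@example.org"),
       _ev(5, "192.0.2.44", "dana@example.org", ok=True)]
)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=10, max_per_account=3):
    """Return {source: {"accounts": n, "succeeded": [accounts]}} for spray-like sources."""
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)
    findings = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            for _, _, user, ok in evs[start:end + 1]:
                if not ok:
                    fails[user] += 1
            # Spray signature: many distinct accounts, few failures on each
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                # Any success from a spraying source is an account to investigate first
                hits = sorted({u for _, _, u, ok in evs[start:] if ok})
                findings[source] = {"accounts": len(fails), "succeeded": hits}
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

Grouping by a single source IP is a simplification: a spray spread across many addresses would need grouping on another shared attribute, such as user agent or network range.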

The attack comes amid rising cyber tensions in the Middle East, where digital operations have increasingly complemented traditional military posturing. Previous incidents involving similar tactics have resulted in temporary service outages and data exfiltration, raising concerns about the resilience of national digital defenses.

Questions remain regarding the full extent of the campaign's success. While no major organizations have publicly confirmed compromised credentials, the potential for dormant access or delayed discovery persists. Security firms are monitoring for signs of lateral movement within targeted networks, which could indicate successful initial access.

The incident underscores the evolving nature of cyber warfare, where state actors utilize commercially available tools and cloud vulnerabilities to achieve strategic objectives. As regional conflicts intensify, the digital domain has emerged as a critical battleground, with both offensive and defensive capabilities rapidly advancing.

Further investigation is ongoing to determine if the campaign was part of a larger operation or an isolated incident. The international community continues to assess the implications for global cybersecurity standards and the need for enhanced cooperation in countering state-sponsored threats.