Iran-Linked Hackers Target Israeli Microsoft 365 Accounts

A cyber campaign linked to Iran has targeted over 300 Israeli organizations using Microsoft 365, according to a cybersecurity firm. The attacks, which also affected entities in the United Arab Emirates, occurred in three waves during March 2026.

The threat actor used a technique known as password spraying to attempt access to corporate accounts. This method involves trying a few common passwords against a large number of usernames, avoiding the account lockouts triggered by rapid, repeated login attempts.

Attack Timeline and Methodology

Check Point Research reported the activity in three distinct attack waves on March 3, March 13, and March 23, 2026. The campaign is assessed to be ongoing. The primary target was Israel’s technology and security sectors, with additional targets in the UAE’s financial and government sectors.

The attackers focused on compromising Microsoft 365 environments. After gaining initial access, they sought to establish persistence within the networks and exfiltrate sensitive data. The campaign is considered part of a broader pattern of cyber activity aligned with geopolitical tensions in the Middle East.

Technical Details and Defense

Password spraying exploits weak or commonly used passwords. Unlike targeted brute-force attacks, it is a low-and-slow approach that can evade traditional security alerts. The campaign used a list of known, weak passwords against a wide set of usernames gathered from public sources or previous breaches.

Organizations can defend against such attacks by enforcing strong password policies and implementing multi-factor authentication (MFA). Security experts consistently note that MFA is one of the most effective barriers against credential-based attacks. Monitoring for unusual login patterns, especially from unfamiliar geographic locations, is also recommended.
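The login-pattern monitoring recommended above can be sketched as follows. This is an added example, not code from Check Point or from the original article; the event tuple layout, the thresholds, the grouping by source address, and all sample addresses and usernames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Return sources whose failed sign-ins, within one window, touch many
    distinct accounts with only a few attempts per account."""
    by_source = defaultdict(list)
    for ts, source, user, ok in events:
        if not ok:
            by_source[source].append((datetime.fromisoformat(ts), user.lower()))
    findings = []
    for source, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the left edge so the span never exceeds the window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            # Many accounts, few tries each: a spray. One account tried many
            # times is brute force and is left to lockout policy.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings.append({"source": source,
                                 "first_seen": fails[start][0].isoformat(),
                                 "accounts": sorted(per_user)})
                break  # one finding per source is enough to open a case
    return findings

def build_sample(gap_minutes=5):
    """Constructed events: (ISO timestamp, source IP, username, success)."""
    base = datetime(2026, 1, 1, 8, 0)  # arbitrary constructed date
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    events = [((base + timedelta(minutes=gap_minutes * i)).isoformat(),
               "203.0.113.10", f"{u}@example.test", False)
              for i, u in enumerate(users)]            # spray: 1 try per account
    events += [((base + timedelta(seconds=10 * i)).isoformat(),
                "198.51.100.7", "alice@example.test", False)
               for i in range(10)]                     # brute force on one account
    events += [(base.isoformat(), "192.0.2.44", "bob@example.test", False),
               ((base + timedelta(minutes=1)).isoformat(),
                "192.0.2.44", "bob@example.test", True)]  # typo, then success
    return events

if __name__ == "__main__":
    for finding in detect_spray(build_sample()):
        print(finding)
```

With `build_sample(30)` the same six attempts are spaced 30 minutes apart and the one-hour window misses them, which is the low-and-slow evasion described above; widening `window` to a day catches them again.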

Attribution and Geopolitical Context

Check Point attributes the campaign with high confidence to an advanced persistent threat (APT) group with links to Iran. The targeting aligns with the group’s historical focus on Middle Eastern nations and coincides with ongoing regional conflict. The firm did not name the specific group in its public report.

Cyber operations have become a common tool in state-sponsored espionage and disruption campaigns. Attacks on critical infrastructure, government bodies, and private sector companies in allied nations are frequently observed. This incident highlights the continued use of relatively simple techniques to achieve significant access.

Based on the current pattern, cybersecurity agencies and private firms anticipate continued cyber activity targeting entities in the region. Organizations are urged to review their authentication security and incident response plans. Further technical indicators and defensive recommendations are expected to be released by cybersecurity authorities in the coming days.

Source: Check Point Research