In the past week, cybersecurity researchers disclosed a large‑scale password‑spraying operation that is linked to an Iranian state‑backed group, often referred to as APT‑IRAN. The campaign has targeted more than 300 Microsoft 365 tenant environments in Israel, primarily attempting to harvest credentials for high‑value accounts and to gain persistent access to cloud collaboration workloads such as Exchange Online, SharePoint, and Teams. Early indicators suggest that the attackers are leveraging a mix of publicly scraped email lists and a rotating set of weak passwords to avoid immediate detection.

What Is Password‑Spraying?

Password‑spraying is a credential‑guessing technique in which a single, commonly used password is tested against a large number of user accounts across many organizations. Unlike brute‑force attacks that hammer a single account with many guesses, password‑spraying spreads the effort across accounts to avoid triggering account‑lockout mechanisms. The goal is to find accounts that still use predictable or reused passwords while staying under the radar of security alerts.

Technical Breakdown of the Iranian Campaign

The attackers combine three core capabilities to stay effective:

  • Reconnaissance Data: They harvest email addresses from publicly available sources, including social media, data‑breach dumps, and corporate webpages.
  • Password Rotation: A short list of easily guessed passwords — such as Spring2023, Winter2023, Password123, and admin2023 — is cycled through each target account in rapid succession.
  • Infrastructure Obfuscation: Compromised VPN endpoints and residential proxy services are used to hide the origin of login attempts, making it difficult for defenders to attribute traffic to a single IP range.

From a technical standpoint, the campaign relies heavily on legacy authentication protocols that remain enabled in many tenant configurations. By targeting Basic Auth, SMTP AUTH, and other deprecated mechanisms, the actors can bypass modern conditional access controls that are designed to block suspicious sign‑ins. Successful logins generate authentication tokens that are then stored in encrypted exfiltration containers and later parsed by custom PowerShell scripts for further lateral movement.

Why This Attack Matters to Modern Organizations

Although password‑spraying appears low‑tech, its success depends on three critical weaknesses that are prevalent across many enterprises:

  1. Over‑reliance on legacy authentication: Many organizations have not disabled Basic Auth or other outdated sign‑in methods, leaving a large attack surface.
  2. Insufficient conditional access policies: Without risk‑based sign‑in enforcement, attackers can blend their attempts with legitimate traffic.
  3. Limited monitoring of anomalous sign‑ins: Without real‑time alerts, a compromised account can remain undetected for days, allowing data theft and privilege escalation.

For organizations that depend on Microsoft 365 for day‑to‑day operations, even a single compromised credential can lead to widespread data exposure, loss of customer trust, and costly incident response efforts.

Mitigation Strategies for IT Administrators

Implementing the following steps can dramatically reduce the attack surface and give security teams the visibility they need to stop password‑spraying attempts in their tracks:

  1. Disable Legacy Authentication: Use the Microsoft 365 admin center or PowerShell cmdlets to turn off Basic Auth, SMTP AUTH, and other deprecated protocols across all tenants.
  2. Enforce Multi‑Factor Authentication (MFA): Require MFA for every user, with special emphasis on privileged and service accounts. Consider Conditional Access policies that mandate MFA for sign‑ins from unfamiliar locations or devices.
  3. Deploy Conditional Access Policies: Block sign‑ins from high‑risk countries or from IP ranges known to host malicious activity, and require device compliance for remote access.
  4. Enable Identity Protection Risk Sign‑In Alerts: Turn on Azure AD Identity Protection to flag sign‑ins that exhibit suspicious attributes such as impossible travel or repeated failures.
  5. Integrate SIEM‑Based Detection Rules: Configure alerts for patterns like “multiple failed logins across many accounts within a short window” and route them to a central monitoring console.
  6. Restrict Service Account Permissions: Apply the principle of least privilege to all service and application accounts, and conduct access reviews regularly.
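The detection rule in step 5 and the legacy‑auth check in step 1, worked through as an added example (not code from the original post or from TH247): it runs over constructed sign‑in records whose fields and client‑app names are assumed to mirror Microsoft 365 sign‑in logs, reports a source IP that fails against many distinct accounts inside a short window, and lists the accounts that then signed in successfully from that source so they can be suspended and their tokens revoked.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape (time, user, source IP, client app, result);
# result 0 = success, 50126 = invalid username or password. The client-app strings are
# assumed to mirror the ClientAppUsed field of Microsoft 365 sign-in logs.
SAMPLE_SIGNINS = [
    ("2024-05-01T08:00:05Z", "alice@example.com", "203.0.113.7", "Other clients", 50126),
    ("2024-05-01T08:00:09Z", "bob@example.com", "203.0.113.7", "Other clients", 50126),
    ("2024-05-01T08:00:14Z", "carol@example.com", "203.0.113.7", "Other clients", 50126),
    ("2024-05-01T08:00:20Z", "dave@example.com", "203.0.113.7", "Other clients", 50126),
    ("2024-05-01T08:00:27Z", "erin@example.com", "203.0.113.7", "Other clients", 50126),
    ("2024-05-01T08:00:33Z", "frank@example.com", "203.0.113.7", "Other clients", 0),
    ("2024-05-01T08:15:00Z", "bob@example.com", "198.51.100.20", "Browser", 50126),
    ("2024-05-01T08:15:30Z", "bob@example.com", "198.51.100.20", "Browser", 50126),
    ("2024-05-01T08:16:02Z", "bob@example.com", "198.51.100.20", "Browser", 0),
]

LEGACY_CLIENT_APPS = {"Other clients", "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> set of users it failed against, for IPs whose failures hit
    at least `min_accounts` distinct users inside a sliding window of `window`.
    One user failing many times is a brute-force pattern and is deliberately not reported."""
    fails = defaultdict(list)
    for ts, user, ip, _app, result in records:
        if result != 0:
            fails[ip].append((_ts(ts), user))
    hits = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = hits.get(ip, set()) | users
    return hits

def compromised_accounts(records, hits):
    """Successful sign-ins from a spraying source: the accounts to suspend and whose tokens to revoke."""
    return sorted({user for _, user, ip, _app, r in records if r == 0 and ip in hits})

def legacy_auth_attempts(records):
    """Any attempt over a legacy protocol shows Basic Auth is still reachable (step 1)."""
    return sorted({(user, ip, app) for _, user, ip, app, _r in records if app in LEGACY_CLIENT_APPS})
```

Thresholds are tenant‑specific: tune `window` and `min_accounts` against a baseline of normal failed sign‑ins before routing the alert to the monitoring console.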

Each of these actions should be paired with automated remediation scripts that can instantly suspend a compromised account and revoke any generated tokens, minimizing dwell time.

Best Practices for Ongoing Protection

Beyond the immediate checklist, organizations should embed a defense‑in‑depth strategy that includes continuous improvement and proactive security hygiene:

  • Password Hygiene: Enforce minimum length (12+ characters), complexity requirements, and periodic rotation for service accounts.
  • Periodic Access Reviews: Conduct quarterly audits of privileged account permissions and automatically remove dormant accounts.
  • Employee Awareness Training: Use simulated phishing campaigns to reinforce the importance of reporting suspicious login prompts.
  • Automated Incident Response Playbooks: Define clear steps for isolating compromised accounts, revoking tokens, and notifying stakeholders.
  • Regular Security Posture Assessments: Leverage third‑party assessments or internal red‑team exercises to validate the effectiveness of conditional access and MFA deployments.

These practices create a resilient security culture that not only thwarts password‑spraying attacks but also prepares the organization for a broad spectrum of credential‑based threats.

Investing in professional IT management and advanced security controls transforms a reactive posture into a proactive one, delivering tangible benefits such as reduced breach risk, lower remediation costs, and heightened confidence among stakeholders. By staying vigilant and continuously refining defenses, businesses can keep pace with the evolving threat landscape and safeguard their critical cloud workloads for the long term.

Need Expert IT Advice?

Talk to TH247 today about how we can help your small business with professional IT solutions, custom support, and managed infrastructure.