An Iran-Nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the UAE amid the ongoing conflict in the Middle East.
The activity, assessed as ongoing, was carried out in three separate attack waves on March 3, March 13, and March 23, 2026, according to Check Point.
“The campaign is primarily focused on Israel and the UAE, affecting more than 300 organizations in Israel and more than 25 organizations in the UAE,” the Israeli cybersecurity company said. “Activity associated with the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia.”
The campaign is estimated to have targeted the cloud environments of government entities, municipalities, technology, transportation, energy sector organizations and private sector companies in the region.
Password spraying is a form of brute-force attack in which a threat actor tries the same common password against many usernames on the same application. It is considered a more effective way to discover weak credentials at scale without triggering rate-limiting protections, since each account sees only a handful of attempts.
Check Point said this technique had been adopted in the past by Iranian hacking groups such as Peach Sandstorm and Gray Sandstorm (formerly DEV-0343) to infiltrate target networks.
The campaign essentially runs in three stages: aggressive scanning and password spraying from Tor exit nodes, followed by takeover of the login process, and finally exfiltration of sensitive data such as mailbox contents.
“Analysis of M365 logs suggests similarities with Gray Sandstorm, including the use of red-team tools to conduct these attacks through Tor exit nodes,” Check Point said. “The threat actor used commercial VPN nodes hosted on AS35758 (Rachamim Aviel Twito), which aligns with recent activity associated with Iran-Nexus operations in the Middle East.”
To combat the threat, organizations are advised to monitor sign-in logs for signs of password spraying, implement conditional access controls that limit authentication to approved geographic locations, enforce multi-factor authentication (MFA) for all users, and enable audit logging to support post-compromise investigation.
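The sign-in log monitoring recommended above can be reduced to a simple heuristic: a spray shows up as one source address failing against many distinct accounts with only one or two attempts each, which is the opposite shape from a user mistyping their own password. The following is an added illustration, not code from Check Point or from the article; the records are constructed and only loosely shaped like Entra ID / Microsoft 365 sign-in log fields (the field names here are simplified), the thresholds are assumptions to tune per tenant, and the IP addresses are documentation ranges. Error code 50126 is the real Entra ID code for an invalid username or password. The detector also reports any successful sign-in from the same address inside the spray window, which is the "login takeover" stage the article describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely shaped like Entra ID / M365 sign-in
# log entries (simplified field names). All values are made up for this
# example; errorCode 50126 = invalid username or password, 0 = success.
SAMPLE_SIGNINS = [
    {"time": "2026-03-03T02:00:05Z", "user": "alice@example.test", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2026-03-03T02:00:41Z", "user": "bob@example.test",   "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2026-03-03T02:01:12Z", "user": "carol@example.test", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2026-03-03T02:02:03Z", "user": "dave@example.test",  "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2026-03-03T02:02:49Z", "user": "erin@example.test",  "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2026-03-03T02:03:30Z", "user": "frank@example.test", "ip": "198.51.100.7", "errorCode": 50126},
    # The sprayed password worked for one account a few minutes later.
    {"time": "2026-03-03T02:09:58Z", "user": "erin@example.test",  "ip": "198.51.100.7", "errorCode": 0},
    # One user mistyping a password four times, then succeeding: not a spray.
    {"time": "2026-03-03T08:15:00Z", "user": "grace@example.test", "ip": "203.0.113.5",  "errorCode": 50126},
    {"time": "2026-03-03T08:15:20Z", "user": "grace@example.test", "ip": "203.0.113.5",  "errorCode": 50126},
    {"time": "2026-03-03T08:15:41Z", "user": "grace@example.test", "ip": "203.0.113.5",  "errorCode": 50126},
    {"time": "2026-03-03T08:16:02Z", "user": "grace@example.test", "ip": "203.0.113.5",  "errorCode": 50126},
    {"time": "2026-03-03T08:16:30Z", "user": "grace@example.test", "ip": "203.0.113.5",  "errorCode": 0},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs whose failed sign-ins, inside one time window, hit at
    least `min_users` distinct accounts with no more than `max_per_user`
    attempts each. Many attempts against a single account do not match
    (that is a lockout-risking brute force, or a typo), which keeps the
    alert specific to the spray pattern. One finding per IP is returned,
    with any successful sign-ins seen from that IP inside the window.
    Thresholds are assumptions; tune them to the tenant's baseline."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((_parse(e["time"]), e["user"], e["errorCode"]))

    findings = []
    for ip, rows in by_ip.items():
        rows.sort()  # chronological; tuples sort by time first
        for i, (start, _, code) in enumerate(rows):
            if code == 0:
                continue  # a window must open on a failure
            attempts = defaultdict(int)
            successes = []
            for t, user, c in rows[i:]:
                if t - start > window:
                    break
                if c == 0:
                    successes.append(user)
                else:
                    attempts[user] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                findings.append({
                    "ip": ip,
                    "window_start": start.isoformat(),
                    "distinct_users": len(attempts),
                    "max_attempts_per_user": max(attempts.values()),
                    "successes_after_spray": sorted(set(successes)),
                })
                break  # first qualifying window per IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data only 198.51.100.7 is flagged (six accounts, one attempt each), and the finding carries erin@example.test as a success inside the window, which is the account to treat as compromised first. In a real deployment the same logic would run over exported sign-in logs with the source address enriched by Tor exit node and VPN provider lists, since the article notes both were used.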
Iran revives Pay2Key operations
This revelation comes after a US healthcare organization was targeted by Pay2Key, an Iranian ransomware gang linked to the country’s government, in late February 2026. The ransomware-as-a-service (RaaS) operation, belonging to the Fox Kitten group, first surfaced in 2020.
The version deployed in the attack is more advanced than the one seen in prior campaigns in July 2025, using improved evasion, execution, and anti-forensics techniques. According to Beazley Security and Halcyon, no data was exfiltrated during the attack, a departure from the group's double extortion tactics.
The attack is said to have used an unspecified access route to break into the organization and legitimate remote access tools like TeamViewer to gain a foothold. The actors then crafted credentials for lateral movement, disabled Microsoft Defender Antivirus by falsely indicating that a third-party antivirus product was active, prevented recovery, deployed the ransomware, left a ransom note, and cleared logs to cover their tracks.
“By clearing the logs at the end of execution rather than the beginning, actors ensure that the ransomware’s own activity is also erased, not just whatever happened before it,” Halcyon said.
Among the major changes made by the group after its withdrawal last year was an increase in the affiliate cut of ransom income to 80%, up from 70%, for participating in attacks targeting Iran's enemies. A month later, a Linux version of the Pay2Key ransomware was found in the wild.
“The sample is configuration-driven, requires root-level privileges to execute, and is engineered to overcome broad file system scope, mount classified attacks, and encrypt data in full or partial mode using ChaCha20,” Morphisec researcher Ilya Kulmin said in a report published last month.
“Before encryption, it weakens security and removes friction by stopping services, killing processes, disabling SELinux and AppArmor, and setting a reboot-time cron entry. This makes the encryptor run faster and avoids restarts.”
In March 2026, Halcyon also revealed that the administrator of the Sicari ransomware, UK, had urged pro-Iranian operators to use the Bakiyat 313 locker (aka BQTLock) due to the influx of associated requests. BQTLock, which operates with pro-Palestinian motives, has targeted the UAE, the US and Israel since July 2025.
“Iran has a long track record of using cyber operations to retaliate against perceived political insults,” the cybersecurity company said. “Increasingly incorporating ransomware into these campaigns blurs the line between criminal extortion and state-sponsored subversion.”