Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

An Iran-linked threat actor is conducting a widespread password-spraying campaign against over 325 organizations in Israel and the U.A.E. to infiltrate Microsoft 365 cloud environments and exfiltrate data.

Key Points

  • Check Point identified three attack waves occurring on March 3, March 13, and March 23, 2026.
  • The campaign targeted government, technology, energy, and transportation sectors across Israel, the U.A.E., and several Western nations.
  • Attackers utilized Tor exit nodes and commercial VPNs to execute password-spraying, a technique often associated with Iranian groups like Gray Sandstorm.
  • The Iranian ransomware group Pay2Key recently resurfaced, targeting a U.S. healthcare organization with upgraded anti-forensics and evasion capabilities.
  • Pro-Iranian operators are increasingly adopting new tools like the BQTLock ransomware to conduct politically motivated sabotage against regional adversaries.

Why it Matters

These campaigns demonstrate a growing trend of state-sponsored actors blending criminal ransomware tactics with traditional espionage to disrupt critical infrastructure. Organizations must prioritize multi-factor authentication and strict geographic access controls to defend against these evolving, high-frequency credential attacks.

Published by info@thehackernews.com (The Hacker News)