An Iran-nexus threat actor is suspected to be behind a password-spraying campaign targeting Microsoft 365 environments in Israel and the U.A.E. amid the ongoing conflict in the Middle East.
The activity, assessed to be ongoing, was carried out in three distinct attack waves that took place on March 3, March 13, and March 23, 2026, according to Check Point.
“The campaign is primarily focused on Israel and the U.A.E., impacting more than 300 organizations in Israel and over 25 in the U.A.E.,” the Israeli cybersecurity firm stated. “Activity associated with the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia.”
The campaign is assessed to have targeted the cloud environments of government entities, municipalities, technology, transportation, and energy sector organizations, and private-sector companies in the region.
Password spraying is a type of brute-force attack in which a threat actor tries a single common password against many usernames on the same application. Because account lockout and rate-limiting thresholds are typically enforced per account, and each account sees only one or two guesses, it is a more practical way to uncover weak credentials at scale without triggering those defenses.
Check Point said the technique has been adopted in the past by Iranian hacking groups like Peach Sandstorm and Gray Sandstorm (formerly DEV-0343) to infiltrate target networks.
The campaign unfolds over three phases: aggressive scanning and password spraying carried out from Tor exit nodes, followed by logging in with the credentials obtained, and exfiltrating sensitive data such as mailbox contents.
“Analysis of M365 logs suggests similarities to Gray Sandstorm, including the use of red-team tools to conduct these attacks via Tor exit nodes,” Check Point said. “The threat actor used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito), which aligns with recent activity tied to Iran-nexus operations in the Middle East.”

To counter the threat, organizations are advised to monitor sign-in logs for indicators of password spraying, apply Conditional Access controls to restrict authentication to approved geographic regions, enforce multi-factor authentication (MFA) for all users, and enable audit logs for post-compromise investigation.
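The first of those recommendations, monitoring sign-in logs for the spray pattern, can be expressed as a small detection over Entra ID sign-in events. The script below is an added illustration written for this article, not Check Point's or Microsoft's code. It assumes a flattened record shape (createdDateTime, userPrincipalName, ipAddress, errorCode) and the Entra error code 50126 for "invalid username or password"; the sample events, thresholds, and IP addresses are constructed for the demonstration. The spray signature it looks for is the inverse of ordinary failed logins: one source address, many distinct accounts, and only one or two attempts per account inside a sliding window. It also lists any successful sign-in from the same address after the spray started, which corresponds to the campaign's second phase.

```python
"""Sliding-window password-spray detector over Microsoft 365 / Entra ID sign-in events.

Assumptions (constructed for this example, not a fixed product schema):
  each event is a dict with createdDateTime, userPrincipalName, ipAddress, errorCode.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID error code: invalid username or password
SUCCESS = 0                   # errorCode 0 means the sign-in succeeded

SPRAY_IP = "203.0.113.7"    # documentation-range address standing in for a Tor exit node
NORMAL_IP = "198.51.100.5"  # documentation-range address for a benign user


def _ts(value):
    """Parse an ISO-8601 timestamp as emitted in sign-in logs."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _ev(t, upn, ip, code):
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip, "errorCode": code}


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = (
    # Spray: one failed guess against each of 12 accounts, a minute apart.
    [_ev(f"2026-03-13T08:{i:02d}:00+00:00", f"user{i:02d}@example.org", SPRAY_IP, INVALID_CREDENTIALS)
     for i in range(12)]
    # The guessed password worked for one account; the actor logs in 20 minutes later.
    + [_ev("2026-03-13T08:31:00+00:00", "user07@example.org", SPRAY_IP, SUCCESS)]
    # Benign: a single user mistypes their password four times, then gets in.
    + [_ev(f"2026-03-13T09:0{i}:00+00:00", "bob@example.org", NORMAL_IP, INVALID_CREDENTIALS)
       for i in range(4)]
    + [_ev("2026-03-13T09:05:00+00:00", "bob@example.org", NORMAL_IP, SUCCESS)]
)


def detect_spray(events, window=timedelta(minutes=60), min_users=5, max_per_user=2):
    """Return {ip: finding} for source IPs whose failed sign-ins, within any sliding
    window, touch at least min_users distinct accounts with at most max_per_user
    attempts each. Thresholds are illustrative; tune them to the tenant's baseline."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"], e["errorCode"]))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(t, u) for t, u, code in evs if code == INVALID_CREDENTIALS]
        in_window = Counter()  # account -> failed attempts inside the current window
        left = 0
        for t, u in failures:
            in_window[u] += 1
            # Slide the left edge forward until every counted failure is within `window` of t.
            while failures[left][0] < t - window:
                old_user = failures[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                start = failures[left][0]
                # Phase two of the campaign: successful logins from the spraying address.
                logins = sorted({u2 for t2, u2, c in evs if c == SUCCESS and t2 >= start})
                findings[ip] = {
                    "distinct_users": len(in_window),
                    "window_start": start.isoformat(),
                    "post_spray_logins": logins,
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On the constructed sample only the 203.0.113.7 address is reported, with 12 distinct accounts and user07@example.org as a post-spray login; the benign user's four failures from one account never satisfy the many-accounts condition. In production the same logic is usually written as a KQL query over the SigninLogs table, and a Conditional Access policy that blocks or challenges sign-ins from anonymizer networks complements it rather than replacing it.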
Iran Revives Pay2Key Operations
The disclosure comes as a U.S. healthcare organization was targeted in late February 2026 by Pay2Key, an Iranian ransomware gang with ties to the country's government. The ransomware-as-a-service (RaaS) operation, which has ties to the Fox Kitten group, first emerged in 2020.
The variant deployed in the attack is an upgrade from prior campaigns observed in July 2025, using improved evasion, execution, and anti-forensics techniques to achieve its goals. According to Beazley Security and Halcyon, no data was exfiltrated during the attack, a shift from the group's double-extortion playbook.
The attack is said to have leveraged an undetermined access path to breach the organization, using a legitimate remote access tool like TeamViewer to establish a foothold, then harvest credentials for lateral movement, disarm Microsoft Defender Antivirus by falsely signaling that a third-party antivirus product is active, inhibit recovery, deploy ransomware, drop a ransom note, and clear logs to cover its tracks.
“By clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware’s own activity is wiped, not just whatever preceded it,” Halcyon stated.
Among the key changes the group enacted following its return last year was offering affiliates an 80% cut of ransom proceeds, up from 70%, for participating in attacks targeting Iran's enemies. A month later, a Linux variant of the Pay2Key ransomware was detected in the wild.
“The sample is configuration-driven, requires root-level privileges to execute, and is engineered to traverse broad file system scope, classify mounts, and encrypt data using ChaCha20 in full or partial modes,” Morphisec researcher Ilia Kulmin said in a report published last month.
“Before encryption, it weakens defenses and removes friction by stopping services, killing processes, disabling SELinux and AppArmor, and installing a reboot-time cron entry. This lets the encryptor run faster and survive restarts.”
In March 2026, Halcyon also revealed that the administrator of Sicarii ransomware, Uke, urged pro-Iranian operators to use Baqiyat 313 Locker (aka BQTlock) due to the influx of affiliate requests. BQTLock, which operates with pro-Palestinian motives, has targeted the U.A.E., the U.S., and Israel since July 2025.
“Iran has a long track record of using cyber operations to retaliate against perceived political slights,” the cybersecurity firm stated. “Ransomware is increasingly incorporated into these operations, with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage.”