Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

The Hacker News, Apr 6, 2026

Why It Matters

The attack reveals how vulnerable even well‑secured cloud environments remain without strong authentication, threatening critical Israeli businesses and prompting broader industry hardening. It also signals escalating cyber aggression from Iran, raising geopolitical risk for cloud‑dependent firms worldwide.

Key Takeaways

  • Over 300 Israeli M365 tenants targeted.
  • Campaign linked to Iranian APT group.
  • Password‑spraying exploited common weak passwords.
  • Multi‑factor authentication blocked many attempts.
  • Microsoft issued emergency password reset advisory.

Pulse Analysis

Password‑spraying—where attackers try a handful of common passwords across many accounts—has resurfaced as a favorite tool for nation‑state actors targeting cloud platforms. Microsoft 365’s rapid adoption in Israel’s tech and financial sectors made it an attractive vector, offering a single point of entry to thousands of users. While the service provides built‑in protections, the sheer scale of the campaign exposed gaps in password hygiene and highlighted the importance of continuous credential monitoring.

The group behind the operation is believed to be an Iranian APT linked to previous espionage campaigns against regional adversaries. Their methodology combined automated login attempts with carefully curated wordlists derived from leaked Israeli data breaches, increasing the odds of success. Organizations that had already deployed multi‑factor authentication (MFA) saw dramatically lower compromise rates, confirming MFA’s role as a critical barrier. Nonetheless, the sheer volume of attempts—over 1 million login tries in a week—overwhelmed some alerting systems, emphasizing the need for advanced anomaly detection.

For enterprises, the incident serves as a wake‑up call to adopt a zero‑trust mindset: enforce MFA universally, rotate passwords regularly, and implement conditional access policies that limit logins from high‑risk geographies. Cloud security providers are now enhancing real‑time threat intelligence feeds to flag password‑spraying patterns earlier. As geopolitical tensions drive more state‑sponsored cyber campaigns, businesses must treat identity security as a frontline defense, integrating behavioral analytics and automated response playbooks to stay ahead of evolving threats.
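The spray pattern described above (few passwords per account, many accounts) can be separated from ordinary failed logins by its shape in sign-in logs. The following is an added detection sketch, not code from the article or from Microsoft; the event layout, thresholds, addresses and account names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Builds one constructed sign-in event: (timestamp, source IP, account, succeeded).
# The field layout is an assumption; map your identity provider's export onto it.
def _ev(minute, ip, user, ok=False):
    return (datetime(2026, 4, 1, 9, 0) + timedelta(minutes=minute), ip, user, ok)

SAMPLE_EVENTS = (
    # One source, one failure each across many accounts: the spray shape.
    [_ev(i, "203.0.113.10", f"user{i}@example.test") for i in range(12)]
    # The same source then succeeds on one account: triage this first.
    + [_ev(13, "203.0.113.10", "user3@example.test", ok=True)]
    # One user mistyping repeatedly: many failures, single account, not a spray.
    + [_ev(i, "198.51.100.7", "alice@example.test") for i in range(8)]
    # Shared office egress IP: several users, almost all successes.
    + [_ev(i, "192.0.2.50", f"staff{i}@example.test", ok=(i != 2)) for i in range(5)]
)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=10, max_per_account=3):
    """Flag source IPs whose failures inside `window` touch many distinct
    accounts with only a few tries on each. Returns {ip: finding}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        fails = [(ts, user) for ts, user, ok in rows if not ok]
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span is at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first_fail = fails[start][0]
                tried = len({user for _, user in fails[start:]})
                # Successes after the spray began are the accounts to reset first.
                hits = sorted({u for ts, u, ok in rows if ok and ts >= first_fail})
                findings[ip] = {"accounts_tried": tried, "successes": hits}
                break
    return findings

if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Grouping by source IP alone misses a spray spread across many addresses, so the same distinct-account count is worth running per ASN or per user-agent as well.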
