A coordinated cyberattack campaign linked to Iranian threat actors has targeted more than 300 Microsoft 365 organizations across Israel and the United Arab Emirates, security researchers have confirmed. The sophisticated password-spraying operation marks an escalation in cyber threats targeting critical business infrastructure in the Middle East region.
Iranian actors target 300+ Israeli organizations
The campaign unfolded across three distinct attack waves launched on March 3, March 13, and March 23, 2026. Security researchers tracking the activity determined that the campaign is still ongoing, with attackers methodically probing organizational defenses through credential-based attack vectors. Password spraying involves systematically trying common or breached credentials across many accounts, keeping the number of attempts per account low enough to avoid triggering traditional account lockout mechanisms.
Password-spraying attacks across three waves
Organizations in Israel faced the primary focus of the offensive, though operations extended to targets in the UAE as well. The timing of the campaign coincides with heightened geopolitical tensions in the region, suggesting potential connections to broader state-sponsored cyber operations. Infrastructure serving government, financial, and commercial sectors appeared among the targeted entities.
Microsoft 365 breach risks and persistence
Microsoft 365 environments are attractive targets for threat actors because they are widely deployed across enterprises and provide access to sensitive communications, documents, and collaborative platforms. A successful breach could give attackers persistent access, the ability to exfiltrate data, and opportunities for lateral movement throughout organizational networks.
Enhanced security measures for defenders
Security teams responsible for defending these environments have been advised to implement enhanced monitoring protocols, enforce multi-factor authentication across all user accounts, and conduct immediate audits of access logs for suspicious login attempts. Organizations should prioritize reviewing recent authentication activity and resetting credentials for any accounts showing signs of compromise.
The discovery underscores the persistent threat landscape facing organizations in geopolitically sensitive regions and highlights the importance of robust endpoint security strategies. Companies operating Microsoft 365 infrastructure should review their security posture and consider deploying additional detection mechanisms capable of identifying credential-based attack patterns.
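The access-log audit recommended above can be sketched as a detection over sign-in records. This is an added example, not code from the researchers or from Microsoft: the record fields (`time`, `ip`, `user`, `error`), the thresholds and the sample data are assumptions, and error code 50126 is the Entra ID code for an invalid username or password.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126  # Entra ID error code: invalid username or password

def find_sprays(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs whose failures are wide (many accounts) and shallow (few tries each).

    Returns {ip: {"targeted": [...], "succeeded": [...]}}; "succeeded" lists accounts
    that signed in from the flagged IP after the spray began (credential-reset candidates).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"], e["error"]))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, err in rows if err == BAD_PASSWORD]
        start, targeted, first = 0, set(), None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            counts = Counter(u for _, u in fails[start:end + 1])
            # Ignore accounts hammered repeatedly: that is brute force or a confused user.
            shallow = [u for u, n in counts.items() if n <= max_per_user]
            if len(shallow) >= min_users:
                targeted.update(shallow)
                if first is None:
                    first = fails[start][0]
        if first is not None:
            ok = {u for t, u, err in rows if err == 0 and t >= first}
            findings[ip] = {"targeted": sorted(targeted), "succeeded": sorted(ok)}
    return findings

# Constructed sample records (hypothetical field names, documentation IP ranges).
USERS = ["avi", "dana", "lior", "maya", "noam", "tal"]
SAMPLE = [{"time": f"2026-03-13T08:0{i}:00", "ip": "203.0.113.10",
           "user": f"{u}@example.test", "error": BAD_PASSWORD} for i, u in enumerate(USERS)]
SAMPLE.append({"time": "2026-03-13T08:09:00", "ip": "203.0.113.10",
               "user": "dana@example.test", "error": 0})  # a sprayed password worked
# One user mistyping a password four times from another IP: not a spray.
SAMPLE += [{"time": f"2026-03-13T09:0{i}:00", "ip": "198.51.100.7",
            "user": "omer@example.test", "error": BAD_PASSWORD} for i in range(4)]

if __name__ == "__main__":
    for ip, hit in find_sprays(SAMPLE).items():
        print(ip, "targeted", len(hit["targeted"]), "accounts; succeeded:", hit["succeeded"])
```

The thresholds are starting points to tune against normal sign-in volume, and grouping by source IP alone will miss a spray that is spread across many addresses.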