An Iran-focused threat actor is believed to be responsible for a password-spraying campaign targeting Microsoft 365 environments in Israel and the United Arab Emirates amidst ongoing tensions in the Middle East.
The cyber activity, which is still ongoing, occurred in three separate waves on March 3, March 13, and March 23, 2026, according to cybersecurity firm Check Point.
Check Point stated, “The campaign has primarily impacted more than 300 organizations in Israel and over 25 in the UAE. Additionally, the same threat actor has been observed targeting a small number of entities in Europe, the United States, the United Kingdom, and Saudi Arabia.”
The campaign has been directed towards the cloud infrastructures of government bodies, municipalities, technology firms, transportation companies, energy sector entities, and private corporations in the region.
Password spraying, a tactic in which attackers try a single common password against many usernames in an attempt to gain unauthorized access, has been used in this campaign. It is considered an effective way to identify weak credentials at scale without triggering security defenses.
Check Point noted that Iranian hacker groups such as Peach Sandstorm and Gray Sandstorm (previously known as DEV-0343) have previously employed this technique to breach networks.
The operation unfolds in three phases: initial scanning or password spraying from Tor exit nodes, followed by login attempts, and finally exfiltration of sensitive information such as email content.
Check Point added, “Analysis of Microsoft 365 logs indicates similarities to Gray Sandstorm, including the use of red-team tools through Tor exit nodes. The threat actor utilized commercial VPN nodes from AS35758 (Rachamim Aviel Twito), aligning with recent Iran-related activities in the Middle East.”

To combat this threat, organizations are advised to monitor sign-in logs for signs of password spraying, implement conditional access controls to restrict authentication to approved geographic locations, enforce multi-factor authentication for all users, and activate audit logs for post-incident analysis.
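One way to implement the sign-in log monitoring recommended above, as an added example rather than code from Check Point, Microsoft or the article: it groups failed sign-ins by source IP within a sliding time window and flags the password-spray signature, many distinct accounts with few attempts each. The event records and thresholds are constructed assumptions, modeled on a subset of Entra ID sign-in log fields.

```python
"""Password-spray detection over Microsoft 365 / Entra ID sign-in events.
Added example, not code from the article or Check Point. Events are constructed,
modeled on a subset of Entra ID sign-in log fields; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID sign-in error: invalid username or password

# Constructed sample: one IP tries one password across many accounts (spray);
# another IP is a single user mistyping their own password (not a spray).
EVENTS = [
    {"createdDateTime": "2026-03-13T08:00:%02dZ" % s, "ipAddress": "203.0.113.7",
     "userPrincipalName": "user%02d@example.test" % s,
     "status": {"errorCode": INVALID_CREDENTIALS}}
    for s in range(12)
] + [
    {"createdDateTime": "2026-03-13T08:01:%02dZ" % s, "ipAddress": "198.51.100.9",
     "userPrincipalName": "alice@example.test",
     "status": {"errorCode": INVALID_CREDENTIALS}}
    for s in range(5)
]

def detect_spray(events, window=timedelta(minutes=30), min_users=10, max_attempts_per_user=2.0):
    """Flag source IPs whose failed sign-ins within `window` hit many distinct
    accounts with few attempts each: the password-spray signature."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue  # only bad-password failures count toward a spray
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        by_ip[e["ipAddress"]].append((ts, e["userPrincipalName"]))
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            chunk = fails[start:end + 1]
            users = {u for _, u in chunk}
            if len(users) >= min_users and len(chunk) / len(users) <= max_attempts_per_user:
                alerts.append({"ip": ip, "users": len(users), "attempts": len(chunk),
                               "first": chunk[0][0].isoformat(), "last": chunk[-1][0].isoformat()})
                break  # one alert per source IP; the SOC triages the rest
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

In production the source IP would also be enriched with ASN and Tor exit-node data, since the campaign described above routed through Tor and commercial VPN ranges.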
Iranian Hackers Resurrect Pay2Key Operations
This revelation comes in the wake of a U.S. healthcare entity falling victim to a cyber attack by Pay2Key, an Iranian ransomware group linked to the country’s government. The ransomware-as-a-service (RaaS) operation, associated with the Fox Kitten group, first emerged in 2020.
The latest variant used in the attack represents an advancement from previous campaigns seen in July 2025, incorporating enhanced evasion techniques to bypass security measures. According to security experts, no data was stolen during the breach, a departure from the group’s usual strategy of double extortion.
The attack reportedly exploited an unknown entry point to infiltrate the organization. The intruders used legitimate remote access tools such as TeamViewer to establish a foothold, then gathered credentials for lateral movement, disabled Microsoft Defender Antivirus, executed the ransomware, dropped a ransom note, and erased logs to cover their tracks.
Halcyon explained, “By erasing logs at the end of the attack, the threat actors ensure that even their own activities are wiped clean, not just the preceding actions.”
Following their return in 2025, the group introduced several changes, including offering affiliates a higher percentage of ransom payments for participating in attacks against Iran’s adversaries. A month later, a Linux version of the Pay2Key ransomware was identified in the wild.
Morphisec researcher Ilia Kulmin remarked, “The sample is configuration-based, requiring elevated privileges to operate, designed to traverse wide file systems, identify mounts, and encrypt data using ChaCha20 in various modes.”
Before it starts encrypting, the ransomware weakens defenses: it halts services, terminates processes, disables security modules such as SELinux and AppArmor, and schedules a task to run at reboot so that encryption continues even after a system restart.
In March 2026, Halcyon disclosed that the administrator of Sicarii ransomware, Uke, encouraged pro-Iranian operatives to use Baqiyat 313 Locker (also known as BQTLock) due to an uptick in affiliate requests. BQTLock, operating with pro-Palestine motives, has been targeting the UAE, the U.S., and Israel since July 2025.
The cybersecurity firm highlighted, “Iran has a history of using cyber attacks for retaliatory purposes. Ransomware is increasingly being integrated into these operations, blurring the line between criminal extortion and state-sponsored sabotage.”