A newly uncovered cyber espionage campaign is targeting cloud environments across the Middle East, with attackers attempting to compromise enterprise accounts using password-spraying techniques. Researchers warn that the activity is primarily focused on organizations using Microsoft 365, particularly within government and critical infrastructure sectors.
Security analysts from Check Point Research report that the attacks have heavily targeted organizations in Israel and the United Arab Emirates, with municipal institutions experiencing the highest volume of login attempts.
Structured Three-Phase Attack Cycle
The campaign follows a disciplined three-stage methodology designed to evade detection while gaining access to cloud tenants.
1. Scanning Phase – Password Spraying
Attackers launch large-scale password-spraying attempts across hundreds of organizations. Instead of hammering a single account with many guesses, they try a small set of common passwords against many accounts, staying below the per-account failure threshold that would trigger a lockout.
To conceal their activity, the threat actors:
- Route traffic through Tor exit nodes
- Rotate IP addresses continuously
- Use a user-agent string mimicking Internet Explorer 10
- Spread login attempts over time to avoid detection
This approach helps them bypass basic brute-force protections.
2. Infiltration Phase – Geo-Restriction Evasion
Once valid credentials are discovered, attackers attempt to bypass geographic security controls. They use commercial VPN providers such as NordVPN and Windscribe, selecting servers located within targeted regions.
By appearing to log in from local IP addresses, the attackers evade geo-fencing policies that would normally flag foreign access attempts.
3. Exfiltration Phase – Silent Data Access
With authenticated access, attackers enter compromised Microsoft 365 accounts and begin collecting sensitive information. Activities include:
- Reading internal emails
- Monitoring communications
- Downloading documents
- Accessing shared cloud storage
Because the session was established with valid credentials from an in-region IP address, it looks like ordinary user activity, and this stage can persist undetected.
Attribution to Iran-Linked Threat Actors
Check Point Research attributes the campaign to Iran-linked operators with moderate confidence. The targeting aligns with geopolitical interests, focusing on:
- Municipal governments
- Aviation organizations
- Energy sector companies
- Maritime operations
The techniques resemble those used by the Iranian threat group Gray Sandstorm, known for leveraging Tor networks and credential-based attacks for cyber espionage.
How Organizations Can Protect Microsoft 365 Environments
Security teams should strengthen defenses against password-spraying attacks using layered protections:
- Enforce multi-factor authentication for all users
- Monitor sign-in logs for distributed failed login attempts (many accounts, one or two failures each, from rotating source IPs)
- Block Tor exit nodes via conditional access policies
- Restrict login attempts from unapproved locations
- Enable detailed audit logging for post-login activity
- Apply stronger password policies across tenants
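The sign-in log monitoring recommended above, as an added detection example that is not part of the Check Point report or this article: it buckets failed sign-ins into fixed time windows and flags a window in which many distinct accounts each fail only once or twice, the distributed pattern that per-account lockout does not catch. The sample events are constructed, in a simplified Entra ID sign-in schema assumed here (field names are the example's own); result code 50126 is the Entra ID "invalid username or password" code.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in a simplified Entra ID sign-in schema (hypothetical data, not from the
# report). resultCode 0 = success; 50126 = invalid username or password.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/120.0"
SAMPLE_SIGNINS = [
    # Low-and-slow spray: one or two tries per account, rotating IPs, legacy user agent.
    {"time": "2024-03-01T02:00:05Z", "user": "alice@city.example", "ip": "198.51.100.7", "ua": IE10_UA, "resultCode": 50126},
    {"time": "2024-03-01T02:03:41Z", "user": "bob@city.example", "ip": "203.0.113.22", "ua": IE10_UA, "resultCode": 50126},
    {"time": "2024-03-01T02:07:19Z", "user": "carol@city.example", "ip": "198.51.100.7", "ua": IE10_UA, "resultCode": 50126},
    {"time": "2024-03-01T02:12:02Z", "user": "dave@city.example", "ip": "192.0.2.88", "ua": IE10_UA, "resultCode": 50126},
    {"time": "2024-03-01T02:15:55Z", "user": "erin@city.example", "ip": "203.0.113.22", "ua": IE10_UA, "resultCode": 50126},
    {"time": "2024-03-01T02:18:30Z", "user": "alice@city.example", "ip": "192.0.2.88", "ua": IE10_UA, "resultCode": 50126},
    # One user mistyping a password, then succeeding: repeated failures on one account, not a spray.
    {"time": "2024-03-01T09:00:00Z", "user": "frank@city.example", "ip": "203.0.113.5", "ua": EDGE_UA, "resultCode": 50126},
    {"time": "2024-03-01T09:00:20Z", "user": "frank@city.example", "ip": "203.0.113.5", "ua": EDGE_UA, "resultCode": 50126},
    {"time": "2024-03-01T09:00:40Z", "user": "frank@city.example", "ip": "203.0.113.5", "ua": EDGE_UA, "resultCode": 0},
]

def detect_spray(events, window_minutes=60, min_users=5, max_per_user=2):
    """Bucket failed sign-ins into fixed windows. A window with many distinct accounts, each
    tried at most max_per_user times, is the distributed pattern that per-account lockout misses."""
    buckets = defaultdict(list)
    for e in events:
        if e["resultCode"] != 0:
            ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            buckets[int(ts.timestamp()) // (window_minutes * 60)].append(e)
    findings = []
    for slot in sorted(buckets):
        fails = buckets[slot]
        per_user = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings.append({
                "window_start": datetime.fromtimestamp(slot * window_minutes * 60, tz=timezone.utc).isoformat(),
                "attempts": len(fails),
                "distinct_users": len(per_user),
                "distinct_ips": len({e["ip"] for e in fails}),
                "legacy_ua": any("MSIE 10.0" in e["ua"] for e in fails),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_SIGNINS):
        print(finding)
```

Against real tenants the thresholds should be tuned to the organisation's baseline, and the legacy user-agent flag is only corroborating evidence, not a trigger on its own.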
Credential-based attacks remain highly effective because they exploit weak authentication controls rather than software vulnerabilities. Organizations relying on cloud identity platforms must treat login monitoring and MFA enforcement as critical security priorities.