Huge password-spray wave

Iran-linked actors have been running large password-spray attacks that hit hundreds of Microsoft 365 tenants, meaning many orgs are now dealing with broad, low-cost credential attacks rather than targeted zero-day exploitation. (That kind of attack often succeeds where MFA isn't enforced or where password hygiene is weak, so defenders need rapid credential posture checks.) (x.com)

A cheap cyberattack is hitting expensive targets. Check Point Research said an Iran-linked actor ran three password-spraying waves against Microsoft 365 accounts on March 3, March 13, and March 23, 2026, with more than 300 organizations in Israel and more than 25 in the United Arab Emirates affected. (blog.checkpoint.com)

Password spraying is the online version of trying the same house key on every door in a neighborhood. Instead of hammering one account with thousands of guesses, attackers try a small list of common passwords across many accounts, so they stay under per-account lockout thresholds and blend into normal sign-in noise. (learn.microsoft.com)

Microsoft 365 is a tempting target because one stolen cloud login can open email, files, calendars, Teams chats, and admin panels from the same identity. That makes the user account the front door, so attackers do not need a software bug if a weak password already gives them a path inside. (learn.microsoft.com)

Multi-factor authentication is the second lock on that front door. Microsoft says security defaults in Microsoft Entra ID include requiring users to register for multi-factor authentication and blocking legacy authentication protocols, because identity attacks like password spray still work when those basics are missing. (learn.microsoft.com)

That is why this campaign stands out. Check Point said the attackers did not lead with malware or a zero-day software exploit, and instead used repeated login attempts against cloud tenants, mainly in Israel and the United Arab Emirates, plus a smaller set of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. (blog.checkpoint.com)

The heaviest focus was not banks or consumer apps. Check Point said municipalities were the main target, alongside government, energy, and private-sector organizations, and Cybersecurity Dive reported that city governments may have been singled out because they help handle the aftermath of missile strikes. (blog.checkpoint.com) (cybersecuritydive.com)

The timing is part of the story. Cybersecurity Dive reported that Check Point saw a correlation between the cities targeted online and cities hit by Iranian missile attacks during March 2026, which led the researchers to assess that the intrusions may have supported bombing damage assessment. (cybersecuritydive.com) (blog.checkpoint.com)

The mechanics were simple and slippery at the same time. Check Point said the attempts came from frequently changing Tor exit nodes and carried a browser User-Agent string that claimed to be Internet Explorer 10, which makes blocking a single IP address of little use because the source keeps moving. (blog.checkpoint.com) Check Point said it had moderate confidence the activity was tied to Iran-linked operators, partly because the Microsoft 365 log patterns resembled Gray Sandstorm, a known Iran-linked group that has used password spraying before. (cybersecuritydive.com) (blog.checkpoint.com)

This is the uncomfortable lesson for defenders. A broad, low-cost credential attack can still beat a well-funded organization if even a small slice of users keeps weak passwords or never enrolls in multi-factor authentication. (learn.microsoft.com 1) (learn.microsoft.com 2)

The first response is not a hunt for a mystery exploit. The first response is to check sign-in logs for bursts of failed attempts spread across many users, force password resets where exposure is suspected, block legacy authentication, and verify that every account is covered by multi-factor authentication or Conditional Access rules. (learn.microsoft.com 1) (learn.microsoft.com 2)

The bigger shift is what this attack says about modern cyber conflict. The flashy headline in 2026 is still often a missile, but the practical foothold is increasingly a recycled password in a cloud tenant that somebody forgot to harden. (cybersecuritydive.com) (blog.checkpoint.com)
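The log check described above, as an added example that is not part of the original briefing or of Check Point's or Microsoft's tooling: a small Python detector that reads Entra-style sign-in records and flags the spray shape (many distinct users, one or two failed guesses each, inside a short window) regardless of source address, since the briefing notes the sources rotate through Tor exit nodes. The records are constructed for the illustration; the field names follow the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `clientAppUsed`, `userAgent`), error code 50126 is Entra's "invalid username or password", and the thresholds, the example IP addresses and the exact IE10 User-Agent string are assumptions to tune for a real tenant.

```python
"""Flag password-spray-shaped failed sign-in bursts in Entra-style sign-in records.

Added illustration; sample records are constructed, not real tenant logs.
Thresholds (window, min_users, max_per_user) are assumptions to tune.
"""
from collections import Counter
from datetime import datetime, timedelta

# Entra sign-in error 50126 = invalid username or password (one failed guess).
FAILURE_CODES = frozenset({50126})
# clientAppUsed values treated as modern auth here; anything else is flagged as legacy.
MODERN_CLIENTS = frozenset({"Browser", "Mobile Apps and Desktop clients"})
# Constructed User-Agent strings for the sample; the IE10 marker is an assumption.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def rec(ts, upn, ip, code, app="Browser", ua=MODERN_UA):
    """Build one record shaped like a Microsoft Graph signIn object."""
    return {
        "createdDateTime": ts,
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "userPrincipalName": upn,
        "ipAddress": ip,
        "status": {"errorCode": code},
        "clientAppUsed": app,
        "userAgent": ua,
    }


# Constructed sample: a low-and-slow spray (one guess per user from three rotating
# sources), one ordinary typo-then-success, and one legacy-protocol failure.
SAMPLE_SIGNINS = [
    rec("2026-03-13T10:00:05Z", "alice@example.com", "203.0.113.7", 50126, ua=IE10_UA),
    rec("2026-03-13T10:01:10Z", "bob@example.com", "203.0.113.7", 50126, ua=IE10_UA),
    rec("2026-03-13T10:02:30Z", "carol@example.com", "198.51.100.21", 50126, ua=IE10_UA),
    rec("2026-03-13T10:03:45Z", "dave@example.com", "198.51.100.21", 50126, ua=IE10_UA),
    rec("2026-03-13T10:05:00Z", "erin@example.com", "192.0.2.99", 50126, ua=IE10_UA),
    rec("2026-03-13T10:06:12Z", "frank@example.com", "192.0.2.99", 50126, ua=IE10_UA),
    rec("2026-03-13T10:07:00Z", "alice@example.com", "192.0.2.99", 50126, ua=IE10_UA),
    rec("2026-03-13T11:30:00Z", "grace@example.com", "203.0.113.50", 50126,
        app="Mobile Apps and Desktop clients"),
    rec("2026-03-13T11:30:20Z", "grace@example.com", "203.0.113.50", 0,
        app="Mobile Apps and Desktop clients"),
    rec("2026-03-13T14:00:00Z", "heidi@example.com", "198.51.100.21", 50126,
        app="Exchange ActiveSync"),
]


def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=3,
                 failure_codes=FAILURE_CODES):
    """Sliding window over failed sign-ins: alert when many distinct users each see only
    a few failures. Source IP is reported but deliberately not used as the key, because
    a spray that rotates exit nodes would otherwise split into harmless-looking slices."""
    failed = sorted((r for r in records if r["status"]["errorCode"] in failure_codes),
                    key=lambda r: r["ts"])
    alerts, start = [], 0
    for end in range(len(failed)):
        while failed[end]["ts"] - failed[start]["ts"] > window:
            start += 1
        win = failed[start:end + 1]
        per_user = Counter(r["userPrincipalName"] for r in win)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({
                "window_start": failed[start]["ts"].isoformat(),
                "window_end": failed[end]["ts"].isoformat(),
                "distinct_users": len(per_user),
                "attempts": len(win),
                "source_ips": sorted({r["ipAddress"] for r in win}),
            })
            start = end + 1  # do not re-alert on the same burst
    return alerts


def suspicious_clients(records, spoofed_ua_marker="MSIE 10.0"):
    """Return (user, ip, reasons) for sign-ins via legacy-auth clients or a spoofed UA."""
    hits = []
    for r in records:
        reasons = []
        if r["clientAppUsed"] not in MODERN_CLIENTS:
            reasons.append("legacy-auth-client")
        if spoofed_ua_marker in r.get("userAgent", ""):
            reasons.append("ie10-user-agent")
        if reasons:
            hits.append((r["userPrincipalName"], r["ipAddress"], reasons))
    return hits


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_SIGNINS):
        print("SPRAY:", alert)
    for upn, ip, reasons in suspicious_clients(SAMPLE_SIGNINS):
        print("REVIEW:", upn, ip, ",".join(reasons))
```

On the sample, the spray alert fires once the fifth distinct user fails inside the window, listing all three rotating source addresses, while grace's single typo and heidi's lone legacy-protocol failure never reach the user threshold. Per-account lockout counters would miss the same burst, which is the point of keying on distinct targeted users rather than on attempts per account or per IP.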
