Hackers associated with the Iranian government are trying to make it harder for cities in Israel and the Gulf states to respond to Iranian missile strikes by disrupting their Microsoft 365 platforms, according to a new report.
The attacks, which took place on three separate occasions in March, primarily targeted organizations in Israel (more than 300 targets) and the United Arab Emirates (approximately 25 targets), researchers at the Israeli cybersecurity firm Check Point Software Technologies said on Wednesday.
Municipal governments were the most common target, which Check Point said could be because of their role in responding to the aftermath of Iranian missile strikes. Iran has launched thousands of missiles and drones at Israel and other U.S. allies in the Middle East since the beginning of the war with the U.S. and Israel on Feb. 28.
“We observe some correlation between the targets of this campaign to cities that were targeted by missile attacks from Iran during March,” Check Point researchers wrote. “This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts.”
The hackers also targeted organizations in the energy, transportation and technology sectors, and a few of their targets were in the U.S., the U.K., Europe and Saudi Arabia, according to the report.
Check Point said it had moderate confidence that the campaign was the work of Iran-linked operatives, based in part on the nature of the targets and in part on M365 log data showing similarities to the Iran-linked group Gray Sandstorm.
The password-spraying attacks are the latest malicious cyber activity that researchers have attributed to Iran since the war began, following attacks on the medical-device vendor Stryker, an unnamed U.S. healthcare provider and the defense contractor Lockheed Martin.
Iran’s trademark tactic
The campaign used brute-force attacks on organizations’ login portals in repeated attempts to access systems with weak and common passwords. This password-spraying technique is a favorite initial access method of Iran-linked threat actors; Check Point said it’s seen at least two groups use it in the past.
The hackers routed their initial login attempts through Tor and switched to VPN services for the rest of the intrusion once a login succeeded, which makes the activity harder to block with static detection methods such as fixed IP blocklists.
Advice to defenders
To block password-spraying attacks, Check Point urged organizations to review sign-in logs, enforce multifactor authentication, require strong passwords, enable audit logs and restrict where users can log in from, including through geofencing and Tor IP address bans.
Monitoring sign-in logs can help organizations “identify password spray behavior patterns,” Check Point said, “specifically multiple authentication failures across many distinct user accounts originating from the same source IP.”
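The pattern Check Point describes can be checked directly against exported sign-in logs. The following is an added example, not code from Check Point or from the report; it runs over a constructed sample whose field names mirror Microsoft Entra ID sign-in records (userPrincipalName, ipAddress, status.errorCode) and flags any source IP whose failed sign-ins span many distinct accounts, also listing which accounts that source later signed into successfully.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (invented values), trimmed to the fields
# the check needs. errorCode 0 is a successful sign-in; 50126 is Entra ID's
# "invalid username or password" result.
SAMPLE_SIGNIN_LOGS = [
    {"userPrincipalName": "alice@city.test", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@city.test",   "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@city.test", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@city.test",  "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@city.test",  "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "frank@city.test", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    # One user mistyping a password a few times from one address is not a spray.
    {"userPrincipalName": "grace@city.test", "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"userPrincipalName": "grace@city.test", "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"userPrincipalName": "grace@city.test", "ipAddress": "203.0.113.9", "status": {"errorCode": 0}},
]


def detect_password_spray(records, min_distinct_users=5):
    """Return {source_ip: summary} for sources whose failures span many accounts.

    A spray is wide across accounts rather than deep on one account, so the
    trigger is the number of distinct accounts with failures from one IP,
    not the raw failure count. Any successful sign-in from a flagged source
    is reported so the affected account can be prioritised for response.
    """
    failed_users = defaultdict(set)     # ip -> accounts with at least one failure
    succeeded_users = defaultdict(set)  # ip -> accounts with a successful sign-in
    for rec in records:
        ip = rec["ipAddress"]
        user = rec["userPrincipalName"].lower()
        if rec["status"]["errorCode"] == 0:
            succeeded_users[ip].add(user)
        else:
            failed_users[ip].add(user)

    hits = {}
    for ip, users in failed_users.items():
        if len(users) >= min_distinct_users:
            hits[ip] = {
                "distinct_failed_accounts": len(users),
                "successful_sign_ins_from_source": sorted(succeeded_users.get(ip, set())),
            }
    return hits


if __name__ == "__main__":
    print(json.dumps(detect_password_spray(SAMPLE_SIGNIN_LOGS), indent=2))
```

The threshold and the single-IP grouping are the simplest form of the check; a source that rotates exit nodes, as the Tor usage above implies, needs the same grouping applied per network range or per time window as well.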
Microsoft’s website also provides advice to organizations investigating possible password-spraying attacks.