Inside Iran’s Digital Barrage: Password-Spraying Attacks Hit Israel and UAE Amid Regional Tensions
Iranian cyber operatives ramp up sophisticated password-spraying campaigns targeting critical infrastructure across the Middle East, blending digital and physical conflict.
As missiles rained down in the Middle East this March, a quieter but equally insidious assault unfolded behind the scenes. While cities braced for physical impact, government agencies and energy firms in Israel and the United Arab Emirates faced a barrage of cyberattacks, orchestrated not with explosives, but with weak passwords and relentless automation. Recent research by Check Point has uncovered a campaign that reveals how modern warfare now seamlessly merges the kinetic and the digital.
Fast Facts
- Multiple password-spraying waves from Iran-linked actors targeted Israeli and UAE government and energy sectors in March 2024.
- Attackers exploited Microsoft 365 cloud environments, focusing on municipalities and critical infrastructure.
- The campaign aligned with physical missile attacks, suggesting cyber operations were used for support and assessment.
- Threat actors used Tor and commercial VPNs to evade detection and geo-restrictions.
- Check Point urges organizations to enforce multi-factor authentication and monitor for anomalous login patterns.
Check Point Research tracked a series of three distinct attack waves - on March 3, March 13, and March 23 - directed at Microsoft 365 accounts in Israel and the UAE. The primary targets? Municipalities that play a crucial role in responding to the aftermath of missile strikes. Investigators found a striking overlap between digital targets and cities physically attacked by Iranian missiles, pointing to a strategic effort to enhance real-time Bombing Damage Assessment (BDA) and disrupt emergency response.
Unlike brute-force attacks that hammer a single account with countless guesses, password spraying flips the script: attackers try a handful of weak, commonly used passwords across a large number of accounts, betting that at least one will let them in. The Iranian-linked group used a rotating arsenal of IP addresses - leveraging Tor exit nodes and VPNs from providers like Windscribe and NordVPN - to mask their origins and sidestep geo-blocks. Cleverly, their digital fingerprints mimicked outdated browsers, further muddying the trail.
Once inside, attackers moved swiftly. Compromised credentials granted access not just to email but to sensitive documents and internal communications. The use of commercial VPNs geolocated in Israel allowed them to blend in with legitimate traffic, making detection even more challenging. Analysis points to similarities with known Iranian groups like Gray Sandstorm and Peach Sandstorm, notorious for their stealthy use of red-team tools and infrastructure repurposed for espionage.
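The two paragraphs above describe the pattern a defender needs to pick out of sign-in logs: few guesses per account but many accounts, source IPs that rotate through Tor and VPN exits, and a success that follows the spray. The following is an added example written for this article (it is not Check Point's code and not taken from the research it describes). It runs two heuristics over constructed Microsoft 365-style sign-in records: one that flags a single source IP touching many accounts, and one that catches the same spray spread across rotating IPs, then lists any account that later signed in successfully from a flagged source. The account names, IP addresses, timestamps and thresholds are all constructed; the error code 50126 is Entra ID's "invalid username or password" result.

```python
"""Password-spray detection over constructed sign-in records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Record shape loosely mirrors Entra ID sign-in log fields. Everything below is constructed.
LEGACY_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"


def _rec(ts, user, ip, ok, ua=LEGACY_UA):
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "success": ok, "errorCode": 0 if ok else 50126, "userAgent": ua}


SAMPLE_SIGNINS = (
    # Wave 1: one source IP, 12 accounts, one guess each, then a hit on one account.
    [_rec(f"2024-03-13T09:{m:02d}:00", f"user{m:02d}@city.example", "198.51.100.7", False)
     for m in range(12)]
    + [_rec("2024-03-13T09:15:00", "user03@city.example", "198.51.100.7", True)]
    # Wave 2: same spray spread over ten source IPs (Tor / VPN rotation), one account per IP.
    + [_rec(f"2024-03-13T10:{m:02d}:00", f"staff{m:02d}@city.example", f"192.0.2.{m + 1}", False)
       for m in range(10)]
    # Benign: one user mistypes a password three times, then signs in from a current browser.
    + [_rec(f"2024-03-13T11:{m:02d}:00", "alice@city.example", "203.0.113.5", False, ua=MODERN_UA)
       for m in range(3)]
    + [_rec("2024-03-13T11:04:00", "alice@city.example", "203.0.113.5", True, ua=MODERN_UA)]
)

_EPOCH = datetime(1970, 1, 1)


def _failures_by_window(records, window):
    """Bucket failed sign-ins into fixed windows keyed by the window's start time."""
    buckets = defaultdict(list)
    for r in records:
        if not r["success"]:
            start = _EPOCH + ((r["time"] - _EPOCH) // window) * window
            buckets[start].append(r)
    return buckets


def find_spraying_ips(records, window=timedelta(hours=1), min_accounts=10, max_per_account=3):
    """Classic spray: one source IP hitting many accounts with only a few guesses each.

    A brute-force attempt (many failures on one account) is deliberately excluded by
    max_per_account; that case belongs to a lockout or per-account alert instead.
    """
    findings = []
    for start, fails in _failures_by_window(records, window).items():
        per_ip = defaultdict(Counter)
        for r in fails:
            per_ip[r["ip"]][r["user"]] += 1
        for ip, users in per_ip.items():
            if len(users) >= min_accounts and max(users.values()) <= max_per_account:
                findings.append({"window": start, "ip": ip, "accounts": len(users),
                                 "failures": sum(users.values()),
                                 "userAgents": sorted({r["userAgent"] for r in fails if r["ip"] == ip})})
    return findings


def find_distributed_spray(records, window=timedelta(hours=1), min_accounts=10, max_per_account=3):
    """Rotating-IP spray: many accounts each failing a few times, regardless of source IP.

    Per-IP counting misses an attacker who changes exit node for every account, so this
    heuristic counts distinct low-failure accounts across the whole tenant per window.
    """
    findings = []
    for start, fails in _failures_by_window(records, window).items():
        per_user = Counter(r["user"] for r in fails)
        low_and_wide = {u for u, n in per_user.items() if n <= max_per_account}
        if len(low_and_wide) >= min_accounts:
            findings.append({"window": start, "accounts": len(low_and_wide),
                             "source_ips": len({r["ip"] for r in fails if r["user"] in low_and_wide})})
    return findings


def successes_from_spray_sources(records, spray_findings):
    """Accounts that signed in successfully from an IP already flagged as spraying."""
    flagged = {f["ip"] for f in spray_findings}
    return sorted({(r["user"], r["ip"]) for r in records if r["success"] and r["ip"] in flagged})


if __name__ == "__main__":
    by_ip = find_spraying_ips(SAMPLE_SIGNINS)
    for f in by_ip:
        print(f"spray from {f['ip']}: {f['accounts']} accounts, {f['failures']} failures, UA {f['userAgents']}")
    for f in find_distributed_spray(SAMPLE_SIGNINS):
        print(f"window {f['window']:%H:%M}: {f['accounts']} accounts sprayed via {f['source_ips']} source IPs")
    for user, ip in successes_from_spray_sources(SAMPLE_SIGNINS, by_ip):
        print(f"follow-up: {user} signed in from spraying source {ip}, investigate session")
```

The per-IP heuristic alone flags only the first wave; the second wave, one account per exit node, is visible only to the tenant-wide count, which is why both are needed against an actor rotating through Tor and VPN providers. The user agents collected for a flagged source give the analyst the outdated-browser fingerprint the article mentions as a secondary signal, and the final step turns a spray alert into a credential-compromise alert by pairing it with the success that followed.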
The implications stretch far beyond the Middle East. Check Point warns that such tactics - supercharged by automation and artificial intelligence - are redefining the global threat landscape. Password-based attacks now operate at industrial scale, with thousands of attempts per week becoming the norm for high-value targets across North America, Europe, and beyond. As ransomware crews and nation-state actors pivot to “log in rather than break in,” exploiting stolen credentials has become the preferred method of infiltration.
To counter these threats, experts advocate for layered defenses: multi-factor authentication, vigilant log monitoring, and strict geo-fencing. Yet as adversaries grow bolder and more automated, the race between attackers and defenders is only accelerating.
The latest Iranian password-spraying wave is a stark reminder: in the age of hybrid conflict, a city’s digital defenses are as critical as its physical ones. As the line between cyber and kinetic warfare blurs, organizations must fortify every front - or risk being caught in the crossfire.
WIKICROOK
- Password Spraying: Password spraying is a cyberattack where a few common passwords are tried across many accounts to avoid detection and bypass account lockout mechanisms.
- Tor Exit Node: A Tor exit node is the last relay in the Tor network, forwarding user traffic to the public internet and masking the user's IP address.
- Multi-Factor Authentication (MFA): Multi-factor authentication requires a user to present two or more independent proofs of identity - for example a password plus a one-time code or a hardware token - so that a guessed or stolen password alone is not enough to sign in.
- Bombing Damage Assessment (BDA): Bombing Damage Assessment evaluates the effectiveness and impact of a military or cyber strike, informing future operations and strategic decisions.
- Red Team: A red team is a group of cybersecurity experts who simulate attacks on systems to find and fix vulnerabilities before real attackers exploit them.