
Iran-Linked Password-Spraying Campaign Targets Over 300 Israeli Microsoft 365 Organizations


Cybersecurity Threats Emanating from Iran: A Growing Concern

A significant cybersecurity threat linked to Iranian actors has emerged, with reports suggesting a password-spraying campaign actively targeting Microsoft 365 environments in Israel and the United Arab Emirates (U.A.E.) amidst the ongoing geopolitical conflict in the Middle East. The attacks, which reportedly impacted over 300 organizations in Israel and more than 25 in the U.A.E., unfolded in three separate waves on March 3, March 13, and March 23, 2026, according to analysis provided by Check Point, a prominent Israeli cybersecurity firm.

Check Point disclosed that the campaign’s main focus remained on organizations within Israel and the U.A.E., but similar activity from the same threat actor was noted against a small number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. Various sectors, including government entities, municipalities, technology firms, transportation, energy organizations, and private companies, appear to have been targeted in these sophisticated cyber operations.

Password spraying, the method employed in this campaign, is a more efficient form of brute-force attack in which attackers try a single, commonly used password against many usernames rather than many passwords against one account. Because each account sees only one or two failed attempts, the technique finds weak credentials without raising suspicion or triggering lockout policies that count failed logins per account. Such tactics have previously been associated with Iranian hacking groups such as Peach Sandstorm and Gray Sandstorm in earlier network intrusions.

The campaign unfolds in three primary phases: initial aggressive scanning and password spraying via Tor exit nodes, followed by login attempts with the credentials discovered, and finally the exfiltration of sensitive data, including mailbox contents. Check Point noted striking similarities between these attacks and those attributed to the Gray Sandstorm group, specifically the use of red-team tools and Tor exit nodes. The attackers also used commercial VPN services linked to AS35758, which is consistent with recent Iranian cyber operations in the region.

In light of this escalating threat, organizations are urged to adopt defensive measures against potential password spraying attacks. Suggested steps include closely monitoring sign-in logs for unusual activity, implementing conditional access controls to restrict authentication to approved geographical areas, enforcing multi-factor authentication (MFA) for all users, and enabling audit logs to facilitate investigations after potential breaches.
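As an added illustration of the sign-in log monitoring advised above (example code written for this page, not from Check Point's report or the article), the detector below runs over constructed records shaped like Entra ID sign-in logs and flags a source IP whose failures are spread across many accounts with only one or two tries each, which distinguishes a spray from a single-account brute force. The field names, the error code meanings and the thresholds are assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Entra ID sign-in log records (field names are an
# assumption for this example). errorCode 50126 = invalid username or password; 0 = success.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2026-03-13T08:00:05Z","userPrincipalName":"a.cohen@example.com","ipAddress":"203.0.113.7","errorCode":50126}
{"createdDateTime":"2026-03-13T08:00:41Z","userPrincipalName":"b.levi@example.com","ipAddress":"203.0.113.7","errorCode":50126}
{"createdDateTime":"2026-03-13T08:01:12Z","userPrincipalName":"c.mizrahi@example.com","ipAddress":"203.0.113.7","errorCode":50126}
{"createdDateTime":"2026-03-13T08:01:59Z","userPrincipalName":"d.peretz@example.com","ipAddress":"203.0.113.7","errorCode":50126}
{"createdDateTime":"2026-03-13T08:02:30Z","userPrincipalName":"e.biton@example.com","ipAddress":"203.0.113.7","errorCode":50126}
{"createdDateTime":"2026-03-13T08:03:04Z","userPrincipalName":"f.dahan@example.com","ipAddress":"203.0.113.7","errorCode":0}
{"createdDateTime":"2026-03-13T09:10:00Z","userPrincipalName":"g.azulay@example.com","ipAddress":"198.51.100.4","errorCode":50126}
{"createdDateTime":"2026-03-13T09:10:20Z","userPrincipalName":"g.azulay@example.com","ipAddress":"198.51.100.4","errorCode":50126}
{"createdDateTime":"2026-03-13T09:10:40Z","userPrincipalName":"g.azulay@example.com","ipAddress":"198.51.100.4","errorCode":50126}
{"createdDateTime":"2026-03-13T09:11:00Z","userPrincipalName":"g.azulay@example.com","ipAddress":"198.51.100.4","errorCode":50126}
{"createdDateTime":"2026-03-13T09:11:20Z","userPrincipalName":"g.azulay@example.com","ipAddress":"198.51.100.4","errorCode":50126}
"""


def parse_signin_log(text):
    """One JSON record per line; attach a parsed timestamp for window arithmetic."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failed sign-ins hit many distinct users with few tries each."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ipAddress"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["errorCode"] != 0]
        for i, start in enumerate(fails):  # sliding window anchored at each failure
            in_win = [r for r in fails[i:] if r["ts"] - start["ts"] <= window]
            per_user = Counter(r["userPrincipalName"] for r in in_win)
            # Spray signature: breadth across accounts, shallow depth per account.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from the same source after the spray began is the
                # "attempts to log in" phase and points at a compromised account.
                ok_after = sorted({r["userPrincipalName"] for r in recs
                                   if r["errorCode"] == 0 and r["ts"] >= start["ts"]})
                findings[ip] = {"distinct_users": len(per_user), "failures": len(in_win),
                                "successes_after": ok_after}
                break
    return findings
```

In the constructed sample only 203.0.113.7 is flagged; the five failures against one account from 198.51.100.4 are a per-account brute force that a lockout policy already covers, not a spray.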

The Resurgence of Pay2Key Operations

The emerging threat landscape reveals not only the password-spraying campaign but also a resurgence of activities by the Iranian ransomware group known as Pay2Key. This group, suspected to maintain ties to the Iranian government, was involved in targeting a U.S. healthcare organization in late February 2026. Pay2Key operates as a ransomware-as-a-service (RaaS) entity, first gaining notoriety in 2020 and having ties to the Fox Kitten group.

The ransomware variant utilized during the recent attack has been identified as an upgraded version of those previously observed in July 2025. Enhanced evasion, execution, and anti-forensics techniques characterize this new wave of attacks. According to cybersecurity experts from Beazley Security and Halcyon, data exfiltration was notably absent during this incident, signaling a departure from the group’s earlier tactics which often involved double extortion.

The attack strategy appeared to exploit a legitimate remote access tool, such as TeamViewer, to initially breach the organization. From that foothold, credentials were harvested to allow lateral movement throughout the network. Notably, the attackers disarmed Microsoft Defender Antivirus by falsely indicating that a third-party antivirus system was in effect. Consequently, they deployed ransomware, issued a ransom note, and meticulously cleared logs to obscure their digital footprint.

Halcyon emphasized that clearing logs at the end of the execution cycle—rather than at the beginning—ensures that even the activity of the ransomware itself is deleted, making post-attack investigations further challenging. Alongside this tactical shift, Pay2Key has altered its operational model by offering affiliates an 80% share of any ransom proceeds (a rise from the previous 70%), further incentivizing attacks against entities perceived as adversaries of Iran.

In early March 2026, it was disclosed that operators affiliated with the Sicarii ransomware group were transitioning to the use of a new ransomware variant known as Baqiyat 313 Locker (BQTlock) due to an increase in requests from pro-Iranian affiliates. This new strain has allegedly targeted entities in the U.A.E., the United States, and Israel since July 2025.

Cybersecurity experts note that Iran has long employed cyber warfare as a retaliatory tactic against perceived political threats. The line between criminal ransomware campaigns and state-sponsored cyber-sabotage has been increasingly blurred, with operations now infused with indiscriminate ransomware tactics designed to undermine opponents.

As this trend of heightened cyber threats continues to evolve, it becomes imperative for organizations in and beyond the Middle East to reinforce their cybersecurity measures and remain vigilant against the dynamic and emerging tactics adopted by these state-sponsored actors.
