The timing was anything but coincidental. On three separate days in March – the 3rd, 13th, and 23rd – while missile strikes rained down on Israeli cities from Iranian-backed forces, a different kind of assault was unfolding silently in the cloud.
An Iran-linked threat actor was systematically hammering Microsoft 365 login portals across the Middle East, using a crude but effective technique called password spraying. They weren’t guessing random passwords. They were trying the most common ones – think Spring2025 or Password123 – across thousands of accounts, waiting for one to crack.
And hundreds did.
According to fresh research from Check Point’s threat intelligence team, which I’ve reviewed ahead of publication, the campaign breached more than 300 organizations in Israel and over 25 in the United Arab Emirates. Smaller numbers of targets in Saudi Arabia, Europe, the United Kingdom, and the United States were also hit.
But here’s what makes this campaign chillingly strategic: the targets weren’t random.
A Campaign Synchronized with Kinetic Warfare
The attackers focused heavily on municipalities, local government bodies responsible for emergency response, infrastructure repair, and what military analysts call Bombing Damage Assessment (BDA). In plain language: the same agencies that would document and respond to physical missile damage.
Check Point researchers noted a “correlation between the targets of this campaign and cities that were targeted by missile attacks from Iran during March.”
Think about that for a moment.
While air defense systems tracked incoming projectiles, digital intruders were simultaneously trying to break into the very cloud systems those cities use to coordinate their response. The goal appears to have been situational awareness, understanding exactly what got hit, how bad the damage was, and whether response efforts were succeeding.
This isn’t speculation. It’s the logical conclusion when you overlay missile impact maps with password spray logs.
Why Password Spraying Still Works in 2025
Password spraying is not sophisticated. It’s not zero-days or AI-powered exploits. It’s simply the digital equivalent of trying 10 common keys on 1,000 doors.
But it works because humans remain the weakest link.
According to cybersecurity training experts at Saintynet Cybersecurity, organizations across the Middle East and Africa continue to struggle with basic identity hygiene. “We still see Admin123, CompanyName2024, and seasonal passwords like March2025 in production environments,” a senior consultant told me. “Attackers know this. They don’t need zero-days. They need one lazy password.”
The Iran-linked actor understood this perfectly. Their three waves – March 3, March 13, and March 23 – were spaced to avoid triggering account lockouts while maximizing coverage.
Who Got Hit? And Why It Matters
The victim list reads like a critical infrastructure directory:
- Municipalities (primary target): for BDA and response coordination
- Government entities: for policy and intelligence visibility
- Energy sector organizations: to understand grid vulnerabilities during conflict
- Private sector companies: likely opportunistic or supply-chain focused
The geographic focus was unmistakably Middle Eastern, with Israel and the UAE absorbing the overwhelming majority of successful breaches. But the presence of targets in Europe, the UK, and the US should concern global security teams.
If an Iran-linked actor is willing to hit Western targets in a campaign tied to Middle East kinetic operations, no cloud environment is truly out of scope.
The Bigger Picture: Cyber as an Extension of Warfare
We’ve moved past the era where cyber operations were separate from physical conflict.
This campaign explicitly supported kinetic operations – military strikes. The attackers weren’t after credit cards or intellectual property. They wanted real-time damage assessment to inform the next missile wave.
That’s a terrifying escalation.
As one former intelligence officer told me, “When a nation-state can breach your municipality’s cloud tenant within hours of a missile strike, they’re not just attacking your territory. They’re attacking your ability to respond, recover, and report.”
For readers across the Middle East and Africa, this is not abstract. From Lagos to Riyadh, from Nairobi to Abu Dhabi, government cloud environments are prime targets. And password spraying is the easiest way in.
10 Urgent Actions for Security Teams
Based on this campaign and my conversations with incident responders, here’s what every organization should implement immediately:
- Enforce phishing-resistant MFA – Password spraying fails against FIDO2 keys or certificate-based authentication. SMS and push notifications can still be bypassed.
- Audit all Microsoft 365 sign-in logs – Look for failed login attempts from unusual IP addresses, especially around weekends or holidays when spraying often occurs.
- Block legacy authentication protocols – IMAP, POP3, and SMTP don’t support MFA. Attackers love them. Turn them off.
- Implement conditional access policies – Restrict logins by geographic region, device compliance, and risk score. No one from outside your country needs to access your municipality’s cloud at 3 AM.
- Use password blocklists – Azure AD Password Protection can block common passwords and custom keywords (like your city name or Spring2025).
- Train users on password hygiene – This isn’t “awareness theater.” Real training from providers like Saintynet Cybersecurity changes behavior. Repeating 123456 across accounts is a national security risk.
- Monitor for impossible travel alerts – A login from Dubai and then New York ten minutes apart is impossible. Your SIEM should flag it instantly.
- Deploy a cloud access security broker (CASB) – CASBs can detect and block anomalous login patterns that traditional tools miss.
- Conduct regular red team exercises – Simulate password spraying yourself. See who breaks. Fix them before the real adversary does.
- Establish an incident response playbook for cloud compromise – If an attacker gets in via password spray, do you know how to evict them? If not, build that playbook this week.
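The sign-in log audit recommended in the list above, as an added example that is not taken from Check Point's research or from the original article: it flags any source IP that fails against many distinct accounts with only a few tries per account, then lists accounts that later signed in successfully from that same IP. The record layout, the thresholds and the name `detect_spray` are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, account, source IP, outcome).
# Domain and documentation-range IPs are placeholders, not campaign data.
SAMPLE = [(f"2025-01-06T08:00:{i * 5:02d}", f"user{i + 1}@city.example",
           "203.0.113.7", "fail") for i in range(6)]
SAMPLE += [
    ("2025-01-06T08:00:40", "user7@city.example", "203.0.113.7", "success"),
    # One person mistyping their own password: many failures, one account.
    ("2025-01-06T09:10:00", "user8@city.example", "198.51.100.20", "fail"),
    ("2025-01-06T09:10:20", "user8@city.example", "198.51.100.20", "fail"),
    ("2025-01-06T09:10:45", "user8@city.example", "198.51.100.20", "fail"),
    ("2025-01-06T09:11:10", "user8@city.example", "198.51.100.20", "success"),
]

def detect_spray(records, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Return {ip: finding} for IPs whose failures match the spray shape:
    many distinct accounts, few attempts each, inside one time window."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, u, o in events if o == "fail"]
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                # A success from the spraying IP after the spray began is a
                # likely compromised account and should be triaged first.
                hits = sorted({u for t, u, o in events
                               if o == "success" and t >= start})
                findings[ip] = {"accounts_tried": len(per_user),
                                "compromised": hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

Per-account lockout counters never see this pattern because each account receives only one or two attempts, which is why the grouping key here is the source IP rather than the user.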
What This Means for the Middle East and Africa
For MEA-based organizations, this campaign is a wake-up call.
The UAE and Saudi Arabia were directly targeted. But the threat actor’s success suggests they’ll expand. African governments rapidly adopting Microsoft 365 – from Kenya to Nigeria to South Africa – are equally vulnerable.
The difference is visibility. Israeli organizations had Check Point hunting for them. Does your country have that level of cloud threat hunting?
If not, it’s time to partner with cybersecurity training and awareness providers who understand the regional threat landscape. Generic global guidance won’t stop an Iran-linked actor targeting your municipality’s damage assessment systems.
A Final Word
This campaign wasn’t about data theft or ransomware. It was about information advantage in active conflict.
The attackers wanted to see what the Israelis saw after each missile wave. They wanted to know which buildings collapsed, which roads were impassable, which response teams were mobilized.
And they used password spraying – the most basic attack in the book – to get it.
That should terrify every security professional reading this.
We spend billions on endpoint detection, AI firewalls, and zero-trust architectures. But if one municipal employee uses CityHall2025 as their password, none of it matters.
The fix isn’t more technology. It’s better hygiene, enforced MFA, and continuous training.
Because the next missile wave is coming. And the password spray will arrive with it.




