What Happened
Check Point Research published its analysis of a coordinated password-spraying campaign against Microsoft 365 environments, attributing it with high confidence to an Iran-nexus threat actor. The campaign ran in three distinct waves on March 3, March 13, and March 23, 2026, targeting organisations across Israel, the UAE, Europe, the United States, the United Kingdom, and Saudi Arabia.
Password spraying is a credential attack in which the threat actor tries a short list of common or weak passwords against a large number of accounts, one or two guesses per account, so that no single account crosses the lockout threshold that a conventional brute-force attack would trigger. A guessed password only turns into access where nothing else stands in the way: an account with no MFA enforced, an account exempted from MFA by a Conditional Access rule, or a legacy protocol that accepts a bare username and password. The technique is therefore effective against organisations that have not enforced strong password policies and MFA, ideally phishing-resistant MFA, on every account and every sign-in path.
The targeted sectors included government entities, municipalities, energy organisations, technology companies, and transportation operators. More than 300 organisations in Israel and over 25 in the UAE were directly affected. After acquiring valid credentials, the attackers authenticated from VPN exit nodes geolocated in Israel using Windscribe and NordVPN IP address ranges, a deliberate effort to evade geography-based access controls and blend into expected authentication traffic for the target organisations.
Iran-linked groups including Peach Sandstorm and Gray Sandstorm — both affiliated with the Islamic Revolutionary Guard Corps — are known users of this technique for initial access into M365 environments. The Hacker News | Check Point Research
Why This Matters for Canadian Organizations
Password-spraying campaigns against M365 do not stay geographically contained. The same credential lists, infrastructure, and techniques used in Middle Eastern operations migrate to Western targets when threat actors expand their collection priorities or receive new tasking. Iran-linked actors already have a documented history of targeting Canadian and allied government, energy, and critical infrastructure sectors.
Canadian government departments, Crown corporations, energy utilities, and technology firms all operate Microsoft 365 environments. Many have mixed authentication postures: phishing-resistant MFA enforced on some accounts but not all, legacy authentication protocols left enabled for operational compatibility, or Conditional Access policies that exempt trusted or in-country locations from MFA, which is exactly the gap a login from an in-country VPN exit node slips through. Any one of these gaps is an entry point for a password-spraying campaign using the same playbook documented here.
The use of commercial VPN infrastructure to make logins appear to originate in the target country also undermines a common compensating control: blocking or flagging logins from unexpected countries. When the attacker's authentication request arrives from an in-country address, geofencing policies provide no protection, and a named-location rule that waives MFA for that country becomes an MFA bypass.
Under Canada's PIPEDA obligations and the Treasury Board's requirements for federal institutions, M365 tenants handling personal or protected information must maintain audit logs and report breaches that create a real risk of significant harm. An M365 account compromise that exposes sensitive government correspondence or personal data held in SharePoint or Exchange will in most cases meet this threshold, which makes retaining and reviewing the sign-in logs for the campaign period a compliance matter as well as a security one.
What to Do
Enforce phishing-resistant MFA (FIDO2 security keys or passkeys, certificate-based authentication, or Windows Hello for Business) on all M365 accounts, starting with those that hold access to sensitive data, and check that no Conditional Access exclusion leaves an account or a location with no MFA at all. Any enforced MFA stops a sprayed password from being enough on its own; SMS and authenticator-app MFA still fall to adversary-in-the-middle phishing, which is the usual follow-on once an actor holds a valid password, and that is the gap the phishing-resistant methods close.
Block legacy authentication in M365 tenants. Basic authentication over POP3, IMAP, SMTP AUTH, Exchange ActiveSync and other legacy protocols accepts a username and password with no MFA prompt, so a sprayed password gives immediate mailbox access. Create a Conditional Access policy that blocks the "Exchange ActiveSync clients" and "Other clients" app types for all users (run it in report-only mode first and review the sign-in log filtered to legacy authentication clients for anything that would break), and back it with Exchange Online authentication policies or per-mailbox settings that disable POP, IMAP and SMTP AUTH where they are not needed. Note that Entra's authentication methods policy governs which MFA methods users may register, not which protocols may authenticate; it is not the control for this.
Audit Conditional Access policies for gaps that permit logins from commercial VPN ranges, in particular named-location exemptions that skip MFA for traffic from the home country. Review the Windscribe (185.191.204.x) and NordVPN (169.150.227.x) ranges Check Point identified and assess whether your current policies log or block authentication from them, but treat those two /24s as indicators for this campaign rather than a durable control: commercial VPN providers rotate and add address space, and the same actor can pick another provider or another exit country. Binding sign-in policy to device compliance or sign-in risk, rather than to source geography, holds up when the exit node changes.
Review M365 sign-in logs for the March 3, 13, and 23 campaign waves. The spray itself shows up as many distinct accounts failing with the invalid-password result (Entra error code 50126) from one source IP within a short window, with only one or two attempts per account; the compromise shows up as a later successful sign-in for one of those accounts from a VPN-geolocated address, or over a legacy protocol that never prompted for MFA. Entra ID keeps sign-in logs for only 30 days on P1/P2 tenants (7 days on the free tier), so pull the period from your SIEM or log export if the native portal no longer covers it. Engage incident response procedures if successful logins are identified from these ranges during the campaign period.
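The detection described in the two items above, as an added example that is not part of Check Point's report or Microsoft's tooling: a Python triage of Entra ID sign-in records that flags source IPs showing the spray shape (one address, many accounts, one or two failures each inside an hour), then lists successful sign-ins that followed a spray attempt on the same account, came from the two VPN ranges named above, or used a legacy protocol that never prompted for MFA (the caveat from the legacy-authentication item). The record fields follow the Entra sign-in log export; the events are constructed for the example, and the thresholds of 10 accounts per hour and a 24-hour follow-up window are assumptions to tune to the tenant.

```python
"""Triage of Entra ID sign-in events for the password-spray pattern in the advisory.

Added example, not code from Check Point Research or Microsoft. Each record mirrors
the fields of an Entra ID sign-in log export (Graph /auditLogs/signIns or the
SigninLogs table): userPrincipalName, ipAddress, createdDateTime, clientAppUsed and
status.errorCode. SAMPLE_EVENTS is constructed; the two /24s are the Windscribe and
NordVPN ranges the advisory names; window, min_users and follow_up are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

VPN_RANGES = [ipaddress.ip_network(n) for n in ("185.191.204.0/24", "169.150.227.0/24")]
SUCCESS, BAD_PASSWORD = 0, 50126  # Entra status.errorCode: success / invalid username or password
# clientAppUsed values for legacy protocols: Basic auth, never prompts for MFA
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def in_vpn_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def spray_sources(events, window=timedelta(hours=1), min_users=10):
    """{ip: set(accounts)} for source IPs whose bad-password failures hit at least
    min_users distinct accounts inside any window-long interval. Spray is one IP,
    many accounts, few tries each; one account failing repeatedly is not spray."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == BAD_PASSWORD:
            failures[e["ipAddress"]].append((_ts(e["createdDateTime"]), e["userPrincipalName"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide the window over each failure
            users = {u for t, u in attempts[i:] if t < start + window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def suspect_successes(events, sprayed, follow_up=timedelta(hours=24)):
    """Successful sign-ins worth an IR look, each with its reasons: the account was
    sprayed and then logged in within follow_up, the login came from a spray source
    or a VPN range named in the advisory, or it used a legacy protocol (no MFA)."""
    first_hit = {}  # account -> first bad-password attempt from a spray source
    for e in events:
        if e["ipAddress"] in sprayed and e["status"]["errorCode"] == BAD_PASSWORD:
            t, u = _ts(e["createdDateTime"]), e["userPrincipalName"]
            first_hit[u] = min(t, first_hit.get(u, t))
    findings = []
    for e in events:
        if e["status"]["errorCode"] != SUCCESS:
            continue
        u, ip, t = e["userPrincipalName"], e["ipAddress"], _ts(e["createdDateTime"])
        reasons = []
        if u in first_hit and first_hit[u] <= t <= first_hit[u] + follow_up:
            reasons.append("login after spray attempt on this account")
        if ip in sprayed:
            reasons.append("login from spray source IP")
        if in_vpn_range(ip):
            reasons.append("VPN exit node named in the advisory")
        if e["clientAppUsed"] in LEGACY_CLIENTS:
            reasons.append("legacy protocol, no MFA")
        if reasons:
            findings.append({"user": u, "ip": ip, "time": e["createdDateTime"], "reasons": reasons})
    return findings


def triage(events):
    sprayed = spray_sources(events)
    return {"spray_sources": {ip: sorted(u) for ip, u in sprayed.items()},
            "suspect_successes": suspect_successes(events, sprayed)}


def _event(time, user, ip, code, client="Browser"):
    return {"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code}}


# Constructed sample: one spray wave, a benign typo, a follow-on VPN login, an IMAP login.
SAMPLE_EVENTS = (
    # 12 accounts, one guess each, from one Windscribe-range address within 24 minutes
    [_event(f"2026-03-13T02:{2 * i:02d}:00Z", f"user{i:02d}@example.ca", "185.191.204.10", BAD_PASSWORD)
     for i in range(12)]
    # one employee mistypes twice from the office, then succeeds: not spray
    + [_event("2026-03-13T08:00:00Z", "alice@example.ca", "198.51.100.7", BAD_PASSWORD),
       _event("2026-03-13T08:00:30Z", "alice@example.ca", "198.51.100.7", BAD_PASSWORD),
       _event("2026-03-13T08:01:00Z", "alice@example.ca", "198.51.100.7", SUCCESS)]
    # a sprayed account signs in hours later from a NordVPN-range address
    + [_event("2026-03-13T11:30:00Z", "user07@example.ca", "169.150.227.5", SUCCESS)]
    # another sprayed account is read over IMAP, a path that never prompted for MFA
    + [_event("2026-03-13T12:00:00Z", "user09@example.ca", "203.0.113.9", SUCCESS, "IMAP4")]
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

To run it against a real tenant, replace SAMPLE_EVENTS with the records returned by a Graph /auditLogs/signIns query or a SigninLogs export; the window-and-distinct-accounts test in spray_sources is the same computation a KQL query over SigninLogs performs with summarize dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 1h). The distinct-account threshold, not the raw failure count, is what separates spray from a single user's typos, which is why alice's two failures from the office are ignored while the twelve one-shot failures from 185.191.204.10 are flagged.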

