Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

A hacker who is thought to be connected to Iran is thought to be behind a campaign to spread passwords This article explores uae attacks linked. . The campaign mostly goes after Israel and the UAE, and it affects more than 300 businesses in Israel and almost 25 in the UAE.

There have also been attacks linked to the same actor against a small number of targets in Europe, the US, the UK, and Saudi Arabia. To lower this risk, companies should keep an eye on sign-in logs for signs of password spraying, use conditional access controls to limit authentication to certain geographic areas, require all users to use multi-factor authentication (MFA), and turn on audit logs for investigations after a breach.

Check Point Research says that the threat actor used commercial VPNs hosted at AS35758 (Rachamim Aviel Twito), which fits with what Iran has been doing in the Middle East recently. The attackers used a legitimate remote access tool, like TeamViewer, to get into the organization through an unknown access point. Halcyon said in March 2026 that Uke, the administrator of Sicarii ransomware, told pro-Iranian operators to use Baqiyat 313 Locker (BQTlock).

BQTLock has been going after the United Arab Emirates, the United States, and Israel since July 2025 because it wants to help Palestine. "Because Iran has a history of using cyber attacks to get back at people for political reasons, it is now more common to see ransomware used in these kinds of operations," Uke said.

Uke went on to say that these campaigns often cross the line between traditional criminal extortion and government-sponsored sabotage. It is not clear if pro-Israel or pro-Palestinian operators in the U.S. or Israel have used BQTock in the past. To get private help, call the Samaritans at 08457 90 90 90, go to a Samaritans branch near you, or click here for more information.