Microsoft said it is tracking what it believes is an Iran-based threat actor that has been observed conducting “extensive password spraying” against more than 250 organizations, including U.S. and Israeli defense technology firms.
Other targets include points of entry in the Persian Gulf or global maritime transportation companies that do business in the Middle East. Since the targets are companies that support Iran’s geopolitical adversaries and are also frequently targeted by Iranian actors, Microsoft believes this activity is originating in Iran.
Microsoft has assigned the label DEV-0343 to this threat activity cluster, allowing the company’s Threat Intelligence Center to track it as a unique set of information until it reaches high confidence about the origin or identity of the actor.
According to a security blog, fewer than 20 of the 250 Office 365 tenants have been successfully compromised, but the group continues to evolve and refine its attacks.
Specifically, the attacks target U.S., Israeli and European Union defense companies that produce military-grade radars, drone technology, satellite systems and emergency response communication systems.
Because of those targets, Microsoft believes the activity supports the Iranian government’s tracking of adversary security services and maritime shipping in the Middle East to enhance its contingency plans.
“Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” Microsoft said. “Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat.”
According to the blog, the password sprays emulate a Firefox browser via IPs hosted on a Tor proxy network and are most active between Sunday and Thursday, from 7:30 a.m. to 8:30 p.m. Iran time.
Up to hundreds of accounts within a single organization are targeted, and on average between 150 and 1,000 unique Tor proxy IP addresses are used in these attacks.
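The reported pattern (many distinct accounts failing from a single source, a Firefox user agent, activity concentrated in a Sunday-Thursday 07:30-20:30 Iran-time window) can be turned into a simple triage check over sign-in logs. The Python below is an added example, not code from Microsoft or the article; it assumes a fixed UTC+3:30 offset for Iran time, a threshold of five distinct accounts per source IP, and constructed sample events rather than real telemetry.

```python
"""Flag password-spray sources in sign-in events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Iran Standard Time is UTC+3:30; a fixed offset is assumed here (no DST handling).
IRAN_TZ = timezone(timedelta(hours=3, minutes=30))
ACTIVE_DAYS = {6, 0, 1, 2, 3}  # Sun..Thu in datetime.weekday() numbering (Mon=0, Sun=6)
ACTIVE_START, ACTIVE_END = (7, 30), (20, 30)  # 07:30-20:30 Iran time, the reported window

def in_reported_window(ts_utc: str) -> bool:
    """True if a UTC ISO-8601 timestamp falls in the Sun-Thu 07:30-20:30 Iran-time window."""
    local = datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(IRAN_TZ)
    return local.weekday() in ACTIVE_DAYS and ACTIVE_START <= (local.hour, local.minute) <= ACTIVE_END

def detect_spray(events, min_accounts=5):
    """Group failed sign-ins by source IP and flag IPs failing against many distinct accounts.

    events: iterable of (utc_timestamp, account, source_ip, user_agent, result).
    Returns {ip: {"accounts": n, "firefox_ua": bool, "in_window": fraction}} for flagged IPs.
    """
    by_ip = defaultdict(list)
    for ts, account, ip, ua, result in events:
        if result == "failure":
            by_ip[ip].append((ts, account, ua))
    flagged = {}
    for ip, attempts in by_ip.items():
        accounts = {a for _, a, _ in attempts}
        if len(accounts) < min_accounts:
            continue  # one user mistyping a password is not a spray
        flagged[ip] = {
            "accounts": len(accounts),
            "firefox_ua": all("Firefox/" in ua for _, _, ua in attempts),
            "in_window": sum(in_reported_window(ts) for ts, _, _ in attempts) / len(attempts),
        }
    return flagged

# Constructed sample: one source trying six accounts once each (spray shape) on a Sunday,
# plus one legitimate user failing twice from an office address. Addresses are documentation ranges.
FF = "Mozilla/5.0 (Windows NT 10.0; rv:93.0) Gecko/20100101 Firefox/93.0"
SAMPLE_EVENTS = [
    (f"2021-10-10T05:0{i}:00Z", f"user{i}@example.org", "198.51.100.7", FF, "failure") for i in range(6)
] + [
    ("2021-10-10T09:15:00Z", "alice@example.org", "203.0.113.5", "Chrome/94", "failure"),
    ("2021-10-10T09:15:20Z", "alice@example.org", "203.0.113.5", "Chrome/94", "failure"),
]

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(ip, info)
```

A high `in_window` fraction and a Firefox-only user agent are corroborating signals, not proof; the account-count threshold does the real work, and in production it would be tuned against the tenant's normal failure rate.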
To defend against this attack and similar password sprays, Microsoft advises enabling multifactor authentication on all Office 365 accounts or using passwordless solutions like Microsoft Authenticator.
The company also suggests reviewing and enforcing recommended Exchange Online access policies and blocking all incoming traffic from anonymizing services where possible.