Iranian Threat Actor Conducting Password Spraying Attacks on Defense Companies

An Iranian threat actor is conducting a password spraying campaign targeting the Office 365 accounts of U.S. EU, and Israeli defense companies.

Microsoft’s Threat Intelligence Center (MSTIC) first identified the campaign in late July and attributed the attacks to the Iran-linked DEV-0343 group. DEV-0343 has conducted more than 250 attacks on Office 365 tenants in that time, most of which have been conducted on US and Israeli defense technology companies. Those companies produce military equipment such as radars, drone technology, satellite systems, and emergency response communication systems. The group has also targeted Persian Gulf ports of entry and global maritime transportation companies operating in the Middle East. Microsoft says fewer than 20 of the attacks have been successful.

Password spraying is a brute force attack where repeated attempts are made to guess weak passwords. The attacks are automated, and often occur slowly over time to avoid detection and prevent account lockouts. To speed up attacks and avoid countermeasures implemented to block the attacks, it is common for a password to be used across many different accounts at the same time before moving on to another password. These attacks involve lists of commonly used passwords and passwords obtained in previous data breaches.

Successful password spraying attacks on Office 365 tenants can result in the attackers gaining access to the targeted organizations entire resources and employee user accounts. Microsoft believes the attacks are being conducted to provide the Iranian government with tracking data for adversary security services and maritime shipping in the Middle East to enhance its contingency plans. Microsoft suggests commercial satellite imagery and proprietary shipping plans and logs could be sought to help Iran compensate for its developing satellite program.

Microsoft says DEV-0343 has been emulating a Firefox browser and using IP addresses hosted on the Tor network to hide the identity and origin of the access attempts. Dozens to hundreds of accounts are targeted by the group, depending on the size of the targeted company, and each account is enumerated from dozens to thousands of times. “On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” said Microsoft.

These attacks succeed due to poor password practices, such as the reuse of passwords for multiple accounts. When there is a data breach, passwords are uploaded to the password lists used in password spraying attacks. The use of commonly used passwords such as 12345678 makes these attacks much likelier to succeed.

Password generators can be used to generate unique, strong passwords that meet an organization’s required level of complexity. Since remembering multiple complex passwords is difficult, companies should consider using a password management solution. These solutions store passwords securely and only require a user to remember one password to access their vault.

In addition to setting strong passwords, it is important to enable multi-factor authentication on Office 365 accounts. If a password is correctly guessed, access to the account will only be provided if the attacker also provides an additional method of identification, such as a one-time access code sent to the user’s phone. Microsoft says multi-factor authentication blocks in excess of 99.9% of account compromise attempts.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of