Skip to content

Iran-linked threat actors using password-spraying against US defense and tech companies

Posted by: GuidePoint Security

2 min read

Published 10/20/21, 9:00am

According to researchers at Microsoft, Iran-linked threat actors are targeting US defense and tech companies in a large-scale password spraying attack. 

Password-spraying is a type of brute-force hacking using the same password across multiple accounts simultaneously to avoid account lockouts and malicious IP blocking that normally occur when brute force is used with many passwords on a single account. 

Researchers at Microsoft have been tracking the threat since late July, naming it DEV-0343. More than 250 Office 365 tenants (organizations using Office 365) have been targeted, with an estimated 20 successful compromises. Microsoft experts warn, however, that the DEV-0343 threat actors are continuing to refine their attacks. Targets include defense companies developing military-grade radars, drone technology, satellite systems, and emergency response communication systems located in the United States, the European Union, and Israel. Additional threat activity is focused on businesses operating in geographic information systems (GIS), spatial analytics, ports of entry in the Persian Gulf, and maritime and cargo companies with a focus in the Middle East.

Microsoft believes this threat activity is happening to support the national interests of the government of Iran to gain “access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.” 

Attacks are most active between Sunday and Thursday from 7:30 am to 8:30 pm, Iran time. Up to several hundred accounts within an Office 365 tenant are targeted during each attack, with password-spraying occurring up to several thousand times.

Observed behaviors include:

  • Extensive inbound traffic from TOR IP addresses
  • Emulation of Firefox or Chrome browsers
  • Enumeration of Exchange ActiveSync or Autodiscover endpoints
  • Use of Autodiscover to validate accounts and passwords

Next Steps

Experts advise that enabling multifactor authentication is the number one thing organizations can do to avoid becoming victims of password-spraying attacks. Additional protective measures include reviewing and enforcing Exchange Online access policies and blocking all incoming traffic from anonymizing services where possible. More information on this threat can be found on the Microsoft advisory.

Categories: Blog Cybersecurity

GuidePoint Security

The Brick House – Zero Trust
As more and more headline-making threats come from otherwise trusted sources, conversations naturally turn to questions like “Who should we actually trust?” The answer–according to Zero Trust principles–is inherently no one. Watch our candid conversation with Gary and our team of other security practitioners on the threats brought about by Zero Trust.
Watch Now

Related Articles

View All

  • Cloud Security
The Brick House – Zero Trust
Read More < 1 min read
  • Identity & Access Management
Delivering Business Value Through a Well-Governed Digital Identity Program
Read More < 1 min read
  • Blog
Never Trust, Always Verify – The New Identity and Access Management Paradigm
Posted by: GuidePoint Security
Read More 3 min read