Iran-linked threat actors are targeting the Office 365 tenants of US and Israeli defense technology companies in large-scale password spraying operations.
In a password spray the attacker tries a small set of likely passwords against a large number of accounts at once, rather than many passwords against a single account, and spreads the attempts across many source IP addresses so that the failures are thinly distributed.
Because account lockout and malicious-IP blocking both react to a high number of failed attempts from a single account or a single address, keeping each account and each IP below those thresholds lets the attacker slip past both controls.
Researchers at Microsoft Digital Security Unit (DSU) and Microsoft Threat Intelligence Center (MSTIC) have been tracking the activity cluster since late July and have given it the temporary name DEV-0343.
Microsoft assesses that this ongoing activity supports Iranian national interests, since its tradecraft and targeting resemble those of another Iran-linked threat actor.
Pattern-of-life analysis and substantial overlap in sectoral and geographic targeting with other Iranian hacking groups also tie DEV-0343 to Iran.
Microsoft says the DEV-0343 activity has targeted defense companies that support US, EU and Israeli government partners and produce military-grade radar, satellite systems, drone technology and emergency response communication systems.
The likely objective of the DEV-0343 operators is access to commercial satellite imagery and proprietary shipping plans and logs, which could help compensate for Iran's still-developing satellite program.
Microsoft has notified targeted or compromised customers directly and given them the information needed to secure their accounts.
According to Microsoft, fewer than 20 of the targeted tenants have been compromised since the attacks began, and Office 365 accounts with multifactor authentication (MFA) enabled have proven resilient to DEV-0343's password spray attempts.
DEV-0343 uses an enumeration/password spray tool to confirm which accounts are active and then refine its attacks, most commonly against the Autodiscover and ActiveSync Exchange endpoints. Both endpoints typically accept legacy (basic) authentication, which does not prompt for MFA unless legacy authentication is explicitly blocked for the tenant, so they are the natural place to spray.
Microsoft further notes that, depending on the organization's size, the operators generally target dozens to hundreds of accounts and attempt each account dozens to thousands of times. In the attacks against each organization, an average of between 150 and 1,000 distinct Tor proxy IP addresses are used.
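The shape described above (many accounts, a few tries each, rotated across a large pool of proxy exit IPs, aimed at the ActiveSync and Autodiscover endpoints) is exactly what a per-account lockout policy cannot see, and exactly what a tenant-wide view of failed sign-ins can. The following is an added example, not code from the article or from Microsoft: it builds a constructed spray sample and a constructed single-account brute force, shows that a classic lockout rule fires only on the latter, and classifies the spray from tenant-wide aggregates. The `SignIn` record schema, the `client_app` values and the thresholds are assumptions for illustration, not the Azure AD or Office 365 sign-in log format.

```python
"""Added example (not from the article): spray vs. brute-force detection over
constructed sign-in records, and why per-account lockout misses a spray."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import random


@dataclass(frozen=True)
class SignIn:
    """Assumed minimal sign-in record (not the real Azure AD schema)."""
    ts: datetime
    user: str
    src_ip: str
    client_app: str  # assumed values: "Exchange ActiveSync", "Autodiscover", "Browser"
    success: bool


# Endpoints the article names as the spray targets (legacy auth, no MFA prompt).
LEGACY_APPS = {"Exchange ActiveSync", "Autodiscover"}
T0 = datetime(2021, 10, 11, 9, 0, 0)  # arbitrary constructed start time


def lockout_victims(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts a classic per-account lockout would lock: at least `threshold`
    failures for the SAME user inside any `window`-long sliding interval."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_user.setdefault(e.user, []).append(e.ts)
    locked = set()
    for user, times in by_user.items():  # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return locked


def spray_stats(events):
    """Tenant-wide aggregates over failed sign-ins (None if there were none)."""
    failed = [e for e in events if not e.success]
    if not failed:
        return None
    users = Counter(e.user for e in failed)
    ips = Counter(e.src_ip for e in failed)
    return {
        "failed": len(failed),
        "accounts": len(users),
        "source_ips": len(ips),
        "max_per_account": max(users.values()),
        "mean_per_account": len(failed) / len(users),
        "legacy_share": sum(e.client_app in LEGACY_APPS for e in failed) / len(failed),
    }


def classify(events, min_accounts=20, max_mean_per_account=3.0, min_ips=10):
    """Spray = many distinct accounts, few tries each, many source IPs.
    Brute force = one or a few accounts hammered many times. Thresholds are
    assumed starting points; tune them to the tenant's normal failure rate."""
    s = spray_stats(events)
    if s is None:
        return "quiet"
    if (s["accounts"] >= min_accounts and s["mean_per_account"] <= max_mean_per_account
            and s["source_ips"] >= min_ips):
        return "password_spray"
    if s["accounts"] <= 3 and s["max_per_account"] >= 10:
        return "brute_force"
    return "normal"


def constructed_spray(n_accounts=60, tries_each=2, n_ips=40, seed=1):
    """Constructed sample matching the article's pattern: dozens of accounts,
    a couple of passwords each, rotated over a pool of proxy IPs, hitting the
    legacy Exchange endpoints. IPs come from the TEST-NET-2 documentation range."""
    rng = random.Random(seed)
    ips = [f"198.51.100.{i}" for i in range(1, n_ips + 1)]
    return [
        SignIn(ts=T0 + timedelta(seconds=rng.randint(0, 3600)),
               user=f"user{a:03d}@example.com", src_ip=rng.choice(ips),
               client_app=rng.choice(sorted(LEGACY_APPS)), success=False)
        for a in range(n_accounts) for _ in range(tries_each)
    ]


def constructed_brute_force(attempts=50):
    """Constructed sample of the case lockout was designed for: one account,
    one source IP, one attempt every ten seconds."""
    return [SignIn(ts=T0 + timedelta(seconds=10 * i), user="ceo@example.com",
                   src_ip="203.0.113.7", client_app="Browser", success=False)
            for i in range(attempts)]


if __name__ == "__main__":
    for name, sample in (("spray", constructed_spray()), ("brute force", constructed_brute_force())):
        print(name, classify(sample), spray_stats(sample), "locked:", lockout_victims(sample))
```

The lockout rule sees at most two failures per account in the spray and locks nobody, while the tenant-wide aggregates show sixty failing accounts across dozens of addresses with every attempt on a legacy endpoint. In practice the `legacy_share` figure is the cheapest signal to act on: blocking legacy authentication for the tenant removes the endpoints the article says DEV-0343 sprays, and leaves MFA in the path for everything else.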