Microsoft: Iranian hackers hit Office 365 accounts with ‘password spraying’

Microsoft has recently revealed that a group of Iranian hackers has been attacking Office 365 accounts of various organizations and individuals using a technique called “password spraying.” Password spraying is a type of brute-force attack that involves trying common passwords with multiple usernames in the hope of finding a match.

Unlike traditional brute-force attacks that test many passwords against one username, password spraying is less likely to result in account lockouts or security alerts.

According to Microsoft, Iranian hackers, nicknamed Phosphorus, have been conducting password spraying campaigns since September 2020, targeting accounts of government agencies, think tanks, journalists, activists, academics and other prominent figures.

The hackers have also used other methods to compromise accounts, such as phishing emails, credential theft and malware. Microsoft estimates that Phosphorus has attempted to access the accounts of about 25,000 people in 76 countries over the past year.

Microsoft alerted affected customers and provided guidance on how to protect their accounts. The company also recommended some best practices to prevent password spraying attacks, such as enabling multi-factor authentication (MFA), using strong and unique passwords, and monitoring login activity. Microsoft has also urged customers to report any suspicious or malicious activity to its security team.

Password spraying is not a new threat, but it is becoming more prevalent and sophisticated as hackers take advantage of the increased use of cloud services and remote work due to the COVID-19 pandemic. Organizations and individuals should be aware of the risks and take proactive steps to protect their online accounts and data.

Microsoft has issued an alert about a group of hackers, possibly affiliated with Iran, who have attempted to compromise Office 365 accounts by guessing passwords.

The hacks have targeted U.S., EU and Israeli defense companies working on “military-grade radar, drone technology, satellite systems and emergency response communications systems,” the company said in a blog post Monday.

Microsoft said the hacking group has been conducting these “password-spraying” attacks against 250 Office 365 “tenants.” A tenant includes all of an organization’s resources, such as user accounts, that are hosted on a Microsoft cloud service.

A blog post about the Iranian hacking group DEV-0343 and its activities.

Microsoft has recently revealed that a hacking group linked to Iran has been attacking satellite imagery and maritime shipping companies in the Middle East. The group, which Microsoft calls DEV-0343, has been using password-spraying attacks to compromise employee email accounts and gain access to sensitive information.

Password spraying attacks are a type of brute-force attack that involves trying common passwords on a large number of email addresses. Attackers typically avoid triggering account lockouts by spreading the attempts over time and across different IP addresses. Microsoft says DEV-0343 has been using this technique since at least July 2020 and has targeted organizations in the U.S., the U.K., Germany, India and the United Arab Emirates.

According to Microsoft, DEV-0343’s primary objective is to support the Iranian government’s interests in the region, especially in the maritime domain. The group has been interested in obtaining commercial satellite imagery and proprietary shipping data that could help Iran monitor adversaries and plan contingencies. Microsoft notes that Iran has a developing satellite program that faces challenges such as U.S. sanctions and launch failures.

Microsoft warns that DEV-0343 is likely to continue its password spraying attacks and advises its customers to take preventative measures, such as enabling multi-factor authentication, using strong and unique passwords, and monitoring suspicious login attempts. Microsoft also offers threat protection services that can help detect and respond to such attacks.
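One way to monitor sign-in logs for the pattern described above, where attempts are spread over time and source IPs so that no single account reaches a lockout. This is an added example, not Microsoft's detection logic; the event layout, thresholds, accounts and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5        # assumed per-account lockout policy
WINDOW = timedelta(hours=1)  # assumed fixed analysis window
MIN_ACCOUNTS = 10            # assumed: distinct failing accounts needed to alert
MAX_PER_ACCOUNT = 2          # assumed: a spray keeps per-account failures this low

def sample_events():
    """Constructed sign-in events: (timestamp, source IP, account, succeeded)."""
    t0 = datetime(2021, 1, 1, 9, 0)
    # Spray: 12 accounts, one failure each, rotated over 4 source IPs
    events = [(t0 + timedelta(minutes=4 * i), f"203.0.113.{i % 4 + 1}",
               f"user{i:02d}@example.com", False) for i in range(12)]
    # Ordinary user: three mistyped passwords, then a successful sign-in
    events += [(t0 + timedelta(minutes=i), "198.51.100.7", "alice@example.com", False)
               for i in range(3)]
    events.append((t0 + timedelta(minutes=3), "198.51.100.7", "alice@example.com", True))
    return events

def locked_out_accounts(events):
    """Per-account view: the only thing a lockout counter would notice."""
    fails = defaultdict(int)
    for _, _, account, ok in events:
        if not ok:
            fails[account] += 1
    return sorted(a for a, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def spray_windows(events):
    """Tenant-wide view: many accounts each failing a little, whatever the source IP."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, ip, account, ok in events:
        if not ok:
            start = datetime.min + ((ts - datetime.min) // WINDOW) * WINDOW
            buckets[start][account].append(ip)
    alerts = []
    for start, per_account in sorted(buckets.items()):
        low = {a: s for a, s in per_account.items() if len(s) <= MAX_PER_ACCOUNT}
        if len(low) >= MIN_ACCOUNTS:
            src = {ip for s in low.values() for ip in s}
            alerts.append({"window": start, "accounts": len(low), "source_ips": len(src)})
    return alerts

if __name__ == "__main__":
    print("lockouts:", locked_out_accounts(sample_events()))
    print("spray alerts:", spray_windows(sample_events()))
```

Fixed windows can split a slow spray across two buckets, so in practice the window length and thresholds need tuning against the tenant's normal failure rate.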