Microsoft says hackers linked to Iran targeted U.S. and Israeli defense companies

Microsoft logo (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • Microsoft discovered threat actors targeting U.S. and Israeli defense technology companies and global maritime transportation companies.
  • The attack utilized password spraying against more than 250 Office 365 tenants.
  • Microsoft claims that the activity "likely supports the national interests of the Islamic Republic of Iran."

Microsoft released its Digital Defense Report last week. That report focused largely on activities from China, Russia, North Korea, Iran, and other countries. This week, Microsoft issued an advisory on malicious activity that it believes "likely supports the national interests of the Islamic Republic of Iran."

Threat actors focused their efforts on U.S. and Israeli defense technology companies and global maritime transportation companies, according to Microsoft. Attackers utilized password spraying against more than 250 Office 365 tenants. Fewer than 20 of the targeted tenants were compromised by the attack.

Microsoft did not directly implicate the Iranian government in its report. Instead, it stated that the activity likely supports the interests of Iran:

"This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans."

Microsoft first observed the activity and started tracking it in July 2021. Microsoft believes this attack increases the risk to companies in the maritime and shipping sectors. The company points to Iran's past cyber and military attacks against these types of organizations. It adds that "gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program."

A set of recommended defenses is listed in Microsoft's blog post, including enabling multifactor authentication and moving to passwordless solutions, such as Microsoft Authenticator.

John Lambert, head of Microsoft Threat Intelligence Center, told CNN that the goal of releasing the information is to help organizations prepare for follow-up attacks. Lambert explained that threat actors could use information stolen in previous attacks to break into networks.

Sean Endicott

Sean Endicott is the news writer for Windows Central. If it runs Windows, is made by Microsoft, or has anything to do with either, he's on it. Sean's been with Windows Central since 2017 and is also our resident app expert. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

4 Comments
  • I don't mean to be crass; a non-political title would have been better. Secondly, it looks like authentication and passwordless authentication are just window dressing for a political article, which is not the scope of "Windows Central".
  • "Non-political title." Do you consider simply naming countries and national entities as inherently political? And is impartially citing a Microsoft report not within the purview of a site that almost exclusively discusses Microsoft's findings and activities? As much as I love the comments, this sort of rocket-scientist-tier input almost makes me envious of Kinja's system.
  • The title really isn't "political." Secondly, it's also kind of pointless when people try to label something as political or not when things don't exist in vacuums separate from each other. The huge controversy of players kneeling during US football games was one of many examples where people had this pointless argument about politics in sports.
  • Do you think Microsoft's report is not newsworthy to Windows Central, an outlet focused on Microsoft? If not, why not? Do you think it's normal and not noteworthy for countries to be cyber-attacking others? If so, why? Do you not notice how these attacks overwhelmingly come from a handful of authoritarian countries, and target democracies? If you can credibly tell a different story, let us all know.