What you need to know
- Microsoft discovered threat actors targeting U.S. and Israeli defense technology companies and global maritime transportation companies.
- The attack utilized password spraying against more than 250 Office 365 tenants.
- Microsoft claims that the activity "likely supports the national interests of the Islamic Republic of Iran."
Microsoft released its Digital Defense Report last week. That report focused largely on activities from China, Russia, North Korea, Iran, and other countries. This week, Microsoft issued an advisory on malicious activity that it believes "likely supports the national interests of the Islamic Republic of Iran."
Threat actors focused their efforts on U.S. and Israeli defense technology companies and global maritime transportation companies, according to Microsoft. Attackers utilized password spraying against more than 250 Office 365 tenants. Less than 20 of the targeted tenants were compromised by the attack.
Microsoft did not directly implicate the Iranian government in its report. Instead, it stated that the activity likely supports the interests of Iran:
This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans.
Microsoft first observed the activity and started tracking it in July 2021. Microsoft believes this attack increases the risk of companies in the maritime and shipping sectors. The company points towards Iran's past cyber and military attacks against these types of organizations. It adds that "gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program."
A set of recommended defenses is listed in Microsoft's blog post, including enabling multifactor authentication and moving to passwordless solutions, such as Microsoft Authenticator.
John Lambert, head of Microsoft Threat Intelligence Center, told CNN that the goal of releasing the information is to help organizations prepare for follow-up attacks. Lambert explained that threat actors could use information stolen in previous attacks to break into networks.
