A previously unknown attack group, likely linked to the Iranian government, has carried out a large-scale password spray campaign against Office 365 tenants, targeting defense industry companies in the United States and Israel, as well as a number of shipping and transport companies in the Persian Gulf.
Microsoft identified the group, which it calls DEV-0343, in July, and its researchers said the O365 campaign targeted more than 250 tenants, fewer than 20 of which were actually compromised. The campaign uses a large number of IP addresses on the Tor network, and the attackers typically emulate the Mozilla Firefox browser while performing the password spray. Among the companies targeted are ones that produce military radar systems, drones, satellite systems and emergency response systems.
“Other activity targeted customers in Geographic Information Systems (GIS), spatial analysis, regional ports of entry in the Persian Gulf and several shipping and freight companies focused on the Middle East,” Microsoft researchers said in their analysis of the campaign.
The group is new, hence Microsoft’s DEV designation, which it uses for emerging activity clusters it has not yet conclusively identified. But the targeting and behavioral patterns have led the researchers to conclude that the group is acting in support of Iranian government interests.
“This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran,” the researchers said.
“Microsoft believes this targeting supports the Iranian government’s monitoring of adversary security services and shipping in the Middle East to improve their contingency plans. Access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these industries, and we encourage our customers in these industries and geographies to review the information shared in this blog to defend themselves against this threat.”
As part of the campaign, DEV-0343 actors target dozens to hundreds of O365 accounts in a given organization and typically hit the Exchange Autodiscover and ActiveSync endpoints, which, where legacy authentication is still enabled, accept a username and password without an interactive MFA challenge. Attack activity typically peaks between 4 a.m. and 11 a.m. UTC, Microsoft said, and O365 accounts with multi-factor authentication enabled were not compromised by the password sprays.
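The pattern described above and earlier in the article (one source touching many accounts with only one or two attempts each, aimed at legacy Exchange endpoints, a Firefox user agent, and a later successful logon from the same source) is what a defender would hunt for in tenant sign-in logs. The following is an added example written for this page, not Microsoft's or the article's code: it runs a sliding-window spray detector over a constructed sample of sign-in records. The record field names, the legacy client-app labels, the threshold of five distinct accounts per hour and every log line are assumptions; the IP addresses are RFC 5737 documentation addresses standing in for a Tor exit and a staff workstation.

```python
"""Password-spray detection over sign-in records (added example, not Microsoft's or the article's code)."""
from collections import defaultdict
from datetime import datetime

# Client-app labels treated as legacy/basic-auth endpoints. The names are assumptions in this
# example; these are the endpoints a spray lands on when a tenant has not blocked legacy auth.
LEGACY_APPS = {"Autodiscover", "Exchange ActiveSync", "IMAP4", "POP3", "SMTP"}

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"


def _rec(time, user, ip, ua, client_app, status):
    return {"time": time, "user": user, "ip": ip, "ua": ua, "client_app": client_app, "status": status}


# Constructed sample log in a simplified sign-in-log shape (field names assumed, not Azure AD's schema).
# 203.0.113.7 plays the spraying Tor exit, 198.51.100.20 an ordinary staff address.
SAMPLE_LOG = [
    _rec("2021-07-12T04:12:03Z", "a.ahmed@example.com",   "203.0.113.7", FIREFOX_UA, "Autodiscover",        "Failure"),
    _rec("2021-07-12T04:12:09Z", "b.cohen@example.com",   "203.0.113.7", FIREFOX_UA, "Autodiscover",        "Failure"),
    _rec("2021-07-12T04:12:15Z", "c.diaz@example.com",    "203.0.113.7", FIREFOX_UA, "Exchange ActiveSync", "Failure"),
    _rec("2021-07-12T04:12:21Z", "d.evans@example.com",   "203.0.113.7", FIREFOX_UA, "Exchange ActiveSync", "Failure"),
    _rec("2021-07-12T04:12:27Z", "e.fischer@example.com", "203.0.113.7", FIREFOX_UA, "Autodiscover",        "Failure"),
    _rec("2021-07-12T04:12:33Z", "f.garcia@example.com",  "203.0.113.7", FIREFOX_UA, "Autodiscover",        "Failure"),
    # second pass with a new candidate password; one account without MFA falls
    _rec("2021-07-12T05:40:02Z", "a.ahmed@example.com",   "203.0.113.7", FIREFOX_UA, "Exchange ActiveSync", "Failure"),
    _rec("2021-07-12T05:40:08Z", "c.diaz@example.com",    "203.0.113.7", FIREFOX_UA, "Exchange ActiveSync", "Success"),
    # a real user mistyping once from an office address
    _rec("2021-07-12T08:01:44Z", "alice@example.com", "198.51.100.20", "Outlook/16.0", "Mobile Apps and Desktop clients", "Failure"),
    _rec("2021-07-12T08:02:10Z", "alice@example.com", "198.51.100.20", "Outlook/16.0", "Mobile Apps and Desktop clients", "Success"),
]


def parse_time(stamp):
    """ISO-8601 with trailing Z -> aware datetime (older fromisoformat rejects a bare 'Z')."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_sprays(records, min_users=5, window_seconds=3600):
    """One finding per source IP whose failed sign-ins touch >= min_users distinct accounts
    inside any window_seconds span. A spray differs from brute force by spreading few
    attempts over many accounts, so attempts_per_user near 1 is the tell. Any success from
    that IP after the spray began is reported as a possible compromise."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((parse_time(r["time"]), r))

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        failures = [(t, r) for t, r in events if r["status"] == "Failure"]
        best_users, window_start, lo = set(), None, 0
        for hi, (t, _) in enumerate(failures):          # sliding window over failures
            while (t - failures[lo][0]).total_seconds() > window_seconds:
                lo += 1
            users = {r["user"] for _, r in failures[lo:hi + 1]}
            if len(users) > len(best_users):
                best_users, window_start = users, failures[lo][0]
        if len(best_users) < min_users:
            continue
        spray_fail = [(t, r) for t, r in failures if t >= window_start]
        findings.append({
            "ip": ip,
            "distinct_users": len(best_users),
            "attempts_per_user": round(len(spray_fail) / len({r["user"] for _, r in spray_fail}), 2),
            "legacy_endpoints": sorted({r["client_app"] for _, r in spray_fail} & LEGACY_APPS),
            "user_agents": sorted({r["ua"] for _, r in spray_fail}),
            "hours_utc": sorted({t.hour for t, _ in spray_fail}),
            "compromised": sorted({r["user"] for t, r in events
                                   if r["status"] == "Success" and t >= window_start}),
        })
    return findings


if __name__ == "__main__":
    for f in detect_sprays(SAMPLE_LOG):
        print(f)
```

On the sample, only 203.0.113.7 is flagged: six accounts in one hour at about 1.2 attempts each, all against Autodiscover and ActiveSync, active in the 04:00 and 05:00 UTC hours, with c.diaz listed as compromised by the later success; alice's single typo from 198.51.100.20 is not. In a real tenant the hours_utc field is what you would compare against the 4 a.m. to 11 a.m. UTC peak reported above, and the compromised list is the set of accounts to reset and review for mailbox rule or consent changes. Blocking legacy authentication removes the endpoints the spray relies on; enabling MFA, as the article notes, is what kept compromised-credential attempts from succeeding.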