Iran-linked actors are targeting both U.S. critical infrastructure and Microsoft 365 tenants. For CISOs, that means tenant resilience is now part of operational risk—and hardening M365 can’t wait.
Iran-linked cyber activity in early 2026 shows that Microsoft 365 (M365) should now be treated as part of the broader operational risk surface. Recent OT disruption and M365 credential attacks are best understood as related threat signals, not a single coordinated campaign—but together they reinforce the same conclusion: cloud identity and administrative control planes are resilience concerns.
The reported M365 tradecraft (Tor-based spraying, VPN-based evasion of geo controls, and mailbox access) maps directly to well-known security gaps: weak MFA adoption, legacy authentication, inconsistent Conditional Access, overprivileged administration, and incomplete audit visibility. With CISA operating at reduced capacity, organizations may have less external support and more responsibility for validating their own posture. The priority now is disciplined execution: enforce phishing-resistant MFA, block legacy auth, strengthen Conditional Access, expand logging, reduce standing privilege, and improve recovery readiness across the tenant.
In early April 2026, U.S. federal agencies warned that Iranian-affiliated threat actors were actively disrupting programmable logic controllers across U.S. critical infrastructure. Around the same time, researchers documented a large password-spraying campaign against M365 tenants tied to Iranian threat activity. For CISOs, these events spotlight a strategic shift: adversaries are targeting both operational systems and the cloud identity layer that now underpins administration, communications, recovery, and control. These incidents should be read as concurrent evidence that both OT and cloud management layers are attractive targets – not necessarily as proven components of a single coordinated campaign.
That matters because for many organizations, M365 is now a core part of the management plane. If attackers can compromise Entra ID, Exchange Online, or Intune, they may not need bespoke malware to create real-world disruption. They can abuse the administrative tools the organization already trusts.
On April 7, 2026, the FBI, CISA, NSA, Department of Energy, EPA, and U.S. Cyber Command’s Cyber National Mission Force jointly issued advisory AA26-097A, warning that Iranian-affiliated advanced persistent threat actors had exploited PLCs across U.S. critical infrastructure. The advisory names affected sectors including government services and facilities, water and wastewater systems, and energy.
The advisory says victims experienced operational disruption and financial loss after attackers manipulated project files and data shown on HMI and SCADA systems. It also states that the activity affected Rockwell Automation / Allen-Bradley CompactLogix and Micro850 controller families and had been ongoing since at least March 2026.
The attribution in the advisory is deliberately careful. It refers to “Iranian-affiliated” APT actors and references activity similar to that associated with CyberAv3ngers / Shahid Kaveh Group, a threat actor linked to Iran’s IRGC Cyber Electronic Command. The takeaway is not to overclaim attribution – it is to recognize that the U.S. government is publicly confirming active disruptive operations by Iranian-linked actors inside critical infrastructure.
For CISOs outside OT-heavy sectors, that should still land close to home. The same threat ecosystem is also targeting cloud identity infrastructure.
On March 31, 2026, Check Point Research published details of a three-wave password-spraying campaign targeting M365 environments. The campaign reportedly ran on March 3, March 13, and March 23, hitting more than 300 organizations in Israel and over 25 in the UAE, with more limited targeting in Europe, the U.S., the U.K., and Saudi Arabia.
The industries cited were broad: government, municipalities, energy, healthcare, manufacturing, technology, transportation, aviation, maritime, and satellite. This was not a niche campaign. It was a wide attempt to gain cloud access across strategically important sectors.
The attacks reportedly followed a three-stage sequence:
1. Password spraying against M365 sign-in endpoints, routed through Tor exit nodes.
2. Sign-in with any validated credential from VPN services geolocated inside the target's expected region, so that country-based Conditional Access rules see an ordinary domestic login.
3. Access to the compromised users' mailboxes.
The campaign has been attributed (with moderate confidence) to an Iran-nexus actor, citing similarities to Gray Sandstorm. Microsoft’s own profile of Gray Sandstorm notes the group’s history of password-spraying through Tor infrastructure. Peach Sandstorm (APT33) has also been referenced as a known practitioner of similar techniques.
One detail in the research deserves careful attention. Some correlation has been noted between the cities targeted in the campaign and locations hit by Iranian missile attacks in March. That does not prove direct operational coordination, but it is a strong signal that cloud identity operations may be serving broader geopolitical or military objectives.
The deeper issue is not just credential theft – it is the weaponization of trusted administrative systems. That pattern shows up clearly in a related Iranian-linked attack in March 2026, in which Microsoft Intune was compromised and used to issue remote wipe commands that disrupted operations on a global scale, subsequently confirmed in an SEC 8-K filing. Attackers did not deploy conventional malware. They used the tools that govern users, devices, email, policy, and privilege.
In practical terms, M365, Entra ID, and Intune have become part of that control layer. If they are weakly protected, overprivileged, or poorly monitored, they can amplify both cyber and operational risk. Modern disruption does not always begin with ransomware. Sometimes it begins with access to the management plane.
This threat activity is landing while CISA is operating under significant staffing strain. The February 2026 DHS shutdown furloughed roughly 60% of CISA staff, with Acting Director Nick Andersen warning Congress that risk was accumulating across the system and that the situation was not sustainable.
For enterprises, the message is straightforward. You may receive less federal support, less frequent outreach, and fewer proactive touchpoints than in the past. That puts more weight on internal governance, operational discipline, and tenant-level visibility.
Organizations do not need to solve every M365 control gap at once. The immediate priority is to close the exposures most directly aligned to the observed tradecraft: weak MFA, legacy authentication, weak Conditional Access design, excessive standing privilege, and insufficient sign-in visibility. The exact implementation path will vary by Microsoft licensing level, operating model, and existing identity architecture, but the control priorities themselves are broadly consistent across environments.
Below are six steps to start closing your M365 control gaps immediately:
1. Require phishing-resistant MFA, especially for administrators
CISA’s SCuBA guidance – which sets binding requirements for federal civilian agencies and represents the clearest public articulation of M365 hardening expectations for any organization – requires phishing-resistant MFA for all users, with stricter enforcement for privileged roles.
Password-spraying is still effective when passwords remain a meaningful authentication factor. A guessed password only becomes a foothold if it completes authentication on its own; with MFA enforced (and phishing-resistant MFA for administrators, so a stolen password cannot be paired with a relayed one-time code) a successful guess becomes a detection signal rather than a breach.
2. Eliminate legacy authentication
CISA’s SCuBA baseline explicitly calls for blocking legacy authentication methods such as POP3, IMAP, and SMTP AUTH because they do not support MFA and remain a key exposure point for credential-based attacks.
Many organizations know this already. Fewer have fully completed the work.
3. Strengthen Conditional Access against the attacker’s actual workflow
Basic geo-blocking is not enough. The attackers reportedly sprayed from Tor infrastructure, then signed in through VPN services geolocated inside the expected regions, so a country allow-list sees nothing unusual. Conditional Access review therefore has to look past location: Tor and anonymous proxy traffic need explicit blocking, and location should be paired with signals a VPN exit cannot supply, such as device compliance or sign-in risk. Microsoft documents that Defender for Cloud Apps can help identify risky IP categories, and Tor exit-node blocking is supported via Entra named locations and automation.
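As an added example (not code from this article or from CoreView), the three Conditional Access policies behind steps 1 to 3, created with the Microsoft Graph PowerShell SDK. The break-glass object ID and the Tor CIDR list are placeholders you must replace; the Global Administrator role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are Microsoft's fixed values.

```powershell
# Added example (not from the article or CoreView): Conditional Access policies for steps 1-3.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Placeholders to replace: the break-glass object ID and the Tor CIDR ranges.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'

# Exclude emergency-access accounts from every policy so a mis-scoped rule cannot lock you out.
$breakGlass = @('00000000-0000-0000-0000-00000000beef')   # placeholder object ID

# Microsoft's built-in authentication strength "Phishing-resistant MFA"
# (FIDO2 security keys, Windows Hello for Business, certificate-based authentication).
$phishingResistant = '00000000-0000-0000-0000-000000000004'

# Role template IDs the admin policy covers. Global Administrator shown; extend with the other
# privileged roles (Security, Exchange, Intune and Conditional Access administrators, etc.).
$privilegedRoles = @('62e90394-69f5-4237-9190-012177145e10')

# Every policy starts in report-only so the sign-in log shows what it would have blocked;
# switch state to 'enabled' after reviewing that impact.
$reportOnly = 'enabledForReportingButNotEnforced'

# Step 1: phishing-resistant MFA for privileged roles, every app, every client type.
$adminMfa = @{
    displayName   = 'CA01 - Admins: require phishing-resistant MFA'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeRoles = $privilegedRoles; excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistant } }
}

# Step 2: block legacy authentication. 'exchangeActiveSync' and 'other' are the client app
# types (POP3, IMAP, SMTP AUTH, older Office clients) that cannot complete an MFA challenge.
$blockLegacy = @{
    displayName   = 'CA02 - Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync','other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Step 3: a named location holding Tor exit-node ranges, then a policy that blocks it.
# The CIDRs are placeholders; a scheduled job should refresh the list from an exit-node feed.
$torRanges = @('192.0.2.0/24','198.51.100.0/24') | ForEach-Object {
    @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
}
$torLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Tor exit nodes (auto-maintained)'
    isTrusted     = $false
    ipRanges      = @($torRanges)
}

$blockTor = @{
    displayName   = 'CA03 - Block sign-ins from Tor exit nodes'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @($torLocation.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($adminMfa, $blockLegacy, $blockTor)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0} -> {1} [{2}]' -f $created.DisplayName, $created.Id, $created.State
}
```

Two caveats a practitioner will want. First, the Tor location only catches the spraying stage; the VPN pivot in stage two arrives from an address inside the allowed country, so the policies that actually stop it are the ones that require device compliance or a phishing-resistant credential rather than a location. Second, review the report-only results in the sign-in log before enabling: the legacy-auth block in particular tends to surface forgotten scanners, multifunction printers and service mailboxes that still speak SMTP AUTH or IMAP.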
4. Expand log collection and review sign-in patterns, not just alerts
The SCuBA baseline calls for collecting and routing a broad set of M365 and Entra logs, including AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, and MicrosoftGraphActivityLogs.
Sign-in logs can identify password-spraying behavior—for example, repeated failed logins across many users from a single source. Teams should also be prepared to use these logs for rapid scoping if a spraying attempt succeeds: identifying affected accounts, suspicious sign-in patterns, and recent security-relevant changes.
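The detection and scoping logic described above, as an added example that is not part of the original article. The sign-in records are constructed sample data shaped like the Graph signIn resource (timestamp, user principal name, source IP, client app, status error code); in production the same functions would be fed from Get-MgAuditLogSignIn or the SigninLogs and AADNonInteractiveUserSignInLogs tables, and the addresses, names and the 203.0.113.7 "Tor exit" are placeholders.

```powershell
# Added example (not from the article): password-spray detection over Entra sign-in records,
# followed by scoping of any account the spray opened. Records are constructed sample data.
# status.errorCode 50126 = invalid username or password, 0 = success.
$signIns = @(
    # Spray wave from one Tor exit (placeholder address): one guess per account, wide and shallow.
    @{ t = '2026-03-13T02:00:01Z'; upn = 'a.levi@contoso.example';   ip = '203.0.113.7';   app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T02:00:04Z'; upn = 'b.haddad@contoso.example'; ip = '203.0.113.7';   app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T02:00:09Z'; upn = 'c.mor@contoso.example';    ip = '203.0.113.7';   app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T02:00:13Z'; upn = 'd.sade@contoso.example';   ip = '203.0.113.7';   app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T02:00:18Z'; upn = 'e.katz@contoso.example';   ip = '203.0.113.7';   app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T02:00:22Z'; upn = 'f.arad@contoso.example';   ip = '203.0.113.7';   app = 'Browser'; code = 0     }  # the guess landed
    @{ t = '2026-03-13T02:00:27Z'; upn = 'g.peri@contoso.example';   ip = '203.0.113.7';   app = 'Browser'; code = 50126 }
    # The pivot: the opened account returns from a VPN exit inside the expected country and
    # reads mail over a legacy protocol that never receives an MFA challenge.
    @{ t = '2026-03-13T03:41:10Z'; upn = 'f.arad@contoso.example';   ip = '198.51.100.23'; app = 'IMAP4';   code = 0     }
    # Benign noise: one user mistyping their own password twice from their usual address.
    @{ t = '2026-03-13T08:02:00Z'; upn = 'h.tal@contoso.example';    ip = '192.0.2.44';    app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T08:02:20Z'; upn = 'h.tal@contoso.example';    ip = '192.0.2.44';    app = 'Browser'; code = 50126 }
    @{ t = '2026-03-13T08:02:45Z'; upn = 'h.tal@contoso.example';    ip = '192.0.2.44';    app = 'Browser'; code = 0     }
) | ForEach-Object { [pscustomobject]$_ }

function Find-PasswordSpray {
    # A spray is wide and shallow: many distinct accounts, few attempts each, from one source.
    # Brute force is the inverse (one account, many attempts) and is what lockout already catches.
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]    $MinDistinctUsers   = 5,
        [double] $MaxAttemptsPerUser = 3
    )
    $SignIns |
        Where-Object { $_.code -eq 50126 } |
        Group-Object -Property ip |
        ForEach-Object {
            $users = @($_.Group.upn | Sort-Object -Unique)
            $ratio = $_.Count / $users.Count
            if ($users.Count -ge $MinDistinctUsers -and $ratio -le $MaxAttemptsPerUser) {
                $times = @($_.Group.t | Sort-Object)
                [pscustomobject]@{
                    SourceIp        = $_.Name
                    DistinctUsers   = $users.Count
                    FailedAttempts  = $_.Count
                    AttemptsPerUser = [math]::Round($ratio, 2)
                    FirstSeen       = $times[0]
                    LastSeen        = $times[-1]
                }
            }
        }
}

function Get-SprayImpact {
    # Scoping: accounts that authenticated successfully from a spraying source, plus every later
    # success for those accounts from anywhere else (the VPN pivot into the mailbox).
    param([object[]] $SignIns, [object[]] $Sprays)
    foreach ($s in $Sprays) {
        $opened = $SignIns | Where-Object { $_.ip -eq $s.SourceIp -and $_.code -eq 0 }
        foreach ($o in $opened) {
            $followOn = @($SignIns | Where-Object {
                $_.upn -eq $o.upn -and $_.code -eq 0 -and $_.ip -ne $s.SourceIp -and
                ([datetime]$_.t) -gt ([datetime]$o.t)
            })
            [pscustomobject]@{
                CompromisedUser = $o.upn
                SprayedFrom     = $s.SourceIp
                FirstSuccess    = $o.t
                FollowOnIps     = ($followOn.ip  | Sort-Object -Unique) -join ','
                FollowOnApps    = ($followOn.app | Sort-Object -Unique) -join ','
            }
        }
    }
}

$sprays = Find-PasswordSpray -SignIns $signIns
$sprays | Format-Table -AutoSize
Get-SprayImpact -SignIns $signIns -Sprays $sprays | Format-Table -AutoSize
```

On the sample data the first function flags 203.0.113.7 (six accounts, one attempt each) and ignores 192.0.2.44 (one account, two attempts), and the second reports f.arad as opened from the spray source with a follow-on IMAP4 success from 198.51.100.23. Two design points: the thresholds are deliberately low so low-and-slow sprays (a few accounts per source per hour, rotated across many Tor exits) still surface, and the scoping step is the part teams most often lack, because a successful spray is only visible as a success among failures, not as an alert of its own.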
5. Tighten privileged access and app governance
CISA’s guidance requires highly privileged accounts to be cloud-only and to avoid standing access through permanent role assignments. Instead, organizations should use Privileged Identity Management with time-limited activation. The same guidance states that only administrators should be allowed to register applications, and that high-risk users or sign-ins should be blocked through Entra ID Protection integrated with Conditional Access.
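The four step 5 controls as an added example (not code from the article or from CoreView) through the Microsoft Graph PowerShell SDK: inventory of standing Global Administrator holders with a cloud-only check, conversion of one of them to a PIM-eligible assignment, restriction of app registration to administrators, and risk-based blocking in Conditional Access. The admin UPN and the break-glass object ID are placeholders; PIM and ID Protection assume Microsoft Entra ID P2 licensing.

```powershell
# Added example (not from the article): step 5 controls via Graph PowerShell.
# Requires Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Users. Placeholders: the admin UPN and the break-glass object ID.
$scopes = @(
    'RoleManagement.Read.Directory', 'RoleEligibilitySchedule.ReadWrite.Directory',
    'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConditionalAccess',
    'Policy.Read.All', 'Application.Read.All', 'User.Read.All'
)
Connect-MgGraph -Scopes $scopes

$gaRoleId   = '62e90394-69f5-4237-9190-012177145e10'    # Global Administrator template ID
$breakGlass = @('00000000-0000-0000-0000-00000000beef')  # placeholder object ID

# 5a. Inventory: who holds Global Administrator as an active assignment, and are they cloud-only?
# PIM activations also appear here while active, so compare against the eligibility list.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$gaRoleId'" | ForEach-Object {
    $u = Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName,OnPremisesSyncEnabled -ErrorAction SilentlyContinue
    if ($u) {
        [pscustomobject]@{
            User      = $u.UserPrincipalName
            CloudOnly = -not $u.OnPremisesSyncEnabled   # an AD-synced admin inherits any on-prem compromise
        }
    }
}

# 5b. Replace a standing assignment with PIM eligibility: the role exists only when activated,
# activation is time-boxed by the role's PIM policy, and the eligibility itself expires.
$admin = Get-MgUser -UserId 'admin-cloudonly@contoso.example'   # placeholder UPN
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Move standing Global Administrator to PIM eligibility'
    principalId      = $admin.Id
    roleDefinitionId = $gaRoleId
    directoryScopeId = '/'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }   # forces periodic re-certification
    }
}
# Once the eligibility is visible, delete the permanent assignment found in 5a:
# Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId <id>

# 5c. Only administrators may register applications, closing a common consent-abuse and
# persistence path for an attacker holding an ordinary user's session.
Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' -Body @{
    defaultUserRolePermissions = @{ allowedToCreateApps = $false }
}

# 5d. Block high-risk users and high-risk sign-ins through Conditional Access.
# Two policies, because conditions inside one policy are ANDed and either signal alone should block.
$riskPolicies = @(
    @{ displayName = 'CA10 - Block high user risk';    conditions = @{ userRiskLevels   = @('high') } }
    @{ displayName = 'CA11 - Block high sign-in risk'; conditions = @{ signInRiskLevels = @('high') } }
)
foreach ($p in $riskPolicies) {
    $p.state = 'enabledForReportingButNotEnforced'   # report-only first, then 'enabled'
    $p.conditions.users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
    $p.conditions.applications   = @{ includeApplications = @('All') }
    $p.conditions.clientAppTypes = @('all')
    $p.grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, Id, State
}
```

The order matters: create the eligibility, confirm the administrator can activate it, and only then remove the standing assignment, keeping the break-glass account outside both PIM and the risk policies so a misfire in ID Protection cannot lock every administrator out at once.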
6. Close common but still dangerous gaps
Several practical controls are often left half-finished: Microsoft Entra Password Protection with custom banned passwords, disabling SMTP AUTH, configuring DMARC with enforcement, enabling Safe Links and Safe Attachments, and blocking external auto-forwarding.
None of these are glamorous. All of them still matter.
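The mail-side controls from step 6 as an added example in Exchange Online PowerShell (not code from the article or from CoreView). It disables SMTP AUTH at the tenant and finds mailboxes that silently override that setting, turns off automatic external forwarding at both the outbound spam policy and the remote-domain layer, and checks that DMARC is actually at enforcement for every accepted domain. Safe Links, Safe Attachments and Entra Password Protection are configured through separate cmdlets and the Entra portal and are not shown.

```powershell
# Added example (not from the article): step 6 mail hygiene in Exchange Online PowerShell.
# Requires: Install-Module ExchangeOnlineManagement. Resolve-DnsName needs the Windows DnsClient module.
Connect-ExchangeOnline

# Disable SMTP AUTH tenant-wide. Clients that never reach Entra ID policy evaluation are not
# stopped by a Conditional Access legacy-auth block, so this switch has to be set here too.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Per-mailbox settings override the tenant setting: $false means SMTP AUTH was explicitly re-enabled.
# $null means the mailbox inherits the tenant value, which is the state you want.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
# To clear an override so the mailbox inherits the tenant setting:
# Set-CASMailbox -Identity <mailbox> -SmtpClientAuthenticationDisabled $null

# Block automatic external forwarding where attackers create it (inbox rules and mailbox
# forwarding, governed by the outbound spam policy) and at the transport layer.
# Custom outbound spam policies take precedence over Default, so check those as well.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# DMARC with p=none is monitoring, not enforcement: spoofed mail is still delivered.
function Test-DmarcEnforced {
    param([Parameter(Mandatory)] [string] $Domain)
    $record = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' } |
        Select-Object -First 1
    $policy = if ($record -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{
        Domain   = $Domain
        Policy   = $policy
        Enforced = ($policy -in @('quarantine','reject'))
    }
}
Get-AcceptedDomain | ForEach-Object { Test-DmarcEnforced -Domain $_.DomainName }
```

Run the DMARC check against every accepted domain, including the onmicrosoft.com one, and treat a `Policy` of `none` or `missing` as an open item: the record exists, but it does not yet protect the domain.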
The challenge for large and mid-sized organizations is rarely awareness—most security leaders already know the control list. The harder problem is keeping those controls consistently enforced across a live M365 environment where changes are constant, admin responsibilities are distributed, exceptions accumulate, and audit confidence is often uneven. That is where CoreView becomes relevant.
CoreView helps organizations build M365 Tenant Resilience by giving security and IT leaders a more operational way to manage the parts of M365 that attackers increasingly target: configuration changes, identity settings, privileged role exposure, and delegated administration scope.
First, it helps teams assess tenant security posture against policy baselines at scale. Posture has to be measurable and repeatable – not dependent on ad hoc script checks or scattered admin reviews.
Second, it surfaces configuration drift and risky changes across M365. Hardening is not a one-time project. In an environment where policies, permissions, and settings can change quickly, knowing what changed, whether it was expected, and whether it introduced exposure is an ongoing operational requirement.
Third, CoreView supports tenant-level backup and rewind of configuration state – directly relevant to management-plane attack scenarios. If an attacker, insider, or admin mistake alters critical configuration, recovery cannot depend on reconstructing settings from memory or fragmented logs. Fast restoration of known-good tenant state is a resilience capability, not a nice-to-have.
Fourth, granular delegated administration and virtual tenant segmentation help reduce blast radius. Enforcing least privilege in a way that matches how the business actually operates is one of the hardest problems in M365. Better scoping means a single compromised admin account does less damage.
Finally, CoreView helps operationalize these controls across complex, multi-tenant, and hybrid environments – increasingly important for organizations managing acquisitions, regional variance, or layered admin models. Security controls are only as strong as their consistency.
None of that changes the underlying CISA guidance. What it changes is an organization’s ability to enforce those recommendations continuously, verify them, and recover if something slips or is deliberately changed.
The most important shift here is conceptual. M365 should no longer be treated as a peripheral IT system when threat actors are targeting the control layers that govern access, communications, and administrative action.
Iran-linked activity in 2026 is a reminder that cloud identity and management infrastructure now sit much closer to operational risk than many organizations still assume. If attackers are pursuing both infrastructure disruption and M365 access in parallel, CISOs should evaluate those exposures as part of the same resilience problem.
The controls required are not new or exotic. What has changed is the cost of deferring them. In an environment where adversaries are actively exploiting both industrial systems and cloud identity infrastructure, the gap between knowing what to do and having done it is where organizations can reduce risk. It is imperative to close that gap immediately.