
Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense Tech Sectors

Threat hunters at Microsoft are raising the alarm about a new Iran-linked threat actor caught using password-spraying techniques to break into defense technology companies in the United States, Israel and parts of the Middle East.


The Redmond, Wash. software giant on Monday shared technical details on DEV-0343, an emerging Iran-linked activity cluster (Microsoft's DEV- prefix marks a group it tracks but has not yet formally attributed) that has been actively attempting to break into Office 365 accounts since at least July 2021.

“[We have] observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on U.S. and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East,” Redmond said in a report.

Microsoft confirmed that “less than 20” of the targeted Office 365 tenants were successfully compromised in this campaign. No other details were provided on the identity or geographic location of the compromised organizations.


The U.S. government counts Iran, alongside China, Russia and North Korea, among the “Big Four” nation-state adversaries, and the latest Redmond warning corroborates private-sector reporting of increased APT activity tied to the Islamic Republic.

Microsoft said DEV-0343 has been observed targeting defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. 

“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East,” Microsoft noted.


Microsoft’s explanation of the password-spraying technique being used:

DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.

DEV-0343 operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows DEV-0343 to validate active accounts and passwords, and further refine their password spray activity.
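The tradecraft Microsoft describes (many accounts per tenant with a handful of guesses per account from each source, Tor exit IPs, a Firefox user agent, Sunday-Thursday Iran business hours, and the ActiveSync/Autodiscover endpoints) leaves a recognizable shape in sign-in telemetry. The Python below is an added example written for this page, not Microsoft's or SecurityWeek's code: the sign-in events, the Tor exit addresses, the corp.example accounts and the five-account threshold are all constructed or assumed for the demonstration.

```python
"""Added example: flag the password-spray pattern described above in sign-in telemetry.
Every event, IP address and account below is constructed for the demo."""
from collections import defaultdict
from datetime import datetime

# Hypothetical Tor exit addresses (documentation ranges, not a real exit list).
# In production this set would be refreshed from a Tor exit-list feed.
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.23", "203.0.113.40"}

# The two Exchange endpoints the report names; both accept legacy (basic) auth.
LEGACY_PROTOCOLS = {"Exchange ActiveSync", "Autodiscover"}

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
OUTLOOK_UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326; Pro)"

# Constructed sign-in events: (UTC time, account, source IP, user agent, protocol, result).
# 2021-10-03 is a Sunday, and 09:xx UTC is mid-morning Iran Time (UTC+3:30).
SAMPLE_EVENTS = [
    # Tor exit #1 sprays one guess at each of five accounts over ActiveSync.
    ("2021-10-03T09:15:00Z", "alice@corp.example", "198.51.100.7", FIREFOX_UA, "Exchange ActiveSync", "failure"),
    ("2021-10-03T09:15:04Z", "bob@corp.example", "198.51.100.7", FIREFOX_UA, "Exchange ActiveSync", "failure"),
    ("2021-10-03T09:15:09Z", "carol@corp.example", "198.51.100.7", FIREFOX_UA, "Exchange ActiveSync", "failure"),
    ("2021-10-03T09:15:13Z", "dave@corp.example", "198.51.100.7", FIREFOX_UA, "Exchange ActiveSync", "failure"),
    ("2021-10-03T09:15:18Z", "erin@corp.example", "198.51.100.7", FIREFOX_UA, "Exchange ActiveSync", "failure"),
    # Tor exit #2 repeats the spray via Autodiscover and lands one valid password.
    ("2021-10-03T09:31:00Z", "alice@corp.example", "198.51.100.23", FIREFOX_UA, "Autodiscover", "failure"),
    ("2021-10-03T09:31:05Z", "bob@corp.example", "198.51.100.23", FIREFOX_UA, "Autodiscover", "failure"),
    ("2021-10-03T09:31:10Z", "carol@corp.example", "198.51.100.23", FIREFOX_UA, "Autodiscover", "failure"),
    ("2021-10-03T09:31:15Z", "dave@corp.example", "198.51.100.23", FIREFOX_UA, "Autodiscover", "failure"),
    ("2021-10-03T09:31:20Z", "frank@corp.example", "198.51.100.23", FIREFOX_UA, "Autodiscover", "failure"),
    ("2021-10-03T09:40:00Z", "frank@corp.example", "198.51.100.23", FIREFOX_UA, "Autodiscover", "success"),
    # Benign: one user on the corporate egress mistypes twice, then signs in.
    ("2021-10-03T10:02:00Z", "alice@corp.example", "192.0.2.10", OUTLOOK_UA, "Exchange ActiveSync", "failure"),
    ("2021-10-03T10:02:30Z", "alice@corp.example", "192.0.2.10", OUTLOOK_UA, "Exchange ActiveSync", "failure"),
    ("2021-10-03T10:03:00Z", "alice@corp.example", "192.0.2.10", OUTLOOK_UA, "Exchange ActiveSync", "success"),
]


def in_operator_window(ts):
    """True for Sunday-Thursday, 04:00-17:00 UTC (07:30-20:30 Iran Time), per the report."""
    # datetime.weekday(): Monday=0 ... Sunday=6; Friday (4) and Saturday (5) are the Iranian weekend.
    if ts.weekday() in (4, 5):
        return False
    return 4 <= ts.hour < 17


def parse_event(raw):
    """Turn one constructed tuple into a dict with a parsed UTC timestamp."""
    ts, user, ip, ua, proto, result = raw
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "ua": ua, "proto": proto, "result": result}


def detect_spray(raw_events, min_users=5):
    """One finding per source IP whose failures span at least min_users distinct accounts.

    min_users is an assumed tuning value; a spray is many accounts per source,
    so a single account failing repeatedly (brute force or a typo) does not qualify.
    """
    by_ip = defaultdict(list)
    for e in map(parse_event, raw_events):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in sorted(by_ip.items()):
        failed_users = {e["user"] for e in evs if e["result"] == "failure"}
        if len(failed_users) < min_users:
            continue
        indicators = []
        if ip in TOR_EXIT_IPS:
            indicators.append("tor_exit")
        if all("Firefox/" in e["ua"] for e in evs):
            indicators.append("firefox_ua")
        if all(e["proto"] in LEGACY_PROTOCOLS for e in evs):
            indicators.append("legacy_auth_endpoint")
        if all(in_operator_window(e["ts"]) for e in evs):
            indicators.append("iran_working_hours")
        # A success from a spraying source is the account to lock and investigate first.
        compromised = sorted({e["user"] for e in evs if e["result"] == "success"})
        findings.append({"ip": ip, "targeted": len(failed_users),
                         "indicators": indicators, "compromised": compromised})
    return findings


def tenant_summary(findings):
    """Roll per-IP findings up to the tenant; the report says one org sees 150-1,000+ Tor IPs."""
    return {
        "spray_sources": len(findings),
        "tor_sources": sum("tor_exit" in f["indicators"] for f in findings),
        "compromised": sorted({u for f in findings for u in f["compromised"]}),
    }


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(tenant_summary(hits))
```

The per-IP view catches the low-and-slow shape of a single source, while the tenant roll-up is what matters operationally: with attempts spread over hundreds of Tor exits, no single IP may look alarming, but the union of targeted accounts and the list of successes from spraying sources will.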

Microsoft recommends that Office 365 administrators immediately enable and deploy multifactor authentication (MFA) and, where possible, block all incoming traffic from anonymizing services such as Tor. One practical caveat: the Autodiscover and ActiveSync endpoints named above can accept legacy basic authentication, which cannot enforce MFA, so an MFA rollout only closes this spraying path if legacy authentication is blocked as well.

Related: Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyber Attack

Related: NSA’s Rob Joyce Explains ‘Sand and Friction’ Security Strategy 

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Microsoft Office Zero-Day Hit in Targeted Attacks

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
