MSTIC(Microsoft Threat Intelligence Center) has identified that threat actors(DEV-0343) are conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.  Microsoft gives name like DEV-xxx to an unknown threat actor to track it as a unique set of information until they can reach high confidence about the origin or identity of the actor behind the operation

DEV-0343 has been observed targeting two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows the threat actor to validate active accounts and passwords.

Malware Wallpapers - Top Free Malware Backgrounds - WallpaperAccess

DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization” reads the blogpost.

Interestingly Microsoft has observed that the threat actor infrastructure seems to be behind the TOR network due to which there are no static IOC’s identified to incorporate into Security controls.

Microsoft has released the list of patterns to monitor in network and logs for investigating about the behaviours and tactics used by DEV-0343:

  • Extensive inbound traffic from Tor IP addresses for password spray campaigns
  • Emulation of FireFox (most common) or Chrome browsers in password spray campaigns
  • Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
  • Use of enumeration/password spray tool similar to the ‘o365spray’ tool hosted at
  • Use of Autodiscover to validate accounts and passwords

Microsoft also releases the list of recommendation to follow mitigate the threat activity:

The following guidance can mitigate the techniques described in the threat activity:

Finally the report concludes  ,Obtaining access to commercial satellite images as well as private shipping plans and logs might assist Iran in compensating for its growing satellite programme . Given Iran’s past cyber and military attacks against shipping and marine targets, Microsoft believes this action raises the danger for organisation.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s