Gray Sandstorm

Gray Sandstorm is a Microsoft-designated Iran-attributed nation-state threat actor. The provided content links Gray Sandstorm to Iranian activity and notes that Microsoft uses the Sandstorm family name for Iran-attributed nation-state actors. According to the content, Gray Sandstorm is known to use password spraying to gain initial access to Microsoft 365 environments and steal sensitive information. Check Point reported a March 2026 campaign targeting Microsoft 365 environments, primarily affecting more than 300 organizations in Israel and over 25 in the U.A.E., with limited additional targeting in Europe, the United States, the United Kingdom, Saudi Arabia, and elsewhere. Targeted sectors included government entities, municipalities, technology, transportation and logistics, energy, healthcare, manufacturing, and private-sector organizations. The campaign occurred in three waves on March 3, March 13, and March 23, 2026, and involved aggressive scanning or password spraying from frequently changing Tor exit nodes, use of an Internet Explorer 10 user-agent string during spraying, subsequent login activity using VPN infrastructure including nodes geolocated in Israel, and exfiltration of sensitive data such as mailbox content and personal email communications. The content states that analysis of Microsoft 365 logs suggested similarities to Gray Sandstorm, including the use of red-team tools via Tor exit nodes. The actor activity was also associated in the reporting with commercial VPN infrastructure hosted at AS35758 linked to recent Iran-nexus operations in the Middle East. No additional aliases or sub-groups for Gray Sandstorm are directly provided in the content beyond the name gray_sandstorm.