A new threat group, DEV-0343, has been attributed to Iranian intelligence by the Microsoft Threat Intelligence Center (MSTIC). The group has been conducting password spraying attacks against US, European, and Israeli defense companies. It is most active between 7:30am and 8:30pm Iran time (UTC+3:30), or equivalently 04:00 to 17:00 UTC. The group targets the Exchange Autodiscover and ActiveSync endpoints to validate passwords and enumerate accounts. Unfortunately there are few indicators of attack (IOA) for this activity, because the group routes its traffic through Tor to disguise its origin; however, a large volume of inbound Tor traffic to these endpoints is itself a significant IOA. From the evidence collected, MSTIC researchers infer that DEV-0343 uses a tool similar to o365spray. More details about that tool can be found here: https://github.com/0xZDH/o365spray.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in