{
	"id": "fc189f30-636e-441d-9b2b-050de2a12bcb",
	"created_at": "2026-04-06T00:11:04.848375Z",
	"updated_at": "2026-04-10T03:26:22.059737Z",
	"deleted_at": null,
	"sha1_hash": "697647b360281512e1332cf5fef7d8c9a3b08c99",
	"title": "Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72323,
	"plain_text": "Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors | Microsoft Security Blog\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Threat Intelligence\r\nPublished: 2021-10-11 · Archived: 2026-04-05 13:33:54 UTC\r\nDEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, and global maritime transportation companies with a business presence in the Middle East. Fewer than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve its techniques to refine its attacks. MSTIC noted that Office 365 accounts with multifactor authentication (MFA) enabled are resilient against password sprays.\r\nMicrosoft uses DEV-#### designations as temporary names for unknown, emerging, or developing clusters of threat activity, allowing MSTIC to track each cluster as a unique set of information until it can reach high confidence about the origin or identity of the actor behind the operation. Once it meets the criteria, a DEV is converted to a named actor. As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts.\r\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. 
Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\r\nThis activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses that this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat.\r\nDEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. The operators are most active between Sunday and Thursday from 7:30 AM to 8:30 PM Iran Time (04:00 to 17:00 UTC), with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on its size, and enumerate each account from dozens to thousands of times. 
On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.\r\nDEV-0343 operators typically target two Exchange endpoints, Autodiscover and ActiveSync, as a feature of the enumeration/password spray tool they use. Both endpoints return distinguishable responses for valid and invalid credentials, which lets DEV-0343 validate active accounts and passwords and further refine its password spray activity.\r\nDEV-0343 uses an elaborate series of Tor IP addresses to obfuscate its operational infrastructure. Because of this, there is no static set of indicators of compromise (IOCs) tied to this activity for us to share. The list below provides a series of behaviors and tactics we have observed the attackers use. We encourage our customers to use this information to look for similar patterns in logs and network activity to identify areas for further investigation.\r\nThe following guidance can mitigate the techniques described in the threat activity:\r\nTo locate related activity, run the following advanced hunting queries in Microsoft 365 Defender:\r\nAzure Sentinel customers can use the following detection queries to look for this activity:\r\nThe query below identifies evidence of password spray activity where ClientAppUsed is either Exchange ActiveSync or Autodiscover and the emulated browser is Chrome or Firefox. The query leverages Azure AD sign-in data to look for failures from multiple accounts from the same IP address within a time window. Details on whether there were successful authentications from the same IP address within the query range are also included; a success from a spraying IP can be an indicator that the attack worked. 
The default failure account threshold is 5 distinct accounts and the default time window for failures is 20m; both are parameters at the top of the query and should be tuned to the tenant’s size.\r\nlet timeRange = 3d;\r\nlet lookBack = 7d;\r\nlet authenticationWindow = 20m;\r\nlet authenticationThreshold = 5;\r\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\r\nlet failureCodes = dynamic([50053, 50126]); // 50053: account locked (too many sign-ins); 50126: invalid username or password\r\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]); // 0 plus codes where the password was correct but policy (MFA, CA, expiry, disabled) blocked the sign-in\r\nlet ClientApps = dynamic([\"AutoDiscover\",\"Exchange ActiveSync\"]);\r\nlet BrowserList = dynamic([\"Chrome\",\"Firefox\"]);\r\n// Look up resolved identities from the last 7 days\r\nlet aadFunc = (tableName:string){\r\nlet identityLookup = table(tableName)\r\n| where TimeGenerated >= ago(lookBack)\r\n| where not(Identity matches regex isGUID)\r\n| where isnotempty(UserId)\r\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\r\n// collect window threshold breaches\r\ntable(tableName)\r\n| where TimeGenerated > ago(timeRange)\r\n| where ResultType in(failureCodes)\r\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\r\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\r\n| where FailedPrincipalCount >= authenticationThreshold\r\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\r\n| join kind= inner (\r\n// where we breached a threshold, join the details back on all failure data\r\ntable(tableName)\r\n| where TimeGenerated > ago(timeRange)\r\n| where ResultType in(failureCodes)\r\n| extend LocationDetails = todynamic(LocationDetails)\r\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\r\n| extend DeviceDetail = todynamic(DeviceDetail)\r\n| extend Browser = DeviceDetail.browser\r\n
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), make_set(Browser), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\r\n// lookup any unresolved identities\r\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\r\n| join kind= leftouter (\r\nidentityLookup\r\n) on $left.UnresolvedUserId==$right.UserId\r\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\r\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\r\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_Browser), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\r\n| extend FailedPrincipalCount = array_length(set_UserPrincipalName)\r\n) on IPAddress\r\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type, Browsers = set_set_Browser\r\n| join kind= inner (\r\ntable(tableName) // get data on success vs. failure history for each IP\r\n| where TimeGenerated > ago(timeRange)\r\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\r\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\r\n// keep only IPs where failed principals outnumber successful ones; this drops false positives from shared egress IPs that authenticate successfully a lot and, as a side effect, also fail a lot\r\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount\r\n) on IPAddress\r\n| project-away IPAddress1\r\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\r\n};\r\nlet aadSignin = aadFunc(\"SigninLogs\");\r\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\r\nunion isfuzzy=true aadSignin, aadNonInt\r\n| where Browsers has_any (BrowserList)\r\n| where ClientAppUsed has_any (ClientApps)\r\n
One of the results that the query surfaces is the IPAddress field from which the sign-ins originated. Customers can join this query with their own threat intelligence data on Tor exit nodes to make it even higher fidelity. It is often worthwhile to maintain a list of all known Tor exit nodes so that it can be matched in Azure Sentinel queries, or used to block sign-ins from Tor exit nodes with a Conditional Access named location. Azure Sentinel also provides playbooks that can leverage third-party providers of Tor information, such as Big Data Cloud, to synchronize the list of known Tor exit nodes on an hourly basis. 
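As an added illustration (not code from the Microsoft post or from the Azure Sentinel repository), the Python below re-implements the logic of the Sentinel query above in plain code over a constructed sample of sign-in records, so that its two filters can be read step by step: first the per-IP, 20-minute-window count of distinct failing principals against the threshold of 5, then the guard that drops IPs whose successful principals outnumber their failed ones, followed by the Autodiscover/ActiveSync and Chrome/Firefox restriction. It also records whether every failure fell inside the Sunday-to-Thursday 04:00-17:00 UTC activity window described above, marks the source against a Tor exit-node list, and computes the per-account IPs/Failures/DaysWithAttempts metrics of the second hunting query described in the following paragraph, since both hunts share the same parsed records. The sample records, the pipe-delimited field layout, and the Tor exit set are constructed for this example; the addresses are RFC 5737 documentation ranges, not real infrastructure.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of sign-in records (not real log data). Columns mirror the SigninLogs
# fields the query uses: TimeGenerated (UTC) | IPAddress | UserPrincipalName | ResultType |
# ClientAppUsed | browser. Addresses are from RFC 5737 documentation ranges.
SAMPLE_SIGNINS = '''
2021-09-28T05:02:10|203.0.113.10|alice@contoso.example|50126|Exchange ActiveSync|Firefox
2021-09-28T05:03:41|203.0.113.10|bob@contoso.example|50126|Exchange ActiveSync|Firefox
2021-09-28T05:05:12|203.0.113.10|carol@contoso.example|50126|AutoDiscover|Firefox
2021-09-28T05:07:55|203.0.113.10|dave@contoso.example|50053|AutoDiscover|Firefox
2021-09-28T05:09:30|203.0.113.10|erin@contoso.example|50126|Exchange ActiveSync|Firefox
2021-09-28T05:11:02|203.0.113.10|erin@contoso.example|0|Exchange ActiveSync|Firefox
2021-09-28T12:00:00|198.51.100.7|alice@contoso.example|0|Browser|Chrome
2021-09-28T12:01:00|198.51.100.7|bob@contoso.example|0|Browser|Chrome
2021-09-28T12:02:00|198.51.100.7|carol@contoso.example|50126|Browser|Chrome
2021-09-29T04:10:00|192.0.2.1|frank@contoso.example|50126|AutoDiscover|Firefox
2021-09-29T04:11:00|192.0.2.2|frank@contoso.example|50126|AutoDiscover|Firefox
2021-09-30T04:12:00|192.0.2.3|frank@contoso.example|50126|AutoDiscover|Firefox
2021-09-30T04:13:00|192.0.2.4|frank@contoso.example|50126|AutoDiscover|Firefox
'''

# Same result-type sets as the query: 50053 = account locked, 50126 = bad username/password;
# the success set also covers codes where the password was right but policy blocked sign-in.
FAILURE_CODES = {50053, 50126}
SUCCESS_CODES = {0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158,
                 50072, 50074, 53003, 53000, 53001, 50129}
CLIENT_APPS = {'AutoDiscover', 'Exchange ActiveSync'}
BROWSERS = {'Chrome', 'Firefox'}
# Constructed stand-in for a Tor exit-node feed (documentation addresses, not real exits).
TOR_EXITS = {'203.0.113.10', '192.0.2.1'}


def parse_signins(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, upn, code, app, browser = line.split('|')
        events.append({'time': datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
                       'ip': ip, 'upn': upn, 'code': int(code), 'app': app, 'browser': browser})
    return events


def in_dev0343_hours(ts):
    # Sunday to Thursday, 04:00-17:00 UTC (07:30-20:30 Iran time), per the post.
    return ts.weekday() in (6, 0, 1, 2, 3) and 4 <= ts.hour < 17


def detect_spray_sources(events, window_minutes=20, threshold=5):
    # Step 1: per (IP, 20-minute bin), count distinct principals that produced a failure code.
    window = window_minutes * 60
    failed_by_bin = defaultdict(set)
    for e in events:
        if e['code'] in FAILURE_CODES:
            failed_by_bin[(e['ip'], int(e['time'].timestamp()) // window)].add(e['upn'])
    breaches = defaultdict(int)
    for (ip, _bin), upns in failed_by_bin.items():
        if len(upns) >= threshold:
            breaches[ip] += 1
    # Step 2: for each breaching IP, join back the failure details and its success history.
    results = {}
    for ip, n in breaches.items():
        mine = [e for e in events if e['ip'] == ip]
        fails = [e for e in mine if e['code'] in FAILURE_CODES]
        fail_upns = {e['upn'] for e in fails}
        succ_upns = {e['upn'] for e in mine if e['code'] in SUCCESS_CODES}
        # Guard from the query: an IP whose successes outnumber its failures is most likely a
        # shared egress (NAT, proxy) with incidental typos, not a spray source.
        if len(fail_upns) <= len(succ_upns):
            continue
        apps = {e['app'] for e in fails}
        browsers = {e['browser'] for e in fails}
        # Restrict to the DEV-0343 tradecraft: Autodiscover/ActiveSync with a Chrome/Firefox UA.
        if not (apps & CLIENT_APPS and browsers & BROWSERS):
            continue
        results[ip] = {
            'window_breaches': n,
            'failed_principals': sorted(fail_upns),
            'succeeded_principals': sorted(succ_upns),  # non-empty: a sprayed password may have worked
            'client_apps': sorted(apps),
            'browsers': sorted(browsers),
            'in_dev0343_hours': all(in_dev0343_hours(e['time']) for e in fails),
            'tor_exit': ip in TOR_EXITS,
        }
    return results


def volatile_ip_accounts(events, min_ips=3):
    # Second hunt: per account, distinct source IPs, failure count and days with attempts.
    # Many IPs with one or two failures each is the rotating-proxy pattern; this deliberately
    # clusters on per-account IP churn only, not on IP or user agent.
    per_user = defaultdict(lambda: {'ips': set(), 'failures': 0, 'days': set()})
    for e in events:
        if e['code'] in FAILURE_CODES:
            u = per_user[e['upn']]
            u['ips'].add(e['ip'])
            u['failures'] += 1
            u['days'].add(e['time'].date())
    return {upn: {'IPs': len(u['ips']), 'Failures': u['failures'], 'DaysWithAttempts': len(u['days'])}
            for upn, u in per_user.items() if len(u['ips']) >= min_ips}


if __name__ == '__main__':
    evts = parse_signins(SAMPLE_SIGNINS)
    for ip, r in detect_spray_sources(evts).items():
        print(ip, r)
    print(volatile_ip_accounts(evts))
```

Run as a script, the sample flags 203.0.113.10 (five distinct accounts failing in one 20-minute bin, one later success for erin, Tor-listed, inside the actor’s working hours) and reports frank as the account hit from four different IPs over two days; the 198.51.100.7 egress, which mostly succeeds, is suppressed by the success/failure guard. The grouping is the same as in the KQL; the point of the plain version is to make the thresholds and that guard concrete before tuning them for a real tenant.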
The Sentinel playbook that does this is published at https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-NamedLocations-TOR/readme.md.\r\nNext, we have another hunting query that identifies instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses. Changing the IP address for every password attempt is becoming a more common technique among sophisticated threat groups, which often randomize the user agent as well as the IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP addresses, often sourced through malicious browser plugins. This query is best executed over longer timeframes. Results with the highest “IPs”, “Failures” and “DaysWithAttempts” values are good candidates for further investigation. The query intentionally does not cluster on UserAgent, IP, etc.; it clusters on the highly volatile IP behavior itself.\r\nSource: https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/"
	],
	"report_names": [
		"iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c4cd33a4-3ec0-4a21-b20f-99d3b7cc6525",
			"created_at": "2024-01-09T02:00:04.205662Z",
			"updated_at": "2026-04-10T02:00:03.511121Z",
			"deleted_at": null,
			"main_name": "Gray Sandstorm",
			"aliases": [
				"DEV-0343"
			],
			"source_name": "MISPGALAXY:Gray Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775791582,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/697647b360281512e1332cf5fef7d8c9a3b08c99.pdf",
		"text": "https://archive.orkl.eu/697647b360281512e1332cf5fef7d8c9a3b08c99.txt",
		"img": "https://archive.orkl.eu/697647b360281512e1332cf5fef7d8c9a3b08c99.jpg"
	}
}