{
	"id": "42c805a8-a76e-4f2c-9ad8-2d87d6b88f68",
	"created_at": "2026-04-06T00:06:27.177676Z",
	"updated_at": "2026-04-10T03:34:03.002852Z",
	"deleted_at": null,
	"sha1_hash": "c488938ea7b762e51b69155870f965bfd5dfab1d",
	"title": "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441213,
	"plain_text": "Peach Sandstorm password spray campaigns enable intelligence\r\ncollection at high-value targets | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-09-14 · Archived: 2026-04-05 16:18:46 UTC\r\nSince February 2023, Microsoft has observed password spray activity against thousands of organizations carried\r\nout by an actor we track as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state threat\r\nactor who has recently pursued organizations in the satellite, defense, and pharmaceutical sectors around the\r\nglobe. Based upon the profile of victim organizations targeted and the observed follow-on intrusion activity,\r\nMicrosoft assesses that this initial access campaign is likely used to facilitate intelligence collection in support of\r\nIranian state interests.\r\nIn cases where Peach Sandstorm successfully authenticated to an account, Microsoft observed the group using a\r\ncombination of publicly available and custom tools for discovery, persistence, and lateral movement. In a small\r\nnumber of intrusions, Peach Sandstorm was observed exfiltrating data from the compromised environment.\r\nGiven the volume of activity, ongoing attempts to access targets of interest, and risks associated with post-compromise activity, Microsoft is reporting on this campaign to raise awareness of recent Peach Sandstorm\r\ntradecraft and empower organizations to harden their attack surfaces and defend against this activity. As with any\r\nobserved nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised\r\nby Peach Sandstorm and provides them with the information they need to secure their accounts.\r\nWho is Peach Sandstorm?\r\nPeach Sandstorm is an Iranian nation-state group known to target organizations in multiple countries. 
In past\r\nattacks, Peach Sandstorm has pursued targets in the aviation, construction, defense, education, energy, financial\r\nservices, healthcare, government, satellite, and telecommunications sectors. Activity that Microsoft attributes to\r\nPeach Sandstorm overlaps with public reporting on groups known as APT33, Elfin, and Refined Kitten.\r\nThroughout 2023, Peach Sandstorm has consistently demonstrated interest in organizations in the satellite,\r\ndefense, and to a lesser extent, pharmaceutical sectors.  In the initial phase of this campaign, Peach Sandstorm\r\nconducted password spray campaigns against thousands of organizations across several sectors and geographies.\r\nWhile Microsoft observed several organizations previously targeted by Peach Sandstorm, the volume of activity\r\nand range of organizations suggests that at least a subset of the initial activity is opportunistic.\r\nIn past operations, Peach Sandstorm relied heavily, but not exclusively, on password spray attacks as a means of\r\ngaining access to targets of interest. In some cases, Peach Sandstorm has used this tradecraft to compromise an\r\nintermediate target and enable access to downstream environments. As one example, Peach Sandstorm carried out\r\na wave of attacks in 2019 that coincided with a rise in tensions between the United States and the Islamic\r\nRepublic of Iran.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/\r\nPage 1 of 9\n\nUnlike password spray operations which are noisy by definition, a subset of Peach Sandstorm’s 2023 post-compromise activity has been stealthy and sophisticated. 
Many of the cloud-based tactics, techniques, and\r\nprocedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by\r\nPeach Sandstorm in the past.\r\nIntrusion chain\r\nMicrosoft observed Peach Sandstorm using two distinct sets of TTPs in the early stages of the intrusion lifecycle\r\nin 2023 attacks. In later stages of known compromises, the threat actor used different combinations from a set of\r\nknown TTPs to drop additional tools, move laterally, and ultimately exfiltrate data from a target.\r\nFigure 1. Peach Sandstorm 2023 tradecraft\r\nPath 1: Password spray activity, internal reconnaissance with AzureHound or Roadtools, and\r\nmultiple persistence mechanisms\r\nPassword spray activity\r\nBetween February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to\r\nauthenticate to thousands of environments. Password spraying is a technique where threat actors attempt to\r\nauthenticate to many different accounts using a single password or a list of commonly-used passwords. Unlike\r\nbrute force attacks that target a single account using many passwords, password spray attacks help adversaries\r\nmaximize their chances for success and minimize the likelihood of automatic account lockouts.\r\nEven a single compromised account could allow an adversary to conduct reconnaissance, move laterally, or access\r\nsensitive resources, often without attracting attention from defenders.\r\nFigure 2. Identity attack lifecycle\r\nLong-running password spray campaigns offer insight into adversaries’ pattern of life. 
Activity observed in this\r\ncampaign aligned with an Iranian pattern of life, particularly in late May and June, where activity occurred almost\r\nexclusively between 9:00 AM and 5:00 PM Iran Standard Time (IRST). While Peach Sandstorm has carried out\r\nhigh-volume password spray campaigns in the past, elements of the most recent campaign were unique.\r\nSpecifically, Peach Sandstorm consistently conducted the password sprays from TOR IPs and used a “go-http-client” user agent.\r\nFigure 3. Peach Sandstorm authentication attempts by hour (April-July 2023)\r\nFigure 4. Peach Sandstorm authentication attempts by day of the week (April-July 2023)\r\nInternal reconnaissance with AzureHound or Roadtools\r\nIn a small subset of instances where Peach Sandstorm successfully authenticated to an account in a targeted\r\nenvironment, Microsoft observed the threat actor using AzureHound or Roadtools to conduct reconnaissance in\r\nMicrosoft Entra ID (formerly Azure Active Directory). In this campaign, Peach Sandstorm used AzureHound, a\r\nGo binary that collects data from Microsoft Entra ID and Azure Resource Manager through the Microsoft Graph\r\nand Azure REST APIs, as a means of gathering information on a system of interest. Similarly, Roadtools, a\r\nframework to access Microsoft Entra ID, allowed Peach Sandstorm to access data in a target’s cloud environment\r\nand conveniently dump data of interest to a single database.\r\nAzureHound and Roadtools have functionality that is used by defenders, red teams, and adversaries. 
The same\r\nfeatures that make these tools useful to legitimate users, like pre-built capabilities to explore and seamlessly dump\r\ndata in a single database, also make these tools attractive options for adversaries seeking information about or\r\nfrom a target’s environment.\r\nMultiple persistence mechanisms\r\nIn cases where Microsoft observed this particular intrusion chain, the threat actor used one or more persistence\r\nmechanisms. In some cases, Peach Sandstorm created a new Azure subscription on a target’s tenant and/or\r\nleveraged previously compromised Azure resources. These subscriptions were subsequently used to facilitate\r\ncommunication with Peach Sandstorm’s infrastructure.\r\nPeach Sandstorm also abused Azure Arc, a capability that allows users to secure, develop, and operate\r\ninfrastructure, applications, and Azure services anywhere, to persist in compromised environments. In this\r\ncampaign, Peach Sandstorm installed the Azure Arc client on a device in the compromised environment and\r\nconnected it to an Azure subscription controlled by Peach Sandstorm. This effectively allowed Peach Sandstorm\r\nto control devices in a target’s on-premises environment from Peach Sandstorm’s cloud.\r\nPath 2: Remote exploitation of vulnerable internet-facing applications\r\nInitial access using remote exploitation\r\nIn this wave of activity, Peach Sandstorm also attempted to exploit vulnerabilities with a public proof-of-concept\r\n(POC) in Zoho ManageEngine or Confluence, to access targets’ environments.\r\nCVE-2022-47966 is a remote code execution vulnerability affecting a subset of on-premises Zoho\r\nManageEngine products. 
Microsoft recommends organizations using vulnerable applications patch this\r\nvulnerability as multiple groups have been observed exploiting this vulnerability.\r\nCVE-2022-26134 is a remote code execution vulnerability in Confluence Server and Data Center.\r\nRecommendations that help organizations protect against exploitation of multiple vulnerabilities, including\r\nCVE-2022-26134, can be found in the recommendations section of this report.\r\nPost-compromise activity\r\nThe following post-compromise activity affected organizations in the defense, satellite, and pharmaceutical\r\nsectors:\r\nIn a subset of intrusions in this campaign, Peach Sandstorm deployed AnyDesk, a commercial\r\nremote monitoring and management tool (RMM) to maintain access to a target. AnyDesk has a range\r\nof capabilities that allow users to remotely access a network, persist in a compromised environment, and\r\nenable command and control (C2). The convenience and utility of a tool like AnyDesk is amplified by the\r\nfact that it might be permitted by application controls in environments where it is used legitimately by IT\r\nsupport personnel or system administrators.\r\nIn a March 2023 intrusion, Peach Sandstorm conducted a Golden SAML attack to access a target’s\r\ncloud resources. In a Golden SAML attack, an adversary steals private keys from a target’s on-premises\r\nActive Directory Federated Services (AD FS) server and uses the stolen keys to mint a SAML token trusted\r\nby a target’s Microsoft 365 environment. If successful, a threat actor could bypass AD FS authentication\r\nand access federated services as any user.\r\nIn at least one intrusion, Microsoft observed Peach Sandstorm using a legitimate VMWare\r\nexecutable to carry out a search order hijack. 
DLL search order hijacking allows adversaries to\r\nintroduce malicious code into an environment in a way that blends in with normal activity.\r\nIn a handful of environments, Microsoft observed Peach Sandstorm using EagleRelay to tunnel\r\ntraffic back to their infrastructure. In these instances, Peach Sandstorm created a new virtual machine in\r\na compromised Azure subscription. These virtual machines were used to run EagleRelay, a custom tool, to\r\ntunnel traffic between actor-controlled systems and targets’ systems. In at least one case, Microsoft also\r\nsaw Peach Sandstorm attempting to move laterally in a compromised environment using remote desktop\r\nprotocol (RDP).\r\nAdditional context\r\nThe capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate\r\ncredentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’\r\nenvironments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new\r\nAzure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other\r\norganizations’ environments. While the specific effects in this campaign vary based on the threat actor’s decisions,\r\neven initial access could adversely impact the confidentiality of a given environment. Microsoft continues to work\r\nacross its platforms to identify abuse, take down malicious activity, and implement new proactive protections to\r\ndiscourage malicious actors from using our services. We encourage customers and the industry to report abuse.\r\nAs Peach Sandstorm increasingly develops and uses new capabilities, organizations must develop corresponding\r\ndefenses to harden their attack surfaces and raise costs for these attacks. 
Microsoft will continue to monitor Peach\r\nSandstorm activity and implement robust protections for our customers.\r\nMitigations\r\nTo harden an attack surface against Peach Sandstorm activity, defenders can implement the following:\r\nReset account passwords for any accounts targeted during a password spray attack. If a targeted account\r\nhad system-level permissions, further investigation may be warranted.\r\nRevoke session cookies in addition to resetting passwords\r\nRevoke any multifactor authentication (MFA) setting changes made by the attacker on any\r\ncompromised users’ accounts\r\nRequire re-challenging MFA for MFA updates as the default\r\nImplement the Azure Security Benchmark and general best practices for securing identity infrastructure,\r\nincluding:\r\nCreate conditional access policies to allow or disallow access to the environment based on defined\r\ncriteria.\r\nBlock legacy authentication with Microsoft Entra ID by using Conditional Access. Legacy\r\nauthentication protocols don’t have the ability to enforce MFA, so blocking such authentication\r\nmethods will prevent password spray attackers from taking advantage of the lack of MFA on those\r\nprotocols.\r\nEnable AD FS web application proxy extranet lockout to protect users from potential password\r\nbrute force compromise.\r\nSecure accounts with credential hygiene:\r\nPractice the principle of least privilege and audit privileged account activity in your Microsoft Entra\r\nID environments to slow and stop attackers.\r\nDeploy Microsoft Entra ID Connect Health for Active Directory Federation Services (AD FS). 
This\r\ncaptures failed attempts as well as IP addresses recorded in AD FS logs for bad requests in the Risky\r\nIP report.\r\nUse Microsoft Entra ID password protection to detect and block known weak passwords and their\r\nvariants.\r\nTurn on identity protection in Microsoft Entra ID to monitor for identity-based risks and create\r\npolicies for risky sign ins.\r\nUse MFA to mitigate successful password spray attacks. Keep MFA always-on for privileged accounts and\r\napply risk-based MFA for normal accounts.\r\nConsider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates,\r\nor Windows Hello for Business.\r\nSecure RDP or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute\r\nforce attacks.\r\nSecuring critical assets like AD FS servers is a high-value measure to protect against golden SAML attacks. The\r\nguidance provided below is applicable beyond just Peach Sandstorm activity and can help organizations harden\r\ntheir attack surfaces against a range of threats.\r\nIt’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you\r\nwould apply to a domain controller or other critical security infrastructure. AD FS servers provide\r\nauthentication to configured relying parties, so an attacker who gains administrative access to an AD FS\r\nserver can achieve total control of authentication to configured relying parties (including Microsoft Entra ID\r\ntenants configured to use the AD FS server).\r\nPracticing credential hygiene, notably the recommendations provided above, is critical for protecting and\r\npreventing the exposure of highly privileged administrator accounts. 
This especially applies on more easily\r\ncompromised systems like workstations with controls like logon restrictions and preventing lateral\r\nmovement to these systems with controls like the Windows Firewall.\r\nMigration to Microsoft Entra ID (formerly Azure Active Directory) authentication is recommended to\r\nreduce the risk of on-premises compromises moving laterally to your authentication servers. Customers can\r\nuse the following references on migration:\r\nUse the activity report to move AD FS apps to Microsoft Entra ID\r\nMove application authentication to Microsoft Entra ID\r\nIndicators of compromise\r\nIndicator Type Description\r\n192.52.166[.]76 IP address Peach Sandstorm adversary IP\r\n108.62.118[.]240 IP address Peach Sandstorm adversary IP\r\n102.129.215[.]40 IP address Peach Sandstorm adversary IP\r\n76.8.60[.]64 IP address Peach Sandstorm adversary IP\r\nDetection details\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate Peach Sandstorm activity on your network:\r\nPeach Sandstorm actor activity detected\r\nMicrosoft Defender for Identity\r\nThe following alerts might indicate activity associated with password spray campaigns.\r\nPassword Spray\r\nAtypical travel\r\nUnfamiliar Sign-in properties\r\nMicrosoft Defender for Cloud Apps\r\nThe following alerts might indicate activity associated with password spray campaigns.\r\nActivity from a Tor IP address\r\nSuspicious Administrative Activity\r\nImpossible travel activity\r\nMultiple failed login attempts\r\nActivity from a password-spray associated IP address\r\nOrganizations with Defender for Cloud Apps can turn on app governance, a set of security and policy management\r\ncapabilities designed for OAuth-enabled apps registered on Azure Active Directory, Google, and 
Salesforce. The\r\nfollowing detections in App governance might indicate activity associated with password spray campaigns.\r\nNumerous Azure AD enumeration calls using PowerShell\r\nSuspicious enumeration activities performed using AAD PowerShell\r\nHunting queries\r\nMicrosoft Sentinel\r\nMicrosoft customers can use a range of Microsoft Sentinel content to help detect Peach Sandstorm activity\r\ndescribed in this blog. The Azure Active Directory solution contains several analytics rules and hunting queries for\r\nMicrosoft Entra ID data that can help uncover initial access activity including password sprays. Specific analytics\r\nrules of value include:\r\nPassword spray attack against Microsoft Entra ID application\r\nPotential Password Spray Attack (Uses Authentication Normalization)\r\nOkta – Potential Password Spray Attack\r\nReferences\r\nhttps://www.cyberwarcon.com/apt33\r\nhttps://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html\r\nhttps://github.com/dirkjanm/ROADtools\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-47966\r\nhttps://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134\r\nhttps://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at\r\nhttps://twitter.com/MsftSecIntel.\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
	],
	"report_names": [
		"peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c488938ea7b762e51b69155870f965bfd5dfab1d.pdf",
		"text": "https://archive.orkl.eu/c488938ea7b762e51b69155870f965bfd5dfab1d.txt",
		"img": "https://archive.orkl.eu/c488938ea7b762e51b69155870f965bfd5dfab1d.jpg"
	}
}