Microsoft Threat Intelligence with a good post on an Iranian nation-state actor executing password sprays across industries.

Some good TTPs and other details here. If you've had a password spray attack lately, worth running the 4 IPs they provide through your auth logs.

https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/ 

 these threat actor group names need to go, though. "Peach Sandstorm" sounds like something cold and refreshing that I should be enjoying on a beach somewhere.