Microsoft Threat Intelligence with a good post on an Iranian nation-state actor executing password sprays across industries. Some good TTPs and other details here. If you've had a password spray attack lately, worth running the 4 IPs they provide through your auth logs. https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/