Why has there been a sudden surge in phishing attacks in the Gulf region?

In M-Trends 2026, the global median dwell time for cyber attacks rose from 11 days to 14 days. This shift underscores a growing sophistication among threat actors, particularly their ability to evade modern security controls. However, this metric varies dramatically based on the attacker's motivation. Cybercriminals are exploiting the fear and uncertainty surrounding the conflict in Iran and the wider Middle East. Following the US-Israeli strikes on February 28th, researchers observed a 130% spike in malicious emails. Attackers are using the regional instability and shipping disruptions as "social engineering" lures to trick people into acting quickly without thinking.

What kind of email lures are attackers currently using?

While the attacks are linked to the geopolitical situation, the emails often look like standard business communications. Common lures include fake invoices, contracts, banking documents, and delivery notifications. These are designed to exploit business disruptions and pressure employees into opening attachments or clicking links to "resolve" urgent issues. Highly interactive voice phishing surged to 11%, becoming the second-most observed vector. Attackers are effectively bypassing automated security controls and multi-factor authentication (MFA) protocols by targeting IT help desks directly. For example, threat groups pose as legitimate employees to reset credentials. This evolution demonstrates that attackers are finding equal success exploiting fundamental human vulnerabilities as they are zero-day exploits.

What are the best practices for defending against social engineering tactics?

To defend against sophisticated social engineering campaigns, you should treat all unexpected business emails—especially those containing .zip, .rar, or .hta attachments—with high suspicion. Always hover over links to inspect the true destination before clicking, and never let "urgent" language pressure you into bypassing security protocols. Most importantly, verify any financial or legal request through a secondary, trusted channel, such as a known phone number or official company portal, rather than replying to the email.

Alert: Payroll-Hijacking Attacks Are Targeting Canadian Employees

Microsoft warns that a new criminal threat actor dubbed “Storm-2755” is launching payroll-pirate attacks against Canadian users. These attacks use social engineering to compromise employee accounts and divert salary payments to attacker-controlled bank accounts.

“In the observed campaign, Storm-2755 likely gained initial access through SEO poisoning or malvertising that positioned the actor-controlled domain, bluegraintours[.]com, at the top of search results for generic queries like ‘Office 365’ or common misspellings like ‘Office 265,’” Microsoft says. “Based on data received by DART, unsuspecting users who clicked these links were directed to a malicious Microsoft 365 sign-in page designed to mimic the legitimate experience, resulting in token and credential theft when users entered their credentials.” Notably, the attackers are using adversary-in-the-middle (AiTM) techniques to bypass less-secure methods of multifactor authentication.

“This activity aligns with an AiTM attack—an evolution of traditional credential phishing techniques—in which threat actors insert malicious infrastructure between the victim and a legitimate authentication service. Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture session cookies and OAuth access tokens issued upon successful authentication. Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant; phishing-resistant methods such as FIDO2/WebAuthN are designed to mitigate this risk.”

Once an employee account has been breached, the attackers trick HR workers into changing the employee’s payment information.

“Email subject lines were also consistent across all compromised users, ‘Question about direct deposit,’ with the goal of socially engineering HR or finance staff members into performing manual changes to payroll instructions on behalf of Storm-2755, removing the need for further hands-on-keyboard activity,” Microsoft says.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Microsoft has the story.

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.

Security Awareness Training Blog

Alert: Payroll-Hijacking Attacks Are Targeting Canadian Employees

Secure Your Human and AI Workforce

Secure the Digital Workforce: Human + AI

ABOUT KNOWBE4 TEAM

Subscribe to Our Blog

Posts By Topic

Get the latest insights, trends and security news. Subscribe to CyberheistNews.

Get the latest insights, trends and security news. Subscribe to CyberheistNews.