Phishing Campaigns Abuse AI Workflow Automation Platforms

KnowBe4 Team | Apr 22, 2026

Threat actors are abusing agentic AI automation platforms to deliver malware and send phishing emails, according to researchers at Cisco Talos. The researchers observed attackers using n8n, a legitimate platform that automates workflows in web apps and services like Slack, GitHub, Google Sheets, and others.

“Talos' investigation found that a primary point of abuse in n8n’s AI workflow automation platform is its URL-exposed webhooks,” the researchers explain. “A webhook, often referred to as a ‘reverse API,’ allows one application to provide real-time information to another. These URLs register an application as a ‘listener’ to receive data, which can include programmatically pulled HTML content....When the URL receives a request, the subsequent workflow steps are triggered, returning results as an HTTP data stream to the requesting application. If the URL is accessed via email, the recipient’s browser acts as the receiving application, processing the output as a webpage.”

These URLs let attackers send phishing links that appear legitimate and that can be tailored to specific users.

“Talos has observed a significant rise in emails containing n8n webhook URLs over the past year,” the researchers write. “For example, the volume of these emails in March 2026 was approximately 686% higher than in January 2025. This increase is driven, in part, by several instances of platform abuse, including malware delivery and device fingerprinting....Because webhooks mask the source of the data they deliver, they can be used to serve payloads from untrusted sources while making them appear to originate from a trusted domain. Furthermore, since webhooks can dynamically serve different data streams based on triggering events — such as request header information — a phishing operator can tailor payloads based on the user-agent header.”
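For defenders who want to measure how often such links reach their own mailboxes, the following added example (not code from Talos, KnowBe4 or n8n) scans a raw message for n8n webhook URLs after decoding each MIME part. The `*.app.n8n.cloud` host suffix and the `/webhook/` and `/webhook-test/` paths are assumptions about n8n's hosted URL layout that the article does not state, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumption (not from the article): hosted n8n tenants sit under
# *.app.n8n.cloud and webhook triggers use /webhook/ or /webhook-test/.
N8N_HOST_SUFFIX = ".app.n8n.cloud"
WEBHOOK_PATH = re.compile(r"^/webhook(-test)?/", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def find_n8n_webhooks(raw_email: str) -> list[str]:
    """Return unique n8n webhook URLs from every text part of a message."""
    msg = message_from_string(raw_email, policy=default)
    hits: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes quoted-printable/base64 before URL matching.
        for url in URL_RE.findall(part.get_content()):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower().rstrip(".")
            # Suffix match on the parsed host rejects lookalike domains.
            if host.endswith(N8N_HOST_SUFFIX) and WEBHOOK_PATH.match(parts.path):
                if url not in hits:
                    hits.append(url)
    return hits

# Constructed sample message; tenant name and webhook id are placeholders.
SAMPLE = """\
From: sender@example.com
Subject: Shared document
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

View the file: https://app.n8n.cloud.example.net/webhook/abc
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<a href=3D"https://tenant-placeholder.app.n8n.cloud/webhook/0000-con=
structed-id">Open document</a>
--b1--
"""

if __name__ == "__main__":
    print(find_n8n_webhooks(SAMPLE))
```

Self-hosted n8n instances run on operator-chosen domains and will not match this host suffix, so treat a hit as a triage signal and not as complete coverage.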


Cisco Talos has the story: The n8n n8mare: How threat actors are misusing AI workflow automation

 

