Insight, News, Vendor

Threat actors double down on emerging and proven tactics to outwit employees

Emile Abou Saleh, Senior Regional Director, Middle East, Turkey and Africa, Proofpoint.

Proofpoint, Inc., a leading cybersecurity and compliance company, today released its ninth annual State of the Phish report, revealing attackers are using both emerging and tried-and-tested tactics to compromise organisations. Among the organisations in the UAE that experienced attempted email-based phishing attacks, eight in 10 (86%) experienced at least one successful attack, 44% reporting direct financial losses as a result.

And while brand impersonation, business email compromise (BEC), and ransomware remained popular tactics among threat actors, cyber criminals also scaled up their use of less familiar attack methods to infiltrate global organisations.

This year’s State of the Phish report provides an in-depth overview of the real-world threats, as sourced by Proofpoint’s telemetry encompassing more than 18 million end-user reported emails and 135 million simulated phishing attacks sent over a one-year period. The report also examines perceptions of 7,500 employees and 1,050 security professionals across 15 countries, including United Arab Emirates revealing, startling gaps in security awareness and cyber hygiene that propagate the real-world attack landscape.

“While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multifactor authentication. These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale”, said Ryan Kalember, Executive Vice President, Cybersecurity Strategy, Proofpoint. “We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it’s a nation state-aligned group or a BEC actor, there are plenty of adversaries willing to play the long game”.

Some of this year’s key findings include:

Cyber Extortion Continues to Wreak Havoc

Sixty – four percent of UAE organisations experienced an attempted ransomware attack in the past year, with 70% suffering a successful infection; yet almost two-thirds 61% regained access to their data after making the initial ransomware payment.

Most infected organisations paid up, and many did so more than once. Of the organisations impacted by ransomware, the overwhelming majority (90%) had a cyber insurance policy in place for ransomware attacks, and most insurers were willing to pay the ransom either partially or in full (87%). This also explains the high propensity to pay, with two-thirds (66%) of infected organisations paying at least one ransom.

End Users Fall Prey to Bogus “Microsoft” Emails

In 2022, Proofpoint observed nearly 1,600 campaigns involving brand abuse across its global customer base. While Microsoft was the most abused brand name with over 30 million messages using its branding or featuring a product such as Office or OneDrive, other companies regularly impersonated by cyber criminals included Google, Amazon, DHL, Adobe, and DocuSign. It’s worth noting that AitM attacks will display the organisation’s real login page to the user, which in many cases will be Microsoft 365.

Considering the volume of brand impersonation attacks, it’s alarming that 76% of employees indicate they think an email is safe when it contains familiar branding, and 82% think an email address always corresponds to the matching website of the brand. It’s no surprise to see that half of the 10 phishing simulation templates most used by Proofpoint customers were brand-impersonation related, which also tended to have high failure rates.

Business Email Compromise: Cyber Fraud Goes Global 

66% of organisations in the UAE reported an attempted BEC attack last year. While English is the most common language employed, some non-English-speaking countries are starting to see higher volumes of attacks in their own languages.

Insider Threats

Pandemic-related job mobility, coupled with post-pandemic economic uncertainty, has resulted in large numbers of workers changing or leaving jobs to the tune of one in four employees in the past two years. This job market trend makes data protection more difficult for organisations, with 72% of organisations in the UAE reporting they have experienced data loss due to an insider’s action. 40% of employees in the UAE  changed jobs in the last year, among which, nearly half (49%) admitted to taking data with them.

Threat Actors Scale Up More Complex Email Threats  

Over the past year, hundreds of thousands of telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass phishing messages were sent each day—ubiquitous enough to threaten nearly all organisations. At its peak, Proofpoint tracked more than 600,000 TOAD attacks—emails that incite recipients to initiate a direct conversation with attackers over telephone via bogus ‘call centres’—per day, and the number has been steadily rising since the technique first appeared in late 2021.

Cyber attackers now also have a range of methods to bypass MFA, with many phishing-as-a-service providers already including AitM tooling in their off-the-shelf phish kits.

Room for Improvement with Cyber Hygiene 

Threat actors always innovate, and once again this year’s report shows that most employees suffer security awareness gaps. Even basic cyber threats are still not well understood—more than a third of survey respondents cannot define “malware,” “phishing,” and “ransomware.”

In addition, only 64% of organisations in the UAE with a security awareness program train their entire workforce, and only 40% conduct phishing simulations—both critical components to building an effective security awareness program.

“People-centric cyberattacks pose the biggest risk to organisations and working adults in the Middle East. An effective and comprehensive cybersecurity awareness training program that adapts to the ever-evolving threat landscape is fundamental to building a strong security culture, as employees are increasingly accessing organisational data from multiple platforms, devices, and locations. Protecting data has never been more critical”, said Emile Abou Saleh, Senior Regional Director, Middle East, Turkey and Africa, Proofpoint. “Employees must understand that they play a critical role in preventing data breaches and this isn’t just an IT problem. As traditional working models evolve, the old ways of protecting data no longer work. Organisations will need to work together with their employees to up their game and adapt data loss prevention and insider risk solutions to protect endpoints, emails, cloud apps and the web”.

To download the State of the Phish 2023 report and see a full list of global and regional comparisons, please visit:

For more information on cybersecurity awareness best practices and training, please visit:

Previous ArticleNext Article


The free newsletter covering the top industry headlines