GCC firms rethink cyber defences as AI phishing surges

With AI now powering the majority of phishing campaigns and attacks expanding beyond email into Teams, calendars and AI tools, security leaders across the Gulf are rethinking trust models, accelerating investments in identity security and preparing for a new era of human-centric cyber risk

Artificial intelligence (AI) is transforming the cyber security landscape across the Gulf Cooperation Council (GCC), forcing enterprises to rethink long-standing security strategies as attackers move beyond email and target collaboration platforms, digital identities and even enterprise AI deployments.

The shift comes as research from KnowBe4 shows that 86% of phishing attacks are now AI-driven, with threat actors increasingly exploiting platforms such as Microsoft Teams, calendars, Slack and messaging applications to launch social engineering campaigns.

The findings align with a broader regional trend already reshaping cyber investment priorities. Recent conversations with Middle East chief information security officers (CISOs) reveal that identity protection, AI governance and resilience-led security models are rapidly replacing traditional perimeter-focused approaches as deepfakes, shadow AI and AI-enhanced phishing become operational realities.

“What has changed is not only the volume of attacks but their sophistication,” says Martin Kraemer, CISO adviser at KnowBe4. “Attackers are no longer trying to break systems, they are increasingly trying to log in as legitimate users.”

Collaboration platforms emerge as the new attack surface

Email remains an important vector, but attackers are increasingly following employees into the environments where modern work happens. KnowBe4 highlighted a 49% increase in calendar-based phishing attacks and a 41% rise in Microsoft Teams-related threats during the past six months, underscoring how collaboration platforms are becoming attractive targets.

According to the company, the behavioural dynamics of these tools create ideal conditions for abuse. “Collaboration tools like Teams have the ability to communicate with people outside the organisation, but the vast majority of contacts will actually be internal,” says Kraemer.

“This means people often do not operate with the same level of caution and rigour when communicating on the platform. We have trained ourselves to be suspicious of incoming emails, but users are often less switched on when using much faster-paced communications in chats.” 

The problem is compounded by limited visibility. “Attackers also know that collaboration tools are much less regulated and monitored. The majority of organisations have not yet put the required tools into place,” Kraemer adds. “As communication moves from email to other channels, organisations should treat these channels more or less the same.”

For GCC organisations undergoing rapid digital transformation – particularly across the government, energy, financial services and critical infrastructure sectors – this poses a significant challenge. Hybrid work models, cloud-first strategies and expanding collaboration ecosystems have increased exposure, while security controls have struggled to keep pace.

Identity becomes the new security perimeter

AI-powered attacks are also exploiting trust relationships inside organisations. KnowBe4’s research found that 30% of attacks now involve internal impersonation, while reverse proxy techniques designed to steal Microsoft 365 credentials have surged by 139%.

These attacks rely on fake portals that perfectly imitate legitimate login experiences, making detection increasingly difficult. “The stealing technique relies on proxy portals that look exactly like the real thing but are designed to steal credentials from the actual login process,” Kraemer explains. “The only giveaway might be the domain name.”

As a result, organisations are being encouraged to strengthen human verification skills alongside technical controls. “Train employees in domain verification,” the company advises.
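The same domain check can be applied automatically to links before a user ever sees the sign-in page. The following Python is an added example, not code from KnowBe4 or the article; the allowlist of sign-in hosts, the function name `classify_login_url` and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organisation expects for Microsoft 365.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

def classify_login_url(url: str) -> str:
    """Return 'ok' or a 'reject: ...' reason for a link to a sign-in page."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any userinfo ("trusted@real-host") and the port.
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "reject: unparseable URL"
    if parts.scheme != "https":
        return "reject: not https"
    if not host:
        return "reject: no host"
    # Non-ASCII or punycode labels can render as look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "reject: internationalised host"
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    # A trusted name inside a longer host, or with dots swapped for dashes,
    # is a common way to make a proxy portal's domain look legitimate.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted in host or trusted.replace(".", "-") in host:
            return "reject: trusted name embedded in untrusted host"
    return "reject: host not on allowlist"

# Constructed sample links (reserved example domains), not from the article.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://login.microsoftonline.com.evil.example/common/oauth2",
    "https://login.microsoftonline.com@evil.example/",
    "https://login.microsoftonl\u0456ne.com/",  # Cyrillic look-alike letter
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_login_url(sample):50} {sample!r}")
```

Exact-match allowlisting is deliberately strict: anything that is not one of the expected sign-in hosts is rejected, whatever the page looks like.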

Remote working environments require additional protection

Across the GCC, CISOs are increasingly directing investments towards identity-first architectures, adaptive access management and AI-enabled detection systems capable of recognising anomalous behaviour in real time. The trend reflects wider concerns across the region that stronger impersonation capabilities, including deepfake audio and video, are eroding traditional trust assumptions.

KnowBe4 states: “Encourage employees to use VPN [virtual private network] connections when working remotely so that network traffic analysis and monitoring can catch unusual activity, as malicious proxies attempt to leak credentials externally. Make sure network monitoring is prepared to detect related tactics, techniques and procedures.”

Shadow AI creates a second security challenge

Enterprises are also grappling with risks posed by AI adoption itself. As organisations across the Gulf accelerate AI initiatives in government services, smart cities, energy operations and enterprise automation, employees are increasingly using GenAI platforms that may introduce new attack surfaces or amplify the risk of information leakage.

KnowBe4 argues that security leaders need clearer governance frameworks rather than blanket restrictions. “Define clear usage policies across three categories: green, amber and red,” the company says.

“For the green category, organisations should use corporate monitoring and logging tools to secure approved applications while educating users on information risks. Amber tools should be available only to users with advanced usage approvals. Red-category tools should be prohibited, while clearly identifying acceptable alternatives.”

Monitoring AI activity should mirror privileged access management approaches. “Establish logging and monitoring for anomaly detection the same way you would treat privileged human accounts,” Kraemer adds. “Provision agent credentials using least-privilege principles.”

Rising investments as GCC cyber maturity evolves

The GCC cyber security market has entered an investment cycle driven by AI-enabled threats, digital sovereignty programmes and large-scale national transformation initiatives.

Governments across the region continue to invest heavily in cyber resilience, while enterprises are expanding budgets for identity security, AI governance, security operations automation and threat intelligence capabilities.

Security operations centres are also evolving. Analysts increasingly expect AI-assisted or agentic SOC models to become mainstream, enabling human teams to supervise automated investigation and response workflows that operate at machine speed.

The objective is no longer simply prevention – instead, GCC organisations are moving towards resilience-first security strategies built around continuous verification, identity protection and faster detection.

As attackers exploit collaboration platforms, AI tools and trusted identities, the Gulf’s cyber leaders appear to be reaching a common conclusion: in the AI era, security is becoming less about protecting networks and more about protecting people, behaviour and trust itself.