Why credential phishing is becoming the UAE’s most dangerous cyber threat

Identity-based cybercrime rises as device code scams and AI-crafted phishing spread.

Dubai: Credential phishing continues to be one of the most widely used tools in the cybercriminal arsenal, acting as the entry point for a range of attacks including account takeovers, financial fraud, ransomware incidents and corporate espionage.

In the United Arab Emirates, identity-based cybercrime has seen a notable increase over the past year. Data from the UAE Cybersecurity Council indicates that over 75 per cent of cyber breaches in the country begin with phishing emails or fraudulent messages, underscoring how central credential theft remains as an initial gateway into corporate systems.

While the end goal of attackers has largely stayed the same, cybersecurity experts warn that the techniques used to obtain credentials have evolved significantly in sophistication, making detection and prevention increasingly challenging.

How credential attacks work

A credential-based attack involves the use of stolen, guessed or phished login details to gain unauthorised access to systems or sensitive data.

These attacks typically focus on compromising usernames, passwords, authentication tokens or session keys in order to impersonate legitimate users and bypass security controls. As Haider Pasha, VP & Chief Security Officer for EMEA at Palo Alto Networks, explained, credential attacks remain among the most common forms of cyber intrusion and are increasing both in frequency and sophistication globally, including in the UAE.

The rise of device code phishing

Experts say the nature of these attacks is also evolving rapidly.

According to Kenan Abu Ltaif of Proofpoint, device code phishing is becoming a fast-growing threat, with new malicious tools appearing regularly across the cybercrime ecosystem.

Unlike traditional phishing methods that rely on fake login pages to trick users into entering passwords, device code phishing exploits legitimate authentication processes that users already trust and use in everyday digital services.

“Instead, it exploits legitimate authentication flows to capture tokens that can give attackers persistent access to accounts, even after passwords are changed. That represents a significant evolution in the threat landscape,” Ltaif explained.

To further reduce suspicion, attackers are increasingly using trusted and familiar contexts. “By impersonating HR departments, government agencies, and widely used services such as DocuSign and Microsoft, cybercriminals are able to remove many of the usual warning signs that would normally prompt an employee to stop and question the message,” he added.

Attackers are also increasingly relying on trusted contexts to lower victims’ guard. Impersonating HR departments, government agencies, and widely used platforms such as DocuSign and Microsoft helps remove the usual warning signs that might otherwise make a user hesitate.

As Kenan Abu Ltaif explained, this approach reduces friction in the interaction, making phishing attempts feel routine and legitimate rather than suspicious or unusual.

One hacked account threatens everyone

Globally, the impact of a single compromised corporate account has grown significantly, with attackers increasingly using initial access as a gateway for broader intrusions.

Research from Proofpoint shows that in 83 per cent of confirmed account takeover incidents, attackers do not stop after gaining access.

As Kenan Abu Ltaif explained, compromised accounts are often weaponised for secondary attacks. “Instead, they utilised the compromised account to launch secondary attacks—impersonating the account owner to target colleagues, external partners, and suppliers. Consequently, a stolen credential is no longer isolated to a single person’s inbox; it becomes a dangerous foothold into the entire connected business ecosystem,” he said.

The risk is amplified by the dominance of workplace platforms such as Microsoft 365, which accounts for roughly 77 per cent of the business market, making it a high-value target for cybercriminals seeking broad organisational access.

“Compromising a single Microsoft 365 account gives attackers far more than just email access,” Ltaif noted. “They can reach files, internal chats, calendars, and connected business systems through one identity.”

He added that this vulnerability is increasingly being exploited through device code phishing. The technique abuses a legitimate Microsoft login feature designed to simplify sign-ins on devices without full web browsers. By hijacking this normal authentication flow, attackers are able to make fraudulent login requests appear genuine, significantly increasing the likelihood of user trust and successful compromise.
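A defender's view of the flow described above, as an added example that is not from the article or the experts it quotes: the script flags successful device-code sign-ins by accounts that are not expected to use that flow. The log records, field names, account names and allowlist are constructed for illustration and would need mapping to a real identity provider's sign-in logs.

```python
import json
from collections import defaultdict

# Constructed sign-in records (JSON lines). Field names are hypothetical,
# not a vendor log schema; map them to your identity provider's fields.
SAMPLE_LOG = """\
{"time":"2026-03-02T07:58:11Z","user":"lobby-display@example.com","protocol":"deviceCode","result":"success","country":"AE"}
{"time":"2026-03-02T08:14:40Z","user":"a.rahman@example.com","protocol":"browser","result":"success","country":"AE"}
{"time":"2026-03-02T09:02:05Z","user":"a.rahman@example.com","protocol":"deviceCode","result":"success","country":"NL"}
{"time":"2026-03-02T09:30:52Z","user":"s.khan@example.com","protocol":"deviceCode","result":"failure","country":"AE"}
{"time":"2026-03-02T10:05:19Z","user":"m.ali@example.com","protocol":"browser","result":"success","country":"AE"}
{"time":"2026-03-02T10:47:33Z","user":"m.ali@example.com","protocol":"deviceCode","result":"success","country":"AE"}
"""

# Accounts that legitimately sign in from devices without a full browser.
DEVICE_FLOW_ALLOWLIST = {"lobby-display@example.com"}


def find_device_code_alerts(log_text, allowlist=DEVICE_FLOW_ALLOWLIST):
    """Return alerts for successful device-code sign-ins by unexpected users."""
    seen_countries = defaultdict(set)  # user -> countries of earlier sign-ins
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        user, country = event["user"], event["country"]
        if event["result"] != "success":
            continue
        if event["protocol"] == "deviceCode" and user not in allowlist:
            # A country not seen before for this user raises the severity.
            new_place = country not in seen_countries[user]
            alerts.append({
                "time": event["time"],
                "user": user,
                "severity": "high" if new_place else "medium",
                # Tokens outlive a password change, so a reset alone is not enough.
                "response": "revoke sessions and refresh tokens, then reset password",
            })
        seen_countries[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(SAMPLE_LOG):
        print(alert)
```

The response field reflects the point made earlier in the article that captured tokens can keep working after a password change.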

UAE organisations face higher breach rates

The scale of identity-based cybercrime in the region is reflected in recent data. A study by CyberArk, a company within the Palo Alto Networks ecosystem, found that 92 per cent of United Arab Emirates organisations experienced at least three successful identity-related breaches in the 12 months leading up to April 2026.

This figure is significantly higher than the EMEA average of 80 per cent, highlighting a sharper exposure to identity-driven cyber risks across UAE enterprises compared to the broader region.

How to protect yourself

As credential attacks continue to rise in both volume and sophistication across the United Arab Emirates, experts say stronger digital hygiene is essential to protect both personal and corporate data.

Pasha outlined several key precautions:

  • Use unique passwords: Avoid reusing the same password across multiple accounts to limit exposure if one account is compromised.
  • Enable Multi-Factor Authentication (MFA): Add an extra verification step, such as a one-time code sent to a phone, wherever possible.
  • Be alert to urgency tactics: Treat unexpected messages or calls demanding immediate action with caution, as urgency is a common manipulation technique.

He also warned that the growing use of emerging technologies is reshaping the threat landscape. “This type of social engineering attack has increased as cybercriminals use generative AI to help craft plausible ruses to steal data and credentials, making it vital for individuals to remain vigilant,” Pasha said.
