Credential phishing remains one of the most effective techniques in the cybercriminal toolkit, serving as the launchpad for everything from account takeovers and financial fraud to ransomware and corporate espionage.

In the UAE, identity-based cybercrime has experienced a significant rise over the past year. According to data from the UAE Cybersecurity Council, more than 75 per cent of cyber breaches in the country originate from phishing emails or fraudulent messages. This statistic highlights just how foundational credential theft remains as an initial entry point into corporate networks.

While the objective remains the same, cybersecurity experts warn that the methods used to steal these credentials have evolved dramatically.

How credential attacks work

A credential-based attack exploits stolen, guessed, or phished authentication credentials to gain unauthorised access to systems or data. 

“These attacks typically target usernames, passwords, tokens, or session keys to impersonate legitimate users and bypass defences. Credential attacks are amongst the most common types of attacks and are rising in volume and sophistication globally and in the UAE,” Haider Pasha, VP & Chief Security Officer (CSO), EMEA, Palo Alto Networks, told Gulf News.

The rise of device code phishing

According to Kenan Abu Ltaif, Regional Lead for the Middle East and Turkey at Proofpoint, the sophistication of these attacks has shifted.

“Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week,” Ltaif stated.

Unlike traditional phishing, which relies on tricking a user into typing their password into a fake form, device code phishing exploits legitimate authentication flows that users encounter daily.

“Instead, it exploits legitimate authentication flows… to capture tokens that give attackers persistent access to accounts even after passwords are changed. That’s a meaningful evolution,” Ltaif explained.

To lower a target’s guard, attackers are increasingly leveraging trusted contexts. “By impersonating HR teams, government entities, and widely used platforms like DocuSign and Microsoft, cybercriminals eliminate the typical red flags that might otherwise cause an employee to pause,” he said.

One hacked account threatens everyone

Globally, the fallout from a single compromised corporate account has escalated.

Research from Proofpoint reveals that in 83 per cent of confirmed account takeover cases, attackers did not stop at initial access.

“Instead, they utilised the compromised account to launch secondary attacks – impersonating the account owner to target colleagues, external partners, and suppliers. Consequently, a stolen credential is no longer isolated to a single person’s inbox, it serves as a dangerous foothold into the entire connected business ecosystem,” Ltaif, said.

Microsoft 365 dominates roughly 77 per cent of the business market, making it a prime target for hackers.

“Compromising just one Microsoft account gives attackers access to far more than email,” Ltaif noted. “They get into files, internal chats, calendars, and connected business systems through a single identity.”

This vulnerability is heavily exploited through device code phishing. The tactic manipulates a real Microsoft login feature, originally designed to help users sign in easily on devices without full web browsers. By abusing this legitimate process, hackers make their fake login requests look completely authentic.

UAE organisations face higher breach rates 

The scale of identity-based cybercrime in the region is reflected in recent data. A study from CyberArk, a Palo Alto Networks company, revealed that 92 per cent of UAE organisations experienced at least three successful identity-related breaches in the 12 months leading up to April 2026. This figure is notably higher than the EMEA (Europe, the Middle East, and Africa) average of 80 per cent.

“A credential-based attack exploits stolen, guessed, or phished authentication credentials to gain unauthorised access to systems or data. These attacks typically target usernames, passwords, tokens, or session keys to impersonate legitimate users and bypass defences,” Pasha, noted.

How to protect yourself

As credential attacks grow in volume and sophistication across the UAE, defending corporate and personal data requires heightened vigilance.

Pasha explained that as cyberattacks become more complex, individuals must adopt strict digital hygiene. This includes:

• Use unique passwords: Never reuse the same password across different accounts.
• Turn on Multi-Factor Authentication (MFA): Always use extra security checks (like a code sent to your phone) whenever available.
• Watch out for urgency: Be highly suspicious of unexpected emails or calls that demand you act immediately.

The integration of emerging technologies has further complicated the threat landscape. “This type of social engineering attack has increased as cybercriminals use generative AI to help craft plausible ruses to steal data and credentials, making it vital for individuals to remain vigilant,” Pasha, said. 

GN