Date: 2026-03-12
Rapid evolution of threats highlights inability of traditional email security to keep pace
For decades, email has been the backbone of corporate communications, and for precisely this reason it remains the attacker’s preferred gateway into organizations. Phishing, Business Email Compromise (BEC), and supply chain attacks continue to increase, with adversaries using AI and compromised accounts to bypass classic protection mechanisms. The rapid evolution of threats presents significant challenges for CISOs, IT Directors, and SOC teams, highlighting the inability of traditional email security to keep pace.
In regions such as the Middle East, these risks are often amplified during major holiday periods such as Eid, when organisations operate with reduced staffing, decision-makers are on leave, and out-of-office (OOO) auto-replies are widely enabled. Attackers are acutely aware of these patterns and actively exploit them.
It is striking how much attacks have changed in the past year. On the one hand, the volume of phishing is noticeably increasing, especially in campaigns against finance departments, IT administrators, and executives. On the other hand, AI ensures that attacks appear more convincing: emails can be created in the style of internal communication, content is personalized and rolled out on a large scale – right up to context-aware phishing and multilingual BEC attempts.
At the same time, many attacks today no longer originate from ‘obviously’ malicious sources, but from legitimate, yet compromised, sender accounts. This makes detection significantly more difficult, as reputation and domain signals suddenly look clean. In addition, the focus is shifting from attachments to URL-based attacks. Links lead to prepared login pages, fake cloud portals, or malware infrastructure and often change so quickly that signature-based methods fail. It becomes particularly delicate when supply chain phishing occurs via trusted third-party systems, and legitimate domains are abused for distribution. The result: even organizations with supposedly solid email security see dangerous messages landing in their inboxes.
Major holiday periods such as Eid create particularly favourable conditions for social-engineering attacks. During these times, employees commonly activate OOO auto-replies that disclose valuable contextual information, including absence dates, internal reporting structures, and alternate contacts.
Security researchers have documented how attackers deliberately send “scouting emails” to trigger OOO responses, then use the information gathered to impersonate absent employees or named alternates in follow-up attacks. These impersonation attempts frequently target colleagues with urgent requests to review documents, click links, or approve payments while normal verification processes are disrupted.
This risk is compounded by the fact that many organisations operate with lighter staffing during Eid, particularly within finance and operations teams. Microsoft threat intelligence has previously noted that attackers often increase activity during holiday periods, when vigilance is reduced and urgent requests are more likely to bypass scrutiny.
When combined with AI-generated language that perfectly mimics writing style and tone, BEC emails sent during holidays become significantly harder for employees to detect.
Traditional Secure Email Gateways (SEGs) rely heavily on static rules, signatures, domain reputation and known attack indicators. While they can block commodity attacks, they often struggle with modern phishing patterns. For instance, AI-generated content is unique, making signature-based detection ineffective. In addition, BEC attacks that trick employees into making money transfers or buying gift cards don’t actually contain links or attachments, so they would appear benign to an SEG.
Furthermore, compromised real accounts use clean infrastructure, bypassing domain-based filtering, and malicious URLs can evade traditional scanning by changing rapidly. The bottom line is that static policy-based systems can’t adapt fast enough to attacker iteration.
At the same time, the market is shifting: more organizations are moving away from expensive, legacy SEG appliances and consolidating email under Microsoft 365. Native tools like Exchange Online Protection (EOP) are solid foundations but are not enough on their own for today’s threat landscape.
A modern defense principle relies not only on known signatures but also on behavioral and contextual signals. For example, it checks whether the writing style matches the sender. Is the message unusual for this relationship? Is a domain behaving differently? Does a URL seem suspicious in its intent or behavior? This focus on plausibility addresses the attack forms that classic filters often overlook, such as AI-supported phishing, BEC without payload, Vendor Email Compromise, zero-day phishing, or malicious links in seemingly innocuous messages. Crucially, this detection continuously learns and adapts to organization-specific patterns as well as global threat intelligence, instead of just processing static rules. Additionally, fast review and remediation workflows are important to reduce alert fatigue and improve response times.
Even with advanced behavioral AI in place, attackers still target people. A strong security culture reinforced by awareness, simulated phishing, and real-time teachable moments remains essential. Resilient email security requires both technical protective measures and human risk management.
As organisations across the Middle East prepare for Eid holidays, this period should be viewed not just as a time of celebration, but also as a moment to reassess defensive readiness. Minimising externally visible OOO information, reinforcing verification procedures for financial and access requests, and ensuring employees remain vigilant are practical steps that significantly reduce exposure.
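One way to act on the advice to minimise externally visible OOO information, shown as an added Python example that is not part of the original article: it audits an auto-reply for the three kinds of detail named earlier (absence dates, reporting structure, alternate contacts) and derives an external-safe version. The regex patterns, function names and the sample message are assumptions constructed for this illustration.

```python
import re

# Detail categories the article lists as disclosed by OOO auto-replies.
# The patterns are illustrative assumptions, not a complete taxonomy.
MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*"
PATTERNS = {
    "absence_dates": re.compile(
        rf"\b\d{{1,2}}(?:st|nd|rd|th)?\s+{MONTHS}\b"
        rf"|\b\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?\b", re.I),
    "alternate_contact": re.compile(
        r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\+?\d[\d\s()-]{7,}\d"),
    "reporting_structure": re.compile(
        r"\b(?:my|our)\s+(?:line manager|manager|director|deputy"
        r"|supervisor|assistant)\b", re.I),
}

# Fallback used when every sentence of the reply discloses something.
GENERIC = "I am currently unavailable and will reply when I return."


def audit(text):
    """Return {category: [matched strings]} for each category found."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def external_version(text):
    """Keep only sentences with no findings; else use the generic reply."""
    sentences = re.split(r"(?<=[.!?])\s+", text.strip())
    safe = [s for s in sentences if not audit(s)]
    return " ".join(safe) if safe else GENERIC


# Constructed sample auto-reply (name, address and number are made up).
SAMPLE = ("Eid Mubarak! I am out of the office from 28 March to 6 April with "
          "no email access. For urgent payment approvals, contact my deputy "
          "Sara Khan at sara.khan@example.com or +971 4 555 0100. "
          "I will reply when I return.")

if __name__ == "__main__":
    for category, hits in audit(SAMPLE).items():
        print(f"{category}: {hits}")
    print("external:", external_version(SAMPLE))
```

The full text can still be served to internal senders, with only the reduced version returned to external ones.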
As attackers continue to evolve, defence strategies must evolve with them. Organisations that combine layered, behaviour-based AI email security with strong security awareness programmes will be best positioned to withstand the next generation of phishing, BEC, and social-engineering attacks — during Eid and throughout the year.
Moreover, the current conflict across the Middle East and Gulf adds a further dimension to these risks. Crisis periods accelerate exactly the conditions attackers exploit, from skeleton staffing and distracted decision-makers to heightened emotional uncertainty. This is already playing out in the region, with Dubai Police recently warning of scammers impersonating government officials and exploiting the conflict to steal UAE Pass credentials and Emirates ID information from residents. For organizations in the region, the window of risk has become a door that never closes.
- The writer is CISO Advisor at KnowBe4