Cybersecurity · 2026-05-15 · 11 min read

Top 7 Email Threats Targeting UAE Businesses in 2026

Email remains the number-one initial-access vector for UAE business compromise. A practical breakdown of the seven email threats UAE security teams see most often in 2026, and the controls that stop each one.

By Mohd Ahsan

Email is still the dominant initial-access vector for UAE business compromise, despite years of investment in email-security tools. The threats have evolved. The crude phishing emails of 2018 are gone; what hits inboxes in 2026 is professionally crafted, often AI-assisted, frequently targeted, and increasingly business-process-aware. This guide is a practical walk through the seven email threats we triage most often in Dubai and Abu Dhabi, with the specific controls that stop each one.

1. Business Email Compromise (BEC)

What it looks like

An email purporting to be from the CEO, CFO, or a known supplier instructing the finance team to wire funds, change payment details, or update bank account information. The email may come from a lookalike domain (gritservices-ae.com instead of gritservices.ae) or, more dangerously, from a compromised legitimate account.

Why it works in the UAE

UAE business culture relies on rapid decision-making and chain-of-command authority. A CEO instructing the CFO to expedite a payment is a credible scenario. AI-assisted writing eliminates the grammatical tells of earlier years.

Controls that stop it

  • DMARC at p=reject, with SPF and DKIM aligned. Emails that spoof your exact domain get rejected before delivery.
  • Defender for Office 365 anti-impersonation rules covering named senior executives and finance contacts.
  • Process control: any payment instruction received by email must be verbally verified through a known phone number (not the number in the email).
  • Finance approval workflow that requires multi-party sign-off for changes to vendor bank details.

2. Credential phishing (Microsoft 365 login pages)

What it looks like

An email claiming "your mailbox is full," "your password expires today," or "shared document waiting for review" that links to a near-perfect replica of the Microsoft 365 login page. Captured credentials are immediately used to access M365, often with MFA-bypass techniques.

Why it works

The clone pages are visually indistinguishable from the real Microsoft 365 sign-in. Most users do not check the URL closely. Once credentials are captured, AiTM (adversary-in-the-middle) toolkits like Evilginx can capture session cookies to bypass MFA.

Controls that stop it

  • Phishing-resistant MFA: FIDO2 security keys, Windows Hello for Business, certificate-based authentication. Replaces TOTP and SMS codes that AiTM can intercept.
  • Conditional access policies that block sign-ins from unfamiliar IPs / locations / devices.
  • Defender for Office 365 Safe Links to inspect URL destinations at click time.
  • User reporting workflow: clear "Report Phishing" button in Outlook, with SOC ticket on every report.

3. Malware-laden attachments (HTML smuggling, OneNote, ISO)

What it looks like

Email with an attachment that bypasses standard scanning: an HTML file that builds the malicious payload in the browser, a OneNote file with embedded scripts, or an ISO / IMG container with executables inside. Common payloads: Qakbot, IcedID, Bumblebee, AsyncRAT.

Why it works

Attackers rotate file formats faster than blocklists update. HTML smuggling and OneNote-based delivery became prevalent in 2024-2025 because they bypass macro-blocking that Microsoft introduced for Office files.

Controls that stop it

  • Defender for Office 365 Safe Attachments with detonation chamber inspection.
  • Attack Surface Reduction rules in Defender for Endpoint blocking execution of script content from email and downloads.
  • Block uncommon attachment types at the email gateway (HTM, HTML, ISO, IMG, ONE by default for most users).
  • EDR with behavioural detection to catch payloads that get through the email layer.

4. QR code phishing (Quishing)

What it looks like

Email containing a QR code in the body or attachment, prompting the user to scan it to "view a secure message," "reset MFA," or "access voicemail." Scanning takes the user to a phishing page on a personal device that is typically outside the corporate security perimeter.

Why it works

QR codes are rendered as images; URL-scanning tools miss them. The user moves to their mobile device to scan, taking them off the company's hardened laptop and into an environment with weaker controls (personal phone without conditional access).

Controls that stop it

  • Email-security tooling with QR code recognition and URL extraction (Defender for Office 365 added this in 2024).
  • Mobile device management (Intune) extending conditional access to phones used for business email.
  • Security-awareness training that specifically covers QR code phishing.
  • Anti-impersonation policies catching the brand the QR code claims to come from.

5. Supply-chain compromise (compromised vendor inboxes)

What it looks like

An email from a real, known supplier whose mailbox has been compromised. The email may reference a real outstanding invoice, ask for a payment redirect, or attach a malicious document that appears legitimate because the relationship is genuine.

Why it works

The sender domain is correct, the sender identity is known, and the message context references real business. Every standard email-security control passes the message because there is nothing wrong with it from the recipient side. The compromise happened on the supplier's mailbox.

Controls that stop it

  • Process control on vendor bank details: any change verified through a known phone number, never via the email channel.
  • Defender for Office 365 anomaly detection flagging unusual content from known senders (very different writing style, urgency, attachment).
  • Supplier security expectations: contract clauses requiring vendors to maintain MFA, EDR, and breach-notification obligations.
  • Vendor risk-management programme; high-risk vendors get tighter controls.

6. Conversation hijacking

What it looks like

An attacker who has access to a compromised mailbox inserts themselves into an existing email thread, replying in the user's voice with a malicious link or attachment. Because the conversation is real and ongoing, the recipient has no reason to be suspicious.

Why it works

Highest-trust context. The conversation is genuine, the relationship is genuine, the timing makes sense. Pure technical filtering misses it; only behavioural anomaly detection catches it.

Controls that stop it

  • Behavioural-anomaly detection (Defender for Office 365, third-party CASB) flagging unusual messages within existing conversations.
  • EDR on the user's endpoint to catch the payload if the link or attachment is opened.
  • Internal SOC monitoring for the compromise indicators (impossible-travel sign-ins, mailbox forwarding rules, suspicious sent items).
  • User-awareness reminders that "the conversation looks normal" is not by itself a safety signal.

7. AI-assisted spear phishing

What it looks like

Highly personalised email referencing your role, your industry, your recent LinkedIn posts, the company you just announced as a client, a regulator notification specific to your sector. Written fluently in your business English with no obvious tells. Often arriving at moments of business stress (year-end close, audit period, after a public announcement).

Why it works

AI-assisted writing makes content indistinguishable from a competent human writer. Open-source intelligence (LinkedIn, company website, regulator announcements, press releases) provides the personalisation. Mass-scale targeted phishing at near-spear-phishing quality is now economically viable for attackers.

Controls that stop it

  • Phishing-resistant MFA on every account that touches business systems.
  • Defender for Office 365 with full pre-delivery inspection (anti-phishing, anti-impersonation, safe-links, safe-attachments).
  • Security-awareness training that addresses how to verify high-stakes requests (call back through a known number, escalate to security team, check for urgency pressure).
  • OSINT hygiene: review what your senior executives and finance team publish publicly; reduce the attack surface.

The five baseline controls every UAE business should have

If your business runs Microsoft 365 (which most UAE businesses do), the baseline email-security stack is:

  1. DMARC at p=reject with SPF and DKIM aligned. Stops domain-spoofed phishing before it lands.
  2. Defender for Office 365 Plan 2: anti-phishing, anti-impersonation, Safe Links, Safe Attachments, attack simulation training. Included in M365 E5 / Business Premium.
  3. Phishing-resistant MFA: FIDO2 security keys or Windows Hello for the executive team and finance team at minimum.
  4. Conditional access policies: device compliance required, location-based rules, sign-in risk policies.
  5. Security-awareness training: quarterly phishing simulations with role-based micro-training.

None of these controls are exotic. The challenge is configuring them correctly and operating them continuously, which is where most UAE businesses fall behind.

FAQs

What is the single most effective control against email-based attacks?

Phishing-resistant MFA on every account. FIDO2 security keys defeat the AiTM credential-theft attacks that are now the dominant pattern. If you do nothing else, do this.

Is Microsoft Defender for Office 365 enough or do we need a third-party email gateway?

Defender for Office 365 Plan 2 is enterprise-grade and adequate for most UAE businesses. Third-party gateways (Mimecast, Proofpoint, Abnormal Security) add value at the high end for organisations with specific requirements or as a defence-in-depth layer. Start with Defender configured properly before adding a second gateway.

How often should we run phishing simulations?

Quarterly minimum. The goal is a trend (click rate over time, reporting rate over time), not a single number. Tie the simulations to role-based micro-training, not generic mass training.

What is DMARC and why does it matter?

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells email receivers what to do when a message claims to come from your domain but fails SPF or DKIM checks. At p=reject, those messages are rejected before delivery, which kills domain-spoofed phishing. UAE business adoption of DMARC at p=reject is still low; if your domain is not at p=reject, that is the highest-impact email security action you can take this quarter.
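The DMARC decision described here (and relied on by the p=reject control in sections 1 and the baseline list) is a small, deterministic evaluation: authentication results plus alignment against the From: header domain, then the published policy. The following is an added example written for this article, not code from the original post, that performs that evaluation the way a receiving mail server does. The record, domains and authentication results are constructed; example.ae is a placeholder for the business's own domain. Three simplifications are assumptions of this example: the organisational domain is taken as the last two labels, the record is assumed to have been published at the organisational domain, and the pct= tag is not modelled.

```python
"""Evaluate a message against a DMARC record the way a receiving MTA does.

Added example for this article, not code from the original post. The record,
domains and authentication results below are constructed; 'example.ae' is a
placeholder for the business's own domain. Assumptions: organisational
domain = last two labels, the record lives at the organisational domain, and
the pct= tag is not modelled.
"""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record: str, header_from: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: Optional[str]) -> tuple:
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= value of a verified signature, or None if unsigned.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(header_from, dkim_domain, tags.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    policy = tags["p"]
    # A subdomain in the From: header uses sp= when the org domain publishes one.
    if header_from.lower() != org_domain(header_from) and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.ae"

SCENARIOS = {  # constructed: name -> (From: domain, SPF result, MAIL FROM domain, DKIM result, d=)
    "spoof, attacker infra":  ("example.ae",    "pass", "bulk-mailer.example", "none", None),
    "legit, signed":          ("example.ae",    "pass", "example.ae",          "pass", "example.ae"),
    "legit, third-party SPF": ("example.ae",    "pass", "mail.example.ae",     "none", None),
    "strict DKIM mismatch":   ("example.ae",    "fail", "bulk-mailer.example", "pass", "mail.example.ae"),
    "subdomain spoof":        ("hr.example.ae", "fail", "bulk-mailer.example", "none", None),
}


def run_scenarios(record=RECORD, scenarios=SCENARIOS) -> dict:
    """Evaluate every constructed scenario against the record."""
    return {name: evaluate(record, *args) for name, args in scenarios.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_scenarios().items():
        print(f"{name:24} dmarc={result:4} disposition={disposition}")
```

The first scenario is the spoof the article is concerned with: SPF passes for the attacker's own sending domain, but nothing aligns with the From: header, so p=reject discards it. The "strict DKIM mismatch" scenario shows why adkim=s needs care before you move to p=reject: a legitimate relay signing with a subdomain key stops aligning, which is the kind of misconfiguration that leaves many domains parked at p=none.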

How do we know if our mailbox has been compromised?

Indicators include impossible-travel sign-ins, new mailbox forwarding rules to external addresses, suspicious sent items the user does not remember, MFA reset events, and unexpected app-consent grants. Microsoft 365 admins should monitor these continuously, ideally through a SOC.
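The indicators listed here, and the SOC monitoring bullet under conversation hijacking, come down to a few checks over the audit trail. The following is an added example written for this article, not code from the original post, that runs three of them over constructed sample events: impossible travel between consecutive sign-ins, inbox rules that forward outside the organisation, and OAuth app-consent grants. The event schema is a simplified assumption for this example (field names like 'time', 'user', 'op', 'params', 'lat', 'lon' are not the exact unified-audit-log export), the coordinates are assumed to come from a prior IP-to-location lookup, and example.ae is a placeholder for the business's own domain.

```python
"""Triage Microsoft 365 audit events for the mailbox-compromise indicators above.

Added example for this article, not code from the original post. EVENTS is
constructed sample input with a simplified schema: the field names ('time',
'user', 'op', 'params', 'lat', 'lon') are assumptions for this example, not the
exact unified-audit-log export, and the coordinates are assumed to come from a
prior IP-to-location lookup. Operation names follow the audit-log style
('UserLoggedIn', 'New-InboxRule', 'Consent to application.').
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"example.ae"}   # constructed placeholder for the business's own domain
MAX_PLAUSIBLE_KMH = 900             # faster than this between two sign-ins is not travel
MIN_DISTANCE_KM = 50                # ignore geo-IP jitter inside one metro area

EVENTS = [  # constructed, time-ordered audit events; IPs are documentation ranges
    {"time": "2026-05-14T08:55:00", "user": "cfo@example.ae", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "lat": 25.2, "lon": 55.3},                        # Dubai
    {"time": "2026-05-14T09:20:00", "user": "cfo@example.ae", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "lat": 52.5, "lon": 13.4},                        # Berlin, 25 min later
    {"time": "2026-05-14T09:22:00", "user": "cfo@example.ae", "op": "New-InboxRule",
     "ip": "198.51.100.7",
     "params": {"Name": "Keep", "ForwardTo": "archive@mail-example.com", "DeleteMessage": "True"}},
    {"time": "2026-05-14T09:30:00", "user": "cfo@example.ae", "op": "Consent to application.",
     "ip": "198.51.100.7", "params": {"AppDisplayName": "Mail Sync Helper"}},
    {"time": "2026-05-14T10:00:00", "user": "analyst@example.ae", "op": "New-InboxRule",
     "ip": "203.0.113.11", "params": {"Name": "file invoices", "MoveToFolder": "Invoices"}},
]

FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH) -> list:
    """Flag consecutive sign-ins by one user that imply an impossible speed."""
    alerts, last_seen = [], {}
    for e in events:
        if e["op"] != "UserLoggedIn":
            continue
        now = datetime.fromisoformat(e["time"])
        prev = last_seen.get(e["user"])
        if prev is not None:
            prev_time, prev_lat, prev_lon = prev
            hours = (now - prev_time).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, e["lat"], e["lon"])
            if km > MIN_DISTANCE_KM and km > max_kmh * hours:
                alerts.append({"type": "impossible_travel", "user": e["user"],
                               "km": round(km), "hours": round(hours, 2), "ip": e["ip"]})
        last_seen[e["user"]] = (now, e["lat"], e["lon"])
    return alerts


def detect_external_forwarding(events, internal_domains=INTERNAL_DOMAINS) -> list:
    """Flag inbox rules or mailbox settings that forward mail outside the organisation."""
    alerts = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        params = e.get("params", {})
        targets = [params[k] for k in FORWARDING_PARAMS if k in params]
        external = [t for t in targets if t.split("@")[-1].lower() not in internal_domains]
        if external:
            alerts.append({"type": "external_forwarding", "user": e["user"], "targets": external,
                           "deletes_original": params.get("DeleteMessage") == "True"})
    return alerts


def detect_app_consent(events) -> list:
    """Flag OAuth consent grants: a mailbox foothold that survives a password reset."""
    return [{"type": "app_consent", "user": e["user"],
             "app": e.get("params", {}).get("AppDisplayName")}
            for e in events if e["op"] == "Consent to application."]


def triage(events=EVENTS, internal_domains=INTERNAL_DOMAINS) -> list:
    """Run every detector and return the combined alert list."""
    return (detect_impossible_travel(events)
            + detect_external_forwarding(events, internal_domains)
            + detect_app_consent(events))


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

On the sample data all three alerts land on the same account within 35 minutes, which is the cluster a SOC should treat as one incident rather than three tickets; the analyst's rule that only moves mail to a folder is correctly left alone. A forwarding rule that also sets DeleteMessage is worth a higher severity, because it hides the attacker's correspondence from the mailbox owner.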

If you want a free email-security audit covering DMARC, Defender for Office 365 configuration, MFA posture, and conditional access policies, contact us or call +971 56 613 2743. The audit runs in one week and delivers a written gap report with prioritised remediation.
