A sophisticated phishing attack has recently put companies on alert, especially those operating in the Middle East. Malicious actors hijacked an ongoing email thread between high-level executives and planted a phishing link that mimicked a Microsoft authentication form, a clever piece of social engineering.
The Ingenious Identity Theft Technique
The attack began with a compromised sales manager account at a contracting company, allowing the insertion of a malicious message into a legitimate conversation. This tactic, which exploits trust and communication within organizations, has proven to be particularly effective, as attackers took advantage of genuine emails between employees to create an appearance of normalcy in their phishing emails.
Researchers have linked the incursion to a campaign active since December 2025, which has primarily targeted companies in the financial and energy sectors in the region. The investigation revealed the use of EvilProxy, a phishing tool that evades traditional detection by introducing a proxy system that allows attackers to operate undetected.
This type of attack exploits not only technical vulnerabilities but also human workflows: the emails look flawless, which makes them harder for filtering systems like DMARC to detect. As remote work becomes the norm and asynchronous approval processes become common, companies face an increased risk of compromise.
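The following is an added example, not code from the original report or from any vendor: a Python heuristic showing why a DMARC pass alone does not clear a reply sent into an existing thread from a compromised account. The sample messages, the domains, the sign-in host allowlist and the wording patterns are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately serve a Microsoft sign-in form.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Assumed wording heuristics: anchor text must name the brand AND ask for sign-in.
BRAND = re.compile(r"microsoft|office ?365|outlook", re.I)
AUTH = re.compile(r"sign[ -]?in|log[ -]?in|verify", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def assess(raw):
    """Flag in-thread replies whose Microsoft sign-in lure points off the allowlist."""
    msg = message_from_string(raw)
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    # A compromised real mailbox passes sender authentication, so this is recorded
    # for context only and is never used to clear the message.
    dmarc_pass = "dmarc=pass" in (msg.get("Authentication-Results") or "").lower()
    suspicious = []
    for url, text in HREF.findall(msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if BRAND.search(text) and AUTH.search(text) and host not in MS_LOGIN_HOSTS:
            suspicious.append(host)
    return {"in_thread": in_thread, "dmarc_pass": dmarc_pass,
            "suspicious_hosts": suspicious, "flag": in_thread and bool(suspicious)}

# Constructed sample: a reply from a compromised contractor mailbox (not real data).
HIJACKED = """\
From: Sales Manager <sales.manager@contractor.example>
To: cfo@victim.example
Subject: RE: Q1 contract approval
In-Reply-To: <thread-123@victim.example>
References: <thread-123@victim.example>
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html

<p>Revised terms are ready for approval.</p>
<a href="https://login.example-portal.test/common/oauth2">Sign in with Microsoft to view</a>
"""
# Constructed control: the same reply, but the link goes to an allowlisted host.
LEGIT = HIJACKED.replace("login.example-portal.test", "login.microsoftonline.com")

if __name__ == "__main__":
    for name, raw in (("hijacked", HIJACKED), ("legit", LEGIT)):
        print(name, assess(raw))
```

The point of the result is that `dmarc_pass` is true for both messages, so the verdict has to come from where the sign-in link actually leads.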

The importance of having adequate defense measures has grown significantly. Tools like ANY.RUN provide the ability to detect phishing behaviors in real time, shortening incident response times and strengthening corporate cybersecurity.