Device code scams and AI-crafted lures fuel rise in identity-based cybercrime

Last updated: June 16, 2026 | 08:00

The UAE Cybersecurity Council has reported that more than 75% of cyber breaches in the country begin with phishing emails or fraudulent messages, cementing credential theft as the single most common entry point for attackers.

Dubai: Credential phishing remains one of the most effective techniques in the cybercriminal toolkit, serving as the launchpad for everything from account takeovers and financial fraud to ransomware and corporate espionage.

While the objective remains the same, cybersecurity experts warn that the methods used to steal these credentials have evolved dramatically.

How credential attacks work

A credential-based attack exploits stolen, guessed, or phished authentication credentials to gain unauthorised access to systems or data. "These attacks typically target usernames, passwords, tokens, or session keys to impersonate legitimate users and bypass defences. Credential attacks are amongst the most common types of attacks and are rising in volume and sophistication globally and in the UAE," Haider Pasha, VP & Chief Security Officer (CSO), EMEA, Palo Alto Networks, told Gulf News.

The rise of device code phishing

According to Kenan Abu Ltaif, Regional Lead for the Middle East and Turkey at Proofpoint, the sophistication of these attacks has shifted.

"Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week," Ltaif stated.

Unlike traditional phishing, which relies on tricking a user into typing their password into a fake form, device code phishing exploits legitimate authentication flows that users encounter daily.

"Instead, it exploits legitimate authentication flows... to capture tokens that give attackers persistent access to accounts even after passwords are changed. That's a meaningful evolution," Ltaif explained.

To lower a target's guard, attackers are increasingly leveraging trusted contexts. "By impersonating HR teams, government entities, and widely used platforms like DocuSign and Microsoft, cybercriminals eliminate the typical red flags that might otherwise cause an employee to pause," he said.

Attackers are also increasingly leaning into trusted contexts to lower a target's guard. Impersonation of HR teams, government entities, and familiar platforms like DocuSign and Microsoft removes the friction that might otherwise make someone pause.
Kenan Abu Ltaif, Regional Lead, Middle East and Turkey at Proofpoint

One hacked account threatens everyone

Globally, the fallout from a single compromised corporate account has escalated. Research from Proofpoint reveals that in 83 per cent of confirmed account takeover cases, attackers did not stop at initial access. "Instead, they utilised the compromised account to launch secondary attacks - impersonating the account owner to target colleagues, external partners, and suppliers. Consequently, a stolen credential is no longer isolated to a single person's inbox, it serves as a dangerous foothold into the entire connected business ecosystem," Ltaif said.

Microsoft 365 dominates roughly 77 per cent of the business market, making it a prime target for hackers.

"Compromising just one Microsoft account gives attackers access to far more than email," Ltaif noted. "They get into files, internal chats, calendars, and connected business systems through a single identity."

This vulnerability is heavily exploited through device code phishing. The tactic manipulates a real Microsoft login feature, originally designed to help users sign in easily on devices without full web browsers. By abusing this legitimate process, hackers make their fake login requests look completely authentic.

UAE organisations face higher breach rates

The scale of identity-based cybercrime in the region is reflected in recent data. A study from CyberArk, a Palo Alto Networks company, revealed that 92 per cent of UAE organisations experienced at least three successful identity-related breaches in the 12 months leading up to April 2026. This figure is notably higher than the EMEA (Europe, the Middle East, and Africa) average of 80 per cent.

"A credential-based attack exploits stolen, guessed, or phished authentication credentials to gain unauthorised access to systems or data. These attacks typically target usernames, passwords, tokens, or session keys to impersonate legitimate users and bypass defences," Pasha noted.

How to protect yourself

As credential attacks grow in volume and sophistication across the UAE, defending corporate and personal data requires heightened vigilance.

Pasha explained that as cyberattacks become more complex, individuals must adopt strict digital hygiene. This includes:

Use unique passwords: Never reuse the same password across different accounts.
Turn on Multi-Factor Authentication (MFA): Always use extra security checks (like a code sent to your phone) whenever available.
Watch out for urgency: Be highly suspicious of unexpected emails or calls that demand you act immediately.

The integration of emerging technologies has further complicated the threat landscape. "This type of social engineering attack has increased as cybercriminals use generative AI to help craft plausible ruses to steal data and credentials, making it vital for individuals to remain vigilant," Pasha said.
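
For organisations, the device code abuse described above can also be watched for in sign-in logs. The following is an added example, not part of the original article: it flags successful device code sign-ins by accounts that are not expected to use browserless devices. The records are constructed, and the field names (`user`, `protocol`, `status`, `country`) and the allow-list are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: accounts expected to use device code sign-in, e.g. shared
# displays or kiosks that have no full web browser.
ALLOWED = {"room-display@example.test"}

# Constructed sign-in records. Field names are assumptions modelled on
# identity-provider sign-in logs; none of this is real export data.
SIGN_INS = [
    {"time": "2026-06-01T08:02:11", "user": "room-display@example.test",
     "protocol": "deviceCode", "status": "success", "country": "AE"},
    {"time": "2026-06-01T09:15:00", "user": "analyst@example.test",
     "protocol": "oAuth2", "status": "success", "country": "AE"},
    {"time": "2026-06-01T09:21:30", "user": "Analyst@example.test",
     "protocol": "deviceCode", "status": "success", "country": "NL"},
    {"time": "2026-06-01T11:05:42", "user": "hr.lead@example.test",
     "protocol": "deviceCode", "status": "failure", "country": "AE"},
    {"time": "2026-06-01T14:40:09", "user": "finance@example.test",
     "protocol": "deviceCode", "status": "success", "country": "AE"},
]


def find_device_code_alerts(records, allowed=ALLOWED, window=timedelta(hours=1)):
    """Flag successful device code sign-ins by accounts not on the allow-list.

    Severity is "high" when the same user also signed in by another protocol
    from a different country within `window`; otherwise "medium".
    """
    alerts = []
    for rec in records:
        user = rec["user"].lower()  # log sources differ in casing
        if (rec["protocol"] != "deviceCode" or rec["status"] != "success"
                or user in allowed):
            continue
        when = datetime.fromisoformat(rec["time"])
        elsewhere = any(
            other["user"].lower() == user
            and other["protocol"] != "deviceCode"
            and other["country"] != rec["country"]
            and abs(datetime.fromisoformat(other["time"]) - when) <= window
            for other in records
        )
        alerts.append({"user": user, "time": rec["time"],
                       "country": rec["country"],
                       "severity": "high" if elsewhere else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_alerts(SIGN_INS):
        print(alert)
```

Because the captured tokens stay valid after a password change, as the article notes, responding to a hit means revoking the account's sessions and tokens as well as resetting the password.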
Why 92% of UAE businesses are falling victim to this rising cyber threat
UAE faces a surge in credential phishing as device code attacks and AI-crafted scams bypass defences. Learn why these threats are harder to detect and how to stay safe.









