SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Phishing surge targets Gulf after Iran-Israel tensions

Thu, 26th Mar 2026

Bitdefender has published research showing a 130% rise in phishing and malware campaigns targeting Gulf countries following the escalation involving Iran, Israel and the United States.

The research identified a clear turning point from February 28, when malicious email activity began climbing sharply. Within days, volumes had doubled and remained above previous levels, with peaks reaching nearly four times the earlier baseline.

The findings point to a sustained shift in attacker behaviour rather than a brief surge tied to a single event. Activity was concentrated in Gulf markets that offer pathways into financial and energy networks, as well as broader international trade links.

That focus has implications beyond the region. Australian organisations in defence, government, critical infrastructure and supply chains should pay attention, as similar methods can be redirected quickly to other countries and sectors.

Conflict themes

The report found attackers are relying on social engineering built around ordinary business processes rather than broad, generic spam. Typical lures include invoices, contract changes, banking messages and delivery notices, designed to appear routine within corporate email traffic.

Some emails impersonated financial institutions or government bodies. They referred to loan approvals, legal notices or urgent account actions to push recipients into responding quickly.

Bitdefender said this shift in style makes the attacks harder to spot because they mirror real workflows and current geopolitical conditions. Conflict-driven narratives, disrupted supply chains and financial uncertainty are now part of the social engineering approach.

Attack methods

Beyond the initial phishing stage, the research described broader use of multi-stage attack chains designed to maintain access and avoid detection. These campaigns used remote access trojans, spyware and fileless techniques run through PowerShell, allowing malicious activity to operate in memory with little forensic trace.

One campaign cited in the research used a fake invoice attachment to deliver an obfuscated Java-based remote access trojan. Once opened, the malware established persistence through startup folders and scheduled tasks while communicating with command-and-control infrastructure tied to domains referencing the conflict.

Bitdefender said these methods can help attackers maintain long-term access, move across networks and prepare for more complex activity. It did not attribute the campaigns directly to state-backed actors, but said the infrastructure, timing and themes showed how quickly cybercriminal groups can adapt to geopolitical events.
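
The persistence behaviour in the invoice campaign described above can be turned into simple endpoint detection rules. The following is an added example, not code from Bitdefender's research or from this article; the event fields, file names and rule names are assumptions, and the sample events are constructed.

```python
# Constructed endpoint events (process and file creation); not taken from the research.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "outlook.exe", "image": "javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\a\AppData\Local\Temp\Invoice_0326.jar"'},
    {"type": "file", "image": "javaw.exe",
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.jar"},
    {"type": "process", "parent": "javaw.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /sc onlogon /tr "javaw -jar C:\Users\a\upd.jar"'},
    {"type": "process", "parent": "explorer.exe", "image": "javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Program Files\Tool\tool.jar"'},   # benign launch
    {"type": "process", "parent": "services.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /query /fo list"},                          # benign query
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed mail client process names
JAVA = {"java.exe", "javaw.exe"}
STARTUP = r"\start menu\programs\startup" + "\\"    # per-user and all-users Startup folders


def classify(ev):
    """Return the name of the rule an event matches, or None."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "process":
        # A mail client starting Java on a .jar: an opened attachment.
        if image in JAVA and parent in MAIL_CLIENTS and ".jar" in cmd:
            return "java_jar_from_mail_client"
        # A scheduled task created by Java, or one that launches a .jar.
        if image == "schtasks.exe" and "/create" in cmd and (parent in JAVA or ".jar" in cmd):
            return "scheduled_task_for_jar"
    elif ev["type"] == "file":
        # Java dropping a file into a Startup folder.
        if STARTUP in ev.get("target", "").lower() and image in JAVA:
            return "java_write_to_startup_folder"
    return None


def detect(events):
    """Return (event index, rule name) for every event that matches a rule."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := classify(ev))]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(idx, rule)
```

All three rules firing on one host within a short window is a stronger signal than any single match, since legitimate Java tools occasionally trigger one of them alone.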

Australian risk

For Australian organisations, the findings reflect a broader pattern in which attackers use international instability to test and refine techniques before deploying them elsewhere. Sectors linked to defence supply chains, energy markets and international trade may face particular exposure because they already align with the commercial themes used in the campaigns.

The report suggests phishing remains the main route into more advanced compromises, even when later stages involve more sophisticated malware or stealth techniques. What changes is the wording, timing and context of the lure, not the underlying objective of stealing credentials, committing fraud or gaining access to business systems.

Bitdefender advised organisations to treat routine business emails with caution during periods of geopolitical tension. Unexpected attachments, compressed files and urgent requests should be checked through trusted channels, and links should be verified before opening.

It also advised keeping systems updated and using security tools that can detect fileless and multi-stage attacks, as phishing remains the main entry point for broader compromise.