
Defending Against the Rise of Voice-Based Phishing and Recovery Sabotage

AI-powered voice phishing and identity attacks now dominate cyber breaches, with Middle East firms facing rising recovery sabotage risks, says Mohamed Ashoor, Country Manager at ADG for Bahrain.

Mohamed Ashoor, Country Manager for Bahrain, Accelera Digital Group

The global cyber threat landscape is undergoing a rapid transition. Threats that once centred on the email inbox have now moved deep into the organisation’s core infrastructure and identity layers.

Attackers are no longer simply trying to trick employees into clicking malicious links, but actively manipulating human trust, compromising identity systems and sabotaging recovery capabilities to ensure maximum operational disruption.

According to the Mandiant M-Trends 2026 report, produced with Google Cloud Security, highly interactive voice-based social engineering now accounts for 11% of all initial intrusions, making it the second-most common infection vector globally.

This marks a decisive evolution in attacker behaviour, where instead of relying on mass-sent phishing emails, adversaries are calling employees directly, impersonating colleagues or IT support, and persuading them to reset passwords, approve MFA prompts, or grant access to sensitive systems.

“Voice-based phishing is effective because it targets the one control that attackers know they can still bypass – human trust. Technical defences have improved, but people remain the most direct route into an organisation’s identity layer,” according to Mohamed Ashoor, Accelera Digital Group (ADG) Country Manager for Bahrain.

Why the Middle East is a Prime Target

The Middle East, with its concentration of high-value organisations in finance, high tech, energy and government, is experiencing this shift acutely.

The M-Trends 2026 data shows that high-tech organisations accounted for 17% of all observed incidents, with the financial sector close behind at 14.6%. These industries dominate the region’s economic landscape, making them attractive targets for adversaries seeking both financial gain and geopolitical leverage.

Compounding the challenge is the rise of sophisticated espionage groups. Globally, these groups have doubled in prevalence to 16%, prioritising long-term stealth and the exploitation of unmonitored edge devices. These devices – often routers, Internet of Things (IoT) sensors, remote access points and unmanaged appliances – sit outside traditional monitoring frameworks, giving attackers a foothold that can persist for months.

“The region’s digital transformation has been rapid, but that also means the attack surface has expanded. Edge devices, cloud identities and remote access systems are now the new battlegrounds,” says Ashoor.

The New Point of Failure

Voice phishing, or ‘vishing’, is not new, but this level of sophistication is.

Attackers now use real-time social engineering, AI-generated voice cloning, and detailed reconnaissance to manipulate employees into granting access. The M-Trends 2026 report shows that attackers frequently impersonate IT help desks, requesting password resets or multi-factor authentication (MFA) changes to take over accounts.

This is especially dangerous because identity-based attacks now cause over half of confirmed incidents worldwide. Once attackers access identity systems, they can move laterally, escalate privileges, and disable security controls, often without triggering alerts.

“Identity is the new perimeter, because when attackers compromise your identity layer, they don’t just get access, they also get legitimacy inside your environment,” Ashoor points out. 

Recovery Sabotage – the Silent Crisis

The M-Trends 2026 report warns that attackers are no longer just encrypting data – they are also crippling recovery by targeting backups, identity systems and virtualisation, creating a ‘recovery deadlock’.

These tactics are designed to leave organisations with no safe path to restoration, dramatically increasing downtime and forcing difficult negotiations.

“A production compromise is bad. But a compromise that also destroys your recovery capability is catastrophic. That’s the scenario attackers are now engineering,” Ashoor warns.

Disaster Recovery (DR) was built for physical failures, accidental outages and natural disasters, not for adversaries who deliberately sabotage recovery processes. DR assumes that backups are intact, identity systems are trustworthy, and recovery environments are uncompromised.

Cyber recovery, by contrast, assumes the opposite. It requires isolated, immutable recovery environments, decoupled identity and management layers, clean, verifiable backups stored outside the blast radius, automated rebuild processes for identity systems, and rigorous testing under adversarial conditions.

“Organisations must accept that identity and recovery are now strategic assets. You cannot rely on the same environment that was compromised to help you recover from that compromise,” says Ashoor. 

Decoupling Identity and Management

A key recommendation in modern cyber resilience is separating identity from management. This ensures that if one system is compromised, the other is not automatically affected.

This approach is essential because attackers increasingly target identity providers first. In cloud environments, voice phishing accounted for 23% of initial infection vectors, Mandiant’s report shows, making it the number-one entry point for cloud-related compromises.

To counter recovery sabotage, organisations must establish isolated, immutable recovery environments that cannot be altered by attackers during or after a breach. 

This ensures that even if production systems are compromised, recovery remains possible. Recovery must be treated as a protected asset. 

A New Era of Cyber Defence

The rise of voice-based phishing and recovery sabotage marks a turning point in cyber defence. Attackers are exploiting human trust, targeting identity systems, and undermining recovery capabilities with unprecedented precision.

For organisations in the Middle East – particularly in finance and high tech – the stakes could not be higher.

“Cyber resilience is no longer about preventing attacks. It’s about ensuring that when attackers get in, you can still recover. Identity, isolation and immutable recovery are now the pillars of modern defence.”
