Malicious emails in one global cybersecurity firm’s user base doubled after the US-Israel hostilities against Iran started on 28 February.
Research by a cybersecurity firm suggests that a sustained escalation in cyber activity is linked to ongoing geopolitical tensions, marked by a 130% increase in phishing and malware campaigns targeting Gulf nations since late February.
The pattern intensified after renewed hostilities involving Iran, Israel, and the United States, with attackers rapidly adapting tactics to exploit the resulting instability.
Data indicates a sharp inflection point beginning 28 February, when malicious email volumes in the firm’s user base doubled in days and remained consistently higher for weeks. Also:
- At their peak, phishing messages in the user base reached nearly four times pre-conflict baselines, signaling a long-term operational shift rather than a short-lived surge.
- Much of the activity targeted financial and energy infrastructure in the Gulf — industries directly tied to global trade and supply chains.
- Attackers are applying more realistic social engineering, embedding lures within routine business correspondence such as invoices, contract renewals, and delivery notifications. Campaigns often mimicked legitimate institutions, including banks and government agencies, using procedural language and urgency to coerce quick action.
- This focus on operational realism marks a shift from traditional “copy-paste” phishing to campaigns that replicate real workflows almost seamlessly.
- The research also suggests increased reliance on multi-stage and fileless attack chains. Threat actors are deploying remote access trojans, spyware, and PowerShell-based payloads designed to execute in memory and evade detection.
One campaign utilized a fake invoice that deployed a Java-based trojan, establishing persistence via scheduled tasks and connecting to external infrastructure themed around current conflicts.
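As an added example (not from the research itself), the following Python applies three command-line checks to process-creation events for the chain described above: a scheduled task whose action runs a Java archive, a JAR launched from a user-writable directory, and PowerShell started with an encoded command. The sample events, rule names and paths are constructed assumptions.

```python
import re

# Constructed process-creation events (image, command line); not from the research.
SAMPLE_EVENTS = [
    ("schtasks.exe", r'schtasks /create /tn "Updater" /sc onlogon /tr "javaw -jar C:\Users\amal\AppData\Roaming\inv\invoice.jar"'),
    ("schtasks.exe", r'schtasks /create /tn "Backup" /sc daily /tr "C:\Program Files\Backup\run.exe"'),
    ("powershell.exe", "powershell -NoProfile -WindowStyle Hidden -EncodedCommand <constructed-placeholder>"),
    ("powershell.exe", r"powershell -File C:\Scripts\inventory.ps1"),
    ("javaw.exe", r'javaw -jar "C:\Users\amal\Downloads\Invoice_0412.jar"'),
]

# Directories a standard user can write to (assumed list; tune per environment).
USER_WRITABLE = re.compile(r"\\(appdata|downloads|temp|public)\\", re.I)
JAVA_JAR = re.compile(r"\bjavaw?(\.exe)?\b.*-jar\b", re.I)

def is_encoded_flag(tok):
    """True for -EncodedCommand, any prefix of it (-e, -enc, ...) or -ec."""
    t = tok[1:].lower()
    return tok.startswith("-") and (t == "ec" or (len(t) > 0 and "encodedcommand".startswith(t)))

def findings(image, cmdline):
    """Return the names of the rules that one process-creation event trips."""
    img, hits = image.lower(), []
    if img == "schtasks.exe" and re.search(r"/create\b", cmdline, re.I):
        # Inspect only the task action (/tr), i.e. what will run at each trigger.
        m = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
        action = m.group(1) if m else ""
        if JAVA_JAR.search(action):
            hits.append("task-runs-jar")
        if USER_WRITABLE.search(action):
            hits.append("task-user-writable-path")
    elif img in ("java.exe", "javaw.exe"):
        if JAVA_JAR.search(cmdline) and USER_WRITABLE.search(cmdline):
            hits.append("jar-from-user-writable-path")
    elif img in ("powershell.exe", "pwsh.exe"):
        if any(is_encoded_flag(t) for t in cmdline.split()[1:]):
            hits.append("ps-encoded-command")
    return hits

def triage(events):
    """Return (event index, rule names) for every event with at least one hit."""
    return [(i, h) for i, (img, cmd) in enumerate(events) if (h := findings(img, cmd))]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx][0], rules)
```

These are command-line heuristics only; in-memory execution after the initial launch needs script-block logging or EDR telemetry to observe.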
While direct attribution remains inconclusive, the timing, targeting, and technical patterns suggest both criminal and state-aligned actors are leveraging geopolitical unrest to refine and expand operations.
The findings come from Bitdefender, which warns that these methods can quickly extend beyond the Middle East to global defense, energy, and trade networks.


