KnowBe4’s Phishing Threat Trends Report Volume Seven painted a worrying picture of how cybercriminals are upgrading social engineering from a single-click nuisance into a coordinated, multi-channel operation. The headline figure is stark: the report finds that 86% of phishing attacks are AI-driven.
For CISOs, the change is not merely “more phishing”. It is a shift in where phishing happens and how it is orchestrated. Jack Chapman, SVP of Threat Intelligence at KnowBe4, warned that “the inbox is no longer the only front line” for coordinated social engineering. Attackers are abandoning the idea that an email is the whole battlefield.
Collaboration flows become the new battlefield
Instead, attackers are inserting themselves into collaboration flows – using calendar invitations and messaging tools – to blend into everyday work routines. KnowBe4’s own metrics show that attackers are escalating with discipline and persistence. Over the last six months, the report highlights a 49% increase in calendar invite phishing, and a 41% escalation in Microsoft Teams attacks.
At the credential theft layer, it also flags a 139% surge in the use of reverse proxies to steal Microsoft 365 credentials – an approach that can make malicious authentication flows harder to spot and easier to funnel through infrastructure that appears legitimate.
This matters because modern phishing increasingly behaves like an operational campaign, not a one-off lure. The report describes a move from single-vector attacks to multi-channel orchestration, where an organisation’s real-time tools (Teams, calendars, chat workflows) are leveraged to increase the likelihood of trust-based mistakes.
Internal impersonation rises
Even more concerning is the report’s evidence of targeting at the human layer: internal team impersonation appeared in 30% of attacks in Q1 2026, according to KnowBe4’s findings. The outcome is not only higher volume but higher credibility – messages that look as if they belong inside the organisation.
Third-party coverage reinforces the broader direction of travel. The Register summarised KnowBe4’s findings on AI-driven phishing and the growth in calendar and Teams-based lures, framing it as a modern phishing shift consistent with “AI-powered” campaign tactics.
Identity as the new perimeter

Darren Guccione, CEO and co-founder of Keeper Security, says the KnowBe4 report confirms what security teams across Southeast Asia are already beginning to feel: phishing has evolved beyond the inbox.
He noted that calendar invite phishing is up 49%, Microsoft Teams attacks have escalated 41%, and the use of reverse proxies to steal Microsoft 365 credentials – techniques that capture active session tokens and bypass MFA entirely – has surged 139% in the past six months alone. In nearly a third of attacks, threat actors are now impersonating trusted colleagues from inside the organisation.
For organisations across Southeast Asia operating in hybrid Microsoft 365 environments, Guccione argued this reflects a deliberate shift in attacker strategy. “The collaboration tools that define how modern organisations work have become the new social engineering surface, and most existing security controls were simply not built for that reality.”
He added that the organisations navigating this most effectively are those that have stopped thinking about security in terms of channels and started thinking about it in terms of identity.
“When every user, device and session is continuously verified, when credentials are unique and never reused, and when privileged access is time-limited and fully audited, the attack surface that these campaigns depend on simply stops existing. AI has made social engineering faster and more convincing – but it has not changed what attackers are ultimately after. Credentials are still the prize, and identity is still the perimeter that matters most.” Darren Guccione
The ‘Agentic shift’ and multi-channel social engineering
KnowBe4’s findings strongly corroborate the macro-level data Check Point is seeing in its 2026 Cyber Security Report, particularly regarding how attackers are scaling operations and bypassing traditional perimeters.

Check Point Software Technologies CISO Jayant Dave says the finding that 86% of phishing attacks are now AI-driven is, in his words, “a stark reality check”. AI is a ‘force multiplier’ that has eliminated the human bottleneck, enabling highly targeted, culturally precise campaigns at unprecedented scale.
The 41% surge in Teams attacks and 49% increase in calendar invite phishing highlight a critical blind spot. Check Point’s telemetry points to “Multi-Channel Social Engineering” as a defining trend, with attackers targeting enterprise collaboration platforms such as Teams and Slack as “high-trust attack surfaces” where users are off guard.
Dave noted that Check Point is also seeing attackers combine proxy tactics with new methods such as “ConsentFix”, which tricks users into handing over OAuth authorisation codes to bypass MFA entirely.
Additionally, the finding that 30% of attacks now involve internal team impersonation aligns with the surge in sophisticated impersonation tactics tracked globally. Dave observed that threat groups such as Scattered Spider and ShinyHunters frequently conduct deep reconnaissance to impersonate IT support or executives, increasingly using real-time vishing alongside text-based channels.
Finally, Dave noted that while KnowBe4’s industry breakdown (finance, legal, healthcare, logistics) is consistent with global patterns, Check Point’s telemetry currently ranks the education sector as the most attacked industry – facing over 4,300 weekly attacks – due to its wealth of personal data and open network policies.
Human error remains the weak point – compounded by AI

Proofpoint senior vice president for Asia Pacific and Japan, George Lee, said the emergence of frontier AI models such as Mythos marks a structural shift in how attacks are conceived, built and deployed, compressing the time window between discovery, weaponisation and impact. However, he cautioned that software vulnerability exploits alone do not define the modern threat picture.
Across the Asia Pacific, financially motivated cybercrime is escalating, dominated by industrialised phishing, credential harvesting and cross-border fraud schemes. According to Proofpoint’s 2025 Voice of the CISO report, two in three APAC CISOs identified human error as their organisation’s greatest vulnerability.
The risks are compounding at the AI layer. Proofpoint’s 2026 AI and Human Risk Landscape Report found that 86% of organisations in APAC have deployed AI assistants beyond the pilot stage, and 74% are piloting or rolling out autonomous agents – yet 54% are not fully confident their controls would detect a compromised AI.
Moreover, Lee noted that AI does not just introduce new risks; it amplifies existing human-risk problems across email, SaaS, cloud applications and collaboration tools.
For Asia Pacific organisations, Lee argued this creates a dual reality: exploit-driven risk will rise sharply, but human-centric attacks amplified by AI will remain dominant. “Cybersecurity must focus on prevention and resilience, where intent-based protection for every human and AI workflow becomes the critical control point.”
Strategic implications for CISOs
For CISOs, the strategic implication is clear: defence cannot be inbox-only. It must cover user decision points across the workday, harden identity and authentication paths, and ensure that both humans and AI-mediated work processes are treated as part of the threat surface – exactly the “secure humans and the AI agents they utilise” theme Chapman emphasised.
