While phishing threats are real, the modern workplace rarely looks like a place where danger arrives in a hoodie.
There are no flickering screens, no cinematic hackers typing at impossible speed. Instead, there are calendar invites that look routine, Teams messages that mimic a colleague’s tone, and emails that land mid-afternoon with just enough familiarity to slip past a second glance. The threat, increasingly, doesn’t announce itself. It just joins the meeting.
That’s the picture emerging from KnowBe4’s latest 2026 Phishing Threat Trends Report (Vol. 7), which points to a sharp escalation in how cybercriminals are operating – and where they’re choosing to show up.
The headline figure is hard to ignore: 86% of phishing attacks are now AI-driven. But the more unsettling shift isn’t just the use of artificial intelligence. It’s where those attacks are landing.
For years, phishing had a fairly predictable home base – the inbox. Now, that perimeter has quietly expanded. Microsoft Teams messages, shared calendars, and collaboration tools are increasingly part of the attack surface. In other words, the same platforms used to ask about deadlines or schedule meetings are now being used to stage them under false pretences.
It’s phishing, just with better social skills.
According to the report, there’s been a 17.1% increase in phishing attacks over the past six months alone, alongside a 49% rise in calendar invite phishing and a 41% surge in Microsoft Teams-based attacks. What used to feel like isolated attempts at deception is becoming more coordinated, more layered, and more familiar in tone.
One of the more telling shifts is the rise of internal impersonation, which now appears in 30% of attacks. Instead of pretending to be an external bank or unknown sender, attackers are increasingly posing as colleagues. The message doesn’t feel suspicious because it doesn’t feel foreign. It reads like something already part of the working day.
In many ways, that’s the point.
As Jack Chapman, SVP of Threat Intelligence at KnowBe4, notes, the inbox is no longer the only front line for social engineering. Cybercriminals are following workplace behaviour, embedding themselves in the same tools teams rely on to collaborate in real time. The attack no longer interrupts work – it blends into it.
And while email remains in play, the broader trend is unmistakable: phishing is no longer a single-channel problem. It’s becoming multi-channel by design.
The report highlights a 139% growth in the use of reverse proxies to steal Microsoft 365 credentials, alongside a growing reliance on coordinated tactics that span multiple platforms. Rather than relying on one convincing message, attackers are building sequences – messages that reinforce each other across email, messaging apps, and calendar systems to build trust over time.
Trust, in this context, is the real target.
Industries most affected include finance, legal, healthcare, logistics and insurance – sectors where information moves quickly and where collaboration tools sit at the centre of daily workflows. Hybrid work environments, particularly those built around Microsoft 365, are proving to be fertile ground for these kinds of attacks, largely because the tools themselves prioritise fast, seamless communication that cybercriminals now exploit.
Unfortunately, that same ease is what makes impersonation harder to spot.
There’s also a broader behavioural shift underway. The report suggests phishing is becoming more disciplined and persistent, rather than opportunistic. AI is playing a central role here, enabling attackers to scale their efforts while refining tone, timing, and targeting. Messages are less likely to feel generic and more likely to feel like they were written by someone who knows exactly how the organisation speaks.
In practice, that means the warning signs people were trained to look for – odd phrasing, obvious errors, unfamiliar senders – are becoming less reliable.
Chapman describes this evolution as a move toward increasingly targeted social engineering, where the distinction between legitimate and malicious becomes harder to define. When a calendar invite looks like it came from a manager, or a Teams message mirrors internal language patterns, hesitation tends to disappear.
And that hesitation – or lack of it – is often what determines whether an attack succeeds.
For many organisations across Australia and New Zealand, particularly those relying on Microsoft 365 and distributed teams, this shift exposes a gap between how security is traditionally framed and how work actually happens. Training and controls have historically centred on email. The threat environment no longer does.
Even the mechanics of attack have changed. A message is rarely just a message anymore. It can be a stepping stone – a calendar hold that leads to a credential request, or a Teams conversation that mirrors an internal approval chain. Each interaction is small on its own. Together, they build legitimacy.
The implication is not that existing security measures are obsolete, but that they’re increasingly incomplete if they stop at the inbox.
KnowBe4’s report positions this moment as a turning point: not just in how phishing is executed, but in how organisations need to think about presence, identity, and trust across digital workplaces. Security is no longer about filtering what comes in. It’s about recognising what already looks like it belongs.
The modern phishing attack doesn’t break down the door. It joins the meeting, sits quietly in the calendar, and waits for someone to say yes.
