Report by KnowBe4
Phishing Threat Trend Report
Key Findings
3,829 days - average domain age for phishing attacks getting through.
Between September 15, 2024 and February 14, 2025, there was a 49.9% increase in phishing emails sent from compromised accounts.
20% of phishing emails between September 15, 2024 and February 14, 2025 relied solely on social engineering.
Most polymorphic phishing emails are sent from compromised accounts (52%), followed by phishing domains (25%), and webmail (20%).
There was a 17.3% increase in phishing emails between September 15, 2024 and February 14, 2025 compared to the previous six months.
81.9% of phishing victims had their emails leaked in previous breaches.
The phishing hyperlink, malware, and social engineering payloads getting through traditional detection have surged, with phishing hyperlinks increasing by 36.8%, malware by 20%, and social engineering tactics by 14.2% compared to the previous six months.
The most common third-party platforms used for phishing were: sendgrid.com, salesforce.com, amazonaws.com, sendlayer.com, mailgun.com, and marketo.com.
Of 512 job application-related phishing emails, attackers targeted engineering (64%) roles, followed by finance (12%), HR (10%), IT (10%), product (2%), and others (2%).
25.9% of phishing emails between September 15, 2024 and February 14, 2025 contained attachments.
82.6% of all phishing emails analysed exhibited some use of AI.
In 2024, there was a 47% increase in phishing emails evading detection by Microsoft’s native security and secure email gateways.
There was a 22.6% increase in ransomware payloads.
New starters typically received a phishing email after 3 weeks.
On average, phishing emails contained 1058 characters (~188 words).
76.4% of all phishing campaigns now use polymorphic phishing tactics.
Ransomware payloads in phishing attacks have risen by 22.6% over six months, with a sharp 57.5% increase in just three months.
The top three words used in phishing emails: Urgent, Review, Sign.
There has been a 57.9% increase in phishing attacks being sent from compromised accounts getting through traditional detection.
The top cryptocurrencies demanded during extortion are: Bitcoin, Monero, XRP.
Job application-related phishing attacks are not only sent to individual accounts (24%) but also shared mailboxes (52%) and individual inboxes with activated delegate functions (21%) (e.g. a personal assistant has access to an executive’s inbox).
Between September 15, 2024 and February 14, 2025, there was an 11.1% increase in phishing emails sent from compromised email addresses within the supply chain.
Between September 15, 2024 and February 14, 2025, there was a 67.4% increase in the use of third-party platforms for phishing emails.
64% of phishing attacks are focused on engineering roles.