When you hear the word zombie, you probably think of something that’s dead, but still walking around, looking disturbingly alive. In the digital world, zombie phishing works the same way: attackers resurrect old email threads to spread malware or steal credentials, hiding danger inside something that looks completely normal.
These malicious “undead” email messages nudge you to “click here to view the full update” or open an attachment. Why not? It’s part of a familiar conversation, from a trusted contact. But behind that link or file is malicious content that can compromise your organization’s defenses.
Zombie phishing is an ever-growing menace that exploits trust in ways traditional security tools struggle to catch.
What Is Zombie Phishing?
Zombie phishing is a stealthy type of phishing attack that hides among your many emails like a wolf in sheep’s clothing. Here’s how it works:
The phisher compromises a real email account, usually through phishing, weak passwords, or lack of MFA. Now they control a legit, trusted account.
Then they scan old emails, looking for existing threads, especially ones with multiple people or unfinished business.
They revive an email thread by replying to a real message with something like: “See the attached update” or “Please review this doc.” The email looks normal because it’s part of a familiar conversation.
They add a malicious payload, which might include a link to a fake login page or a malicious attachment. Since the message is sent from a real account, it bypasses most security filters.
The victim falls for it because they recognize the sender and click. Here they might enter their credentials, download malware, or open a path into the organization.
The attack spreads, and new victims may have their accounts compromised too. The attacker keeps reusing threads, creating new “zombies” to spread the attack further.
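The steps above describe a reply that revives a long-idle thread and carries a link or attachment with a terse, generic lure. The following is an added example (not code from the original post) of a defender-side heuristic that scores incoming replies on exactly those traits; the sample messages, the mailbox thread index, and the 90-day and 25-word thresholds are constructed for illustration.

```python
"""Flag replies that revive long-idle email threads ("zombie" replies).

Added example; not VIPRE's code. Sample messages, the thread index and the
thresholds below are constructed for illustration only.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

STALE_AFTER = timedelta(days=90)   # a reply after this long a gap counts as "revived"
TERSE_WORDS = 25                   # bodies shorter than this are "terse"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_PHRASES = ("see the attached", "please review", "click here", "view the full update")


def zombie_indicators(raw_message: str, thread_index: dict) -> list:
    """Return the reasons a message looks like a zombie reply (empty = clean).

    thread_index maps Message-ID -> datetime of messages already in the mailbox,
    so the idle time of the thread being revived can be measured.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else datetime.now(timezone.utc)

    # 1. Reply to a thread that has been quiet for a long time?
    referenced = [msg.get("In-Reply-To", "").strip()] + msg.get("References", "").split()
    known = [thread_index[r] for r in referenced if r in thread_index]
    if known and (sent - max(known)) > STALE_AFTER:
        reasons.append(f"reply to a thread idle for {(sent - max(known)).days} days")

    # 2. Link or attachment riding on a very short body?
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)
    if urls:
        reasons.append(f"{len(urls)} link(s) in reply")
    attachments = [p.get_filename() or "unnamed" for p in msg.iter_attachments()]
    if attachments:
        reasons.append("attachment(s): " + ", ".join(attachments))
    if (urls or attachments) and len(text.split()) < TERSE_WORDS:
        reasons.append("terse body paired with link/attachment")

    # 3. Generic lure wording typical of revived-thread phishing
    if any(phrase in text.lower() for phrase in LURE_PHRASES):
        reasons.append("generic lure phrasing")
    return reasons


def is_zombie(reasons: list) -> bool:
    """Two or more independent indicators: hold the message for review."""
    return len(reasons) >= 2


def build_sample(date, in_reply_to, body, attachment=None) -> str:
    """Constructed RFC 5322 message for testing; not a real capture."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "dana@example.com", "team@example.com", "Re: Q1 budget"
    m["Date"], m["In-Reply-To"] = format_datetime(date), in_reply_to
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed mailbox index: the Q1 budget thread last saw traffic in January.
THREAD_INDEX = {"<q1-budget@example.com>": datetime(2025, 1, 15, tzinfo=timezone.utc)}
BENIGN = build_sample(datetime(2025, 1, 16, tzinfo=timezone.utc), "<q1-budget@example.com>",
                      "Thanks Dana, the Q1 numbers look right to me. I added the travel "
                      "items we discussed and will circulate the revised sheet on Thursday.")
ZOMBIE = build_sample(datetime(2025, 9, 20, tzinfo=timezone.utc), "<q1-budget@example.com>",
                      "See the attached update.", ("Q1_budget_update.zip", b"constructed-bytes"))
```

In a real deployment the thread index would come from the mail store and the thresholds tuned per organization; the point is that the stale-thread signal is what separates a zombie reply from ordinary attachment-bearing mail.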
Who Should Be Worried?
No one’s immune, but some are in the crosshairs more so than others. Small and medium-sized businesses (SMBs) often lack the robust security budgets of enterprises, making them prime targets. The Cybersecurity and Infrastructure Security Agency warns that SMBs account for 43% of cyberattack victims, with email as the top vector.
Larger organizations aren’t safe either, especially those in finance, healthcare, and manufacturing, where supply chain relationships and high-value transactions create juicy opportunities. Employees at all levels, from receptionists to C-suite executives, must stay vigilant, but finance and HR teams, gatekeepers of funds and sensitive data, are significant targets.
Steps to Fight Back
You can’t just hope your employees will spot every zombie in their inboxes; prevention demands a layered approach: technical, procedural, and human. Here’s how to start:
Lock Down Accounts with Multi-Factor Authentication (MFA): CISA reports that MFA blocks 99.9% of account takeover attempts. Make it mandatory for every email login, with no exceptions. A second verification step can stop attacks even if attackers snag passwords.
Train the Human Firewall: Awareness is your best defense. Regular training (quarterly refreshers, for example) should teach staff to spot red flags: sudden urgency, odd tone shifts, or unexpected links in old threads. Security awareness training focuses on familiarizing employees with various cyber threats, such as phishing scams, malware, ransomware, and social engineering tactics, aiming to instill a culture of security mindfulness among staff.
Verify Before You Act: Establish a golden rule: no wire transfers or data shares without voice or face-to-face confirmation. The FBI’s IC3 emphasizes that this simple step could have thwarted countless business email compromise (BEC) scams. Email alone isn’t enough.
Monitor and Audit Email Activity: Configure logging and alerts for unusual logins, newly created or modified forwarding rules, and other unusual email activity; unauthorized forwarding rules in particular are a common indicator of a compromised account. Prompt alerting lets potential threats be identified and investigated before they cause significant harm. Email security solutions such as Secure Email Gateways (SEG) and Integrated Email Security (IES) applications are crucial for combating these attacks: they offer real-time monitoring and alerting for suspicious activity, enabling early detection of compromise before attackers can inflict substantial damage.
Patch and Update Relentlessly: Keep email platforms and endpoints patched and current. Attackers exploit gaps in unpatched systems to plant malware or harvest credentials, so timely patching closes vulnerabilities and reduces malware infections and credential theft. Endpoint Detection & Response (EDR) solutions also provide comprehensive reporting features.
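The monitoring step above calls for alerts on unusual logins and unauthorized forwarding rules. As an added example (not VIPRE's or Microsoft's code), here is a small triage routine over mailbox audit events that turns those indicators into findings and names the users who trip more than one; the event records are constructed and only loosely modelled on Exchange/Microsoft 365 audit entries (New-InboxRule, Set-Mailbox and the forwarding parameters are real cmdlet names, but the record layout is simplified), and the per-user country baseline is assumed.

```python
"""Triage mailbox audit events for signs of account takeover.

Added example; not VIPRE's or Microsoft's code. Events below are constructed
and only loosely modelled on Exchange/M365 audit entries (simplified layout).
"""
from collections import Counter

INTERNAL_DOMAINS = {"example.com"}                     # assumed: the organization's own domains
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                "Junk Email", "Deleted Items", "Archive"}


def is_external(address: str) -> bool:
    """True when the address (optionally 'smtp:'-prefixed) leaves the organization."""
    domain = address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def audit_findings(events: list, baseline_countries: dict) -> list:
    """Return (user, finding, detail) tuples for events worth an analyst's eye."""
    findings = []
    for ev in events:
        user, op, p = ev["user"], ev["op"], ev.get("params", {})
        if op == "UserLoggedIn":
            # Login from a country never seen for this user in the baseline window
            if ev["country"] not in baseline_countries.get(user, set()):
                findings.append((user, "login from unfamiliar country", f"{ev['country']} {ev['ip']}"))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            # Rules that push mail outside the org, or bury it where the owner won't look
            external = [p[k] for k in FORWARD_KEYS if k in p and is_external(p[k])]
            if external:
                findings.append((user, "inbox rule forwards mail externally", ", ".join(external)))
            if p.get("DeleteMessage") or p.get("MoveToFolder") in HIDE_FOLDERS:
                findings.append((user, "inbox rule hides incoming mail", p.get("Name", "?")))
        elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            # Mailbox-level forwarding is invisible in the user's own rule list
            if is_external(p["ForwardingSmtpAddress"]):
                findings.append((user, "mailbox-level external forwarding", p["ForwardingSmtpAddress"]))
    return findings


def likely_compromised(findings: list, threshold: int = 2) -> set:
    """Users with several independent indicators in the same window."""
    counts = Counter(user for user, _, _ in findings)
    return {u for u, n in counts.items() if n >= threshold}


BASELINE = {"dana@example.com": {"US"}, "sam@example.com": {"US", "CA"}}   # assumed baseline
EVENTS = [  # constructed sample window; IPs are RFC 5737 documentation addresses
    {"ts": "2025-09-20T02:14:09Z", "user": "dana@example.com", "op": "UserLoggedIn",
     "ip": "203.0.113.45", "country": "DE"},
    {"ts": "2025-09-20T02:16:31Z", "user": "dana@example.com", "op": "New-InboxRule",
     "params": {"Name": "Archive rule", "ForwardTo": "dana.archive@mail.example.net",
                "DeleteMessage": True, "SubjectContainsWords": "invoice;password;verify"}},
    {"ts": "2025-09-20T02:17:02Z", "user": "dana@example.com", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:dana.backup@mail.example.net",
                "DeliverToMailboxAndForward": True}},
    {"ts": "2025-09-20T09:02:44Z", "user": "sam@example.com", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "country": "CA"},
    {"ts": "2025-09-20T09:05:10Z", "user": "sam@example.com", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading",
                "FromAddressContainsWords": "news@vendor.example"}},
]
```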
The Road Ahead
Zombie phishing isn’t going away; it’s evolving. With AI now powering 43% of phishing attacks, expect more convincing fakes than ever. VIPRE’s latest threat intelligence shows a 74% rise in non-signature-based threats and a 10% increase in BEC attacks, signaling that cybercriminals are getting smarter and stealthier.
You must adapt and blend defenses with a culture of caution, regular security awareness training, and patch management to ensure vulnerabilities are addressed proactively. Security solutions that deliver real-time insights into emerging threats and integrate email security tools add another layer, monitoring email environments for suspicious logins, unauthorized forwarding rules, and unusual activity. These log and alert features allow teams to investigate potential threats before they escalate into breaches.
It’s not just about protecting data or dollars; it’s about preserving trust in the tools we rely on every day.
Zombie email defense requires preserving trust in the tools we rely on daily. The zombies are out there, potentially lurking in your inbox. The question remains: Are you ready to fight back?
VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 Email Threat Landscape Report.
Based on processing and analysing 1.8 million emails, the report highlights the most critical email security threat trends identified in Q3 2025, to help organizations strengthen their email defense strategies against the creative, sophisticated, and highly targeted tactics of threat actors designed to circumvent traditional cybersecurity measures.
Commercial clutter, the perfect cover for cyberthreats
Legitimate but “spammy” commercial messages dominated this quarter at 60%, up 34% year-on-year. Phishing messages rose to 23% from 20%, while scams dropped to 10% from 34%. This flood of routine commercial clutter is designed to desensitize even the most security-conscious users, making malicious emails blend seamlessly into the noise. When inboxes overflow with legitimate-looking messages, users become less vigilant about what they click on.
Overall, more than a third of all spam emails are maliciously designed to cause harm, encompassing phishing attempts, scams, and malware.
Cold outreach marketing and shotgun list bombing dominate commercial spam
Within the 60% commercial spam category, cold outreach marketing emails dominated with 72% of the cases. List bombing claimed another 16%, a tactic where attackers maliciously subscribe victims to hundreds or thousands of mailing lists, newsletters, or promotional sign-ups simultaneously, flooding their inboxes with unwanted content. This overwhelming deluge frustrates users but serves as the perfect smokescreen for concealing genuine threats among the chaos.
Newly registered domains on the rise for phishing, but open redirects preferred
Threat actors increasingly registered large numbers of domains to launch temporary phishing sites, quickly deactivating them upon discovery to evade detection and blacklisting. This trend stresses that traditional blacklisting of email domains and signature-based detection measures alone are inadequate.
However, despite the success of newly registered domains, compromised URLs or open redirects remain attackers’ preferred phishing vector, employed in 80% of campaigns. Newly registered domains account for only the remaining 20%, but are a trend to watch.
Outlook and Google mailboxes top targets for credential harvesting
Attackers are concentrating their efforts on the world’s two largest business and personal email platforms, Outlook and Google, which today form 90% of observed phishing attacks. This strategic focus is enabling threat actors to maximize efficiency by reducing the research and customization required for individual campaigns.
Fetch API emerges as preferred data exfiltration method
One-third of phishing attacks leveraged Fetch API, a sophisticated JavaScript interface for network requests, to exfiltrate stolen credentials. By comparison, fewer than 10% of attacks used POST requests – the traditional HTTP method for transmitting data to servers. This trend suggests attackers are adopting more advanced techniques that may evade conventional security detection mechanisms designed to monitor standard POST-based data transfers.
Apple TestFlight exploits to distribute malicious iOS apps
Sophisticated threat actors abused Apple’s TestFlight platform to deliver malware-laden iOS applications to targeted victims. Exploiting TestFlight’s legitimate beta testing framework allowed attackers to distribute pre-release test software via invite or public links, bypassing Apple’s standard App Store review processes and security controls, to deliver malicious payloads directly to users’ devices.
Geographic distribution is helping malware evade blocklists
Over 60% of spam emails originated from the United States; 9% from Hong Kong, showing a 5% growth in Q1 2025 and 8% in Q2 2025; 6% from Great Britain; and 25% collectively from other developed countries. This geographic dispersion across spam-sending markets makes IP-based geographic blocking impractical and inadvisable – a vulnerability that attackers deliberately exploit.
Attackers used a variety of creative techniques to evade detection and maximize spam delivery.
Most notably, compromised accounts (33%) demonstrate that attackers exploited trusted domains to bypass reputation checks and filters despite email authentication (SPF/DKIM) anomalies. 32% of campaigns exploited free popular services, such as Gmail, Yahoo, and Outlook, alongside lesser-known free relays including GMX, ProtonMail, Zoho, and Yandex.
Misusing the strong IP reputations of bulk mailing services like SendGrid, Mailgun, and Amazon SES, attackers weaponised them either through fake sign-ups or compromised customer accounts.
Usman Choudhary
“Today’s cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication,” Usman Choudhary, General Manager, VIPRE Security Group, says. “They’re manipulating trusted platforms, layering evasion tactics into seamless attack chains, and using commercial spam as cover for their operations. To counter this, organizations need to deploy equally adaptive and layered defenses. The question isn’t whether defenses work today, but rather will they adapt fast enough for tomorrow?”
To read the full report, click here: Email Threat Trends Report: Q3 2025
VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.
Email continues to be the lifeblood of communication in healthcare. From coordinating care among clinical teams to sharing lab results and scheduling appointments, email is a fast, familiar, and fully integrated part of nearly every workflow. Yet, the very convenience that makes it indispensable also makes it one of the riskiest points of exposure for patient information and organizational security.
In healthcare, the impact of an email breach goes beyond just financial loss. A misaddressed email, an incorrect attachment, or a single successful phishing attempt can compromise sensitive information, including diagnoses, lab results, and personal identifiers. These details are extremely valuable to cybercriminals, posing risks such as identity theft, fraudulent insurance claims, and tampered medical records that can directly impact patient safety and well-being.
The Shift from Technical Exploits to Human-Centric Attacks
Cybercriminals are increasingly shifting away from complex technical exploits and instead using personalized deception tactics. Recent research indicates that over half (58%) of phishing websites now utilize unidentifiable phishing kits, such as Evilginx, Tycoon 2FA, and 16shop, that are difficult to detect and are increasingly powered by AI. These kits enable cybercriminals to create highly personalized attacks that exploit both technology and human behavior, allowing them to bypass traditional security measures.
Business Email Compromise (BEC) remains a significant threat, with 82% of attacks involving impersonation of CEOs or senior leaders. This tactic is used to pressure employees into transferring funds or revealing sensitive information. Additionally, the targeting of specific regions is changing, with Danish, Swedish, and Norwegian executives increasingly vulnerable, alongside traditional English-speaking targets.
Malware: A Persistent Threat
Malware continues to heighten risks, with Lumma Stealer identified as the leading malware strain. It spreads through attachments or links from compromised cloud services. The malware-as-a-service model is particularly appealing, as it offers cost-effective access and support for both inexperienced and experienced attackers. This approach lowers the barrier to entry while maintaining high effectiveness.
Phishing lures are carefully designed to exploit human behavior. Financial incentives, urgency appeals, and account updates are the primary components of most malicious messages. Open redirects and compromised websites conceal the ultimate destination, making links appear legitimate, while PDFs, often embedded with QR codes, remain the most common vector for attachments.
These attacks are not random but carefully orchestrated to harvest sensitive data — at scale.
Human Error: The Weakest Link
Despite the sophistication of various cyber threats, human error remains the weakest link in cybersecurity. Healthcare professionals operate in high-pressure environments, balancing the demands of patient care with administrative tasks. In these situations, it’s easy to mistakenly send an email to the wrong recipient, mislabel an attachment, or click on a link that seems legitimate.
Additionally, healthcare organizations often rely on external partners for scheduling, billing, and communications, which involve handling protected health information (PHI). If a vendor is compromised, the covered entity remains responsible for the breach and its consequences.
This interconnectedness underscores why email security should not be viewed solely as an IT issue; it is a top organizational priority.
Beyond Perimeter Defenses: A Human-Centric Approach
Mitigating email risk requires more than just perimeter defenses. While encryption, multi-factor authentication, and phishing filters are essential, they are not enough on their own. These tools need to be complemented by user-focused safeguards that provide staff with real-time assistance. Practical measures include recipient confirmation prompts, content alerts when potentially harmful information is detected, and in-the-moment security reminders. These mechanisms serve as checkpoints, helping to prevent mistakes before they happen.
Training is also crucial, but it needs to be ongoing and integrated into daily workflows, rather than being limited to annual modules. Short, bite-sized lessons, simulated phishing exercises, and reminders that are embedded in workflows help reinforce awareness, ensuring that staff keep security in mind even under pressure. When security awareness is woven into daily operations, it becomes second nature for everyone involved.
The Role of Technology in Enhancing Email Security
While human-centric approaches are essential, technology also plays a crucial role in enhancing email security. Advanced email security solutions can detect and block malicious attachments, links, and impersonation attempts before they reach users’ inboxes. Machine learning algorithms can analyze email patterns and behaviors to identify anomalies indicative of phishing or business email compromise (BEC) attacks.
Furthermore, integrating email security with other systems, such as endpoint protection and identity management, creates a layered defense that can respond more effectively to threats. This holistic approach ensures that even if one layer is bypassed, others remain in place to protect sensitive information.
Legal and Regulatory Implications
The legal and regulatory landscape surrounding email security in healthcare is complex and continually evolving. Organizations must comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which mandates the protection of protected health information (PHI). A breach resulting from an email-related incident can lead to significant legal consequences, including hefty fines and damage to reputation.
Moreover, patients trust healthcare organizations to safeguard their personal information. Protecting email communications is not just a legal obligation but is necessary to maintain patient trust.
Practical Steps for Healthcare Organizations
Healthcare organizations can implement several practical steps to enhance email security:
Implement Advanced Email Security Solutions: Utilize email security tools that can detect and block malicious content, impersonation attempts, and phishing attacks.
Educate and Train Staff: Provide ongoing training for staff on recognizing phishing attempts, securely handling sensitive information, and following best practices for email communication.
Establish Clear Policies: Develop and enforce policies regarding the use of email for transmitting sensitive information, including guidelines for encryption and authentication.
Monitor and Respond to Threats: Continuously monitor email traffic for signs of suspicious activity and have a response plan in place for addressing potential incidents.
Collaborate with Third-Party Vendors: Ensure that third-party vendors handling PHI adhere to the same security standards and practices to mitigate the risk of breaches.
Conclusion
Ultimately, protecting email in healthcare is not merely a compliance requirement; it is a critical aspect of ensuring patient safety. It is central to preserving patient trust, safeguarding clinical integrity, and ensuring uninterrupted care delivery. Each secure message helps prevent identity theft, fraudulent claims, and mismanaged records, directly supporting our mission to put patients first.
As cyber threats evolve and human error remains persistent, healthcare organizations must adopt strategies that combine robust technology with human-centered approaches. By doing so, they can reduce both accidental and malicious breaches, protecting the information that matters most: the health and safety of patients.
Email remains a cornerstone communication tool for healthcare entities, yet the communication channel also presents formidable cybersecurity hurdles. The sensitive nature of patient data and the open nature of email renders it susceptible to data exposure and phishing attempts. Thus, as healthcare continues its technology maturation, the imperative to grasp the gravity of email security intensifies. Advanced email security solutions offer a potent means to tackle these challenges head-on.
Why does this matter now? Isn’t email dying? Not based on the numbers. For example:
In a review of just the fourth quarter of 2023, VIPRE reviewed roughly 7.2 billion emails worldwide that were processed through its systems. Of those, more than 950 million malicious or unwanted emails were detected (~13 percent) and blocked. Most of these were detected using classical signature-based detection of bulk email, known malware, and known malicious links, including 20 million emails with malicious attachments and 41 million emails with malicious links. But there were 500,000 malicious emails that were only detected because of advanced, behavioral simulation of a user actually clicking on the link, i.e. detecting true zero-hour malicious sites, which is a feature built into our VIPRE Email Link Isolation.
It was interesting to note a rise and fall in favored malicious email types each quarter and throughout the year. In 2023, we noticed the following trends:
276% increase in emails containing malware between Q1 and Q4
23% rise in scam emails between Q1 and Q4, with a 179% spike in Q2
6.4% decrease in phishing emails between Q1 and Q4
Regardless of the slight percentage decrease, phishing emails continue to be tied with scam emails in volume, making them a perennial favorite of hackers and a constant threat to inboxes. Healthcare is in the top three targeted industries, representing 14% of the attacks that we observed across all of our customers.
With this data as a reference point, it’s easy to see that healthcare is chronically at risk regarding its vulnerability to cyberattacks driven by phishing and malicious inclusions in email. While writing this piece, one of the nation’s largest healthcare clearinghouses, Change Healthcare, was affected by a massive ransomware attack.
Change Healthcare is a unit of UnitedHealth Group’s Optum subsidiary, and its products are used by a huge variety of healthcare organizations. According to HHS, Change Healthcare “was impacted by a cybersecurity incident in late February. HHS recognizes the impact this attack has had on healthcare operations across the country.” The Russian-speaking cybercriminal gang known as ALPHV, also called BlackCat, claimed responsibility and said on its dark web site that it exfiltrated 6 TB of data in the attack against Change Healthcare.
This specific attack affected healthcare systems, prescription deliveries, and anyone who processes insurance claims. This should raise red flags for all healthcare organizations regardless of size, particularly for smaller organizations with limited budgets. After all, if companies as massive as Change Healthcare—who undoubtedly had advanced cybersecurity measures in place—can be breached, then smaller organizations with fewer resources should take action to protect themselves.
The attack underscores the critical importance of proactive measures to mitigate the risks of sophisticated cyber threats. Although the attack vector in the Change Healthcare breach has not been identified as of this writing, the same group was responsible for the massive MGM Resorts hack in September 2023, which started on LinkedIn with a social engineering-driven exploit. A form of phishing, this foothold was leveraged to gain access within MGM, and this access was then expanded to target many of MGM’s key business systems.
In the throes of an ever-intensifying cybersecurity crisis, the healthcare sector is under siege, grappling with the fallout from a wave of ransomware attacks. Among the prominent victims are Ardent Health Services and Norton Healthcare, two pillars of the industry facing sophisticated cyber threats. These incidents, and many others, coupled with a new study led by MIT professor Stuart Madnick, paint a bleak picture of the industry’s vulnerability to cyber adversaries.
Ardent Health Services, a health system overseeing 30 hospitals and more than 200 care sites across six states, was the victim of a significant ransomware attack in late November, necessitating the diversion of emergency room patients and rescheduling non-urgent procedures. The fallout has prompted Ardent to take its network offline, suspend user access to critical IT applications, and launch an effort with cybersecurity partners to restore normal operations rapidly.
Usman Choudhary, chief product and technology officer at VIPRE Security Group, said the pervasive greed among ransomware groups and calls for unity within the security community underscore the critical need for accessible and affordable cybersecurity solutions. Even advanced technical protections are futile if hindered by prohibitive costs or complexity, Choudhary said.
Norton Healthcare, another healthcare provider managing eight hospitals across Kentucky and Indiana, suffered a significant data breach impacting up to 2.5 million individuals throughout 2023. The breach took place between May 7 and 9, 2023, exposing personal and protected health information of patients and employees.
This incident at Norton Healthcare amplifies the broader concerns outlined in Stuart Madnick’s report, funded by Apple, showing that ransomware attacks during the first nine months of 2023 surpassed the total from all of 2022. Ransomware attacks impacted more than 360 million people through August of this year.