
Cybercriminals Deploy Creative, Laser-Focused Tactics to Bypass Traditional Email Defenses, VIPRE’s Q3 2025 Email Threat Report Reveals

VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 Email Threat Landscape Report.

Based on the processing and analysis of 1.8 million emails, this report highlights the most critical email security threat trends identified in Q3 2025, helping organizations strengthen their email defense strategies against the creative, sophisticated, and highly targeted tactics threat actors use to circumvent traditional cybersecurity measures.

Commercial clutter, the perfect cover for cyberthreats

Legitimate but “spammy” commercial messages dominated this quarter at 60%, up 34% year-on-year. Phishing messages rose to 23% from 20%, while scams dropped to 10% from 34%. This flood of routine commercial clutter is designed to desensitize even the most security-conscious users, making malicious emails blend seamlessly into the noise. When inboxes overflow with legitimate-looking messages, users become less vigilant about what they click on.

Overall, more than a third of all spam emails are maliciously designed to cause harm, encompassing phishing attempts, scams, and malware.

Cold outreach marketing and shotgun list bombing dominate commercial spam  

Within the 60% commercial spam category, cold outreach marketing emails dominated with 72% of the cases. List bombing claimed another 16%, a tactic where attackers maliciously subscribe victims to hundreds or thousands of mailing lists, newsletters, or promotional sign-ups simultaneously, flooding their inboxes with unwanted content. This overwhelming deluge frustrates users but serves as the perfect smokescreen for concealing genuine threats among the chaos.

Newly registered domains on the rise for phishing, but open redirects preferred

Threat actors increasingly registered large numbers of domains to launch temporary phishing sites, quickly deactivating them upon discovery to evade detection and blacklisting. This trend underscores that traditional blacklisting of email domains and signature-based detection measures alone are inadequate.

However, despite the success of newly registered domains, compromised URLs and open redirects remain attackers’ preferred phishing vector, employed in 80% of campaigns. Newly registered domains account for only the remaining 20%, but this is a trend to watch.

Outlook and Google mailboxes top targets for credential harvesting  

Attackers are concentrating their efforts on the world’s two largest business and personal email platforms, Outlook and Google, which today form 90% of observed phishing attacks. This strategic focus is enabling threat actors to maximize efficiency by reducing the research and customization required for individual campaigns.

Fetch API emerges as preferred data exfiltration method

One-third of phishing attacks leveraged Fetch API, a sophisticated JavaScript interface for network requests, to exfiltrate stolen credentials. By comparison, fewer than 10% of attacks used POST requests – the traditional HTTP method for transmitting data to servers. This trend suggests attackers are adopting more advanced techniques that may evade conventional security detection mechanisms designed to monitor standard POST-based data transfers.

Apple TestFlight exploits to distribute malicious iOS apps 

Sophisticated threat actors abused Apple’s TestFlight platform to deliver malware-laden iOS applications to targeted victims. Exploiting TestFlight’s legitimate beta testing framework allowed attackers to distribute pre-release test software via invite or public links, bypassing Apple’s standard App Store review processes and security controls, to deliver malicious payloads directly to users’ devices.

Geographic distribution is helping malware evade blocklists

Over 60% of spam emails originated from the United States; 9% from Hong Kong, which showed 5% growth in Q1 2025 and 8% in Q2 2025; 6% from Great Britain; and 25% collectively from other developed countries. This geographic dispersion across spam-sending markets makes IP-based geographic blocking impractical and inadvisable, a weakness that attackers deliberately exploit.

Spam sender sources highlight attackers’ creative detection-evasion techniques 

Attackers used a variety of creative techniques to evade detection and maximize spam delivery.

Most notably, compromised accounts (33%) demonstrate that attackers exploited trusted domains to bypass reputation checks and filters despite email authentication (SPF/DKIM) anomalies. A further 32% of campaigns exploited popular free services such as Gmail, Yahoo, and Outlook, alongside lesser-known free relays including GMX, ProtonMail, Zoho, and Yandex.

Misusing the strong IP reputations of bulk mailing services like SendGrid, Mailgun, and Amazon SES, attackers weaponised them either through fake sign-ups or compromised customer accounts.


“Today’s cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication,” Usman Choudhary, General Manager, VIPRE Security Group, says. “They’re manipulating trusted platforms, layering evasion tactics into seamless attack chains, and using commercial spam as cover for their operations. To counter this, organizations need to deploy equally adaptive and layered defenses. The question isn’t whether defenses work today, but rather will they adapt fast enough for tomorrow?”

To read the full report, click here: Email Threat Trends Report: Q3 2025

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.

Why Email Remains Healthcare’s Most Vulnerable Security Threat


By Usman Choudhary, General Manager, VIPRE Security Group.

Email continues to be the lifeblood of communication in healthcare. From coordinating care among clinical teams to sharing lab results and scheduling appointments, email is a fast, familiar, and fully integrated part of nearly every workflow. Yet, the very convenience that makes it indispensable also makes it one of the riskiest points of exposure for patient information and organizational security.

In healthcare, the impact of an email breach goes beyond just financial loss. A misaddressed email, an incorrect attachment, or a single successful phishing attempt can compromise sensitive information, including diagnoses, lab results, and personal identifiers. These details are extremely valuable to cybercriminals, posing risks such as identity theft, fraudulent insurance claims, and tampered medical records that can directly impact patient safety and well-being.

The Shift from Technical Exploits to Human-Centric Attacks

Cybercriminals are increasingly shifting away from complex technical exploits and instead using personalized deception tactics. Recent research indicates that over half (58%) of phishing websites now utilize unidentifiable phishing kits, such as Evilginx, Tycoon 2FA, and 16shop, that are difficult to detect and are increasingly powered by AI. These kits enable cybercriminals to create highly personalized attacks that exploit both technology and human behavior, allowing them to bypass traditional security measures.

Business Email Compromise (BEC) remains a significant threat, with 82% of attacks involving impersonation of CEOs or senior leaders. This tactic is used to pressure employees into transferring funds or revealing sensitive information. Additionally, the targeting of specific regions is changing, with Danish, Swedish, and Norwegian executives increasingly vulnerable, alongside traditional English-speaking targets. 

Malware: A Persistent Threat

Malware continues to heighten risks, with Lumma Stealer identified as the leading malware strain. It spreads through attachments or links from compromised cloud services. The malware-as-a-service model is particularly appealing, as it offers cost-effective access and support for both inexperienced and experienced attackers. This approach lowers the barrier to entry while maintaining high effectiveness.

Phishing lures are carefully designed to exploit human behavior. Financial incentives, urgency appeals, and account updates are the primary components of most malicious messages. Open redirects and compromised websites conceal the ultimate destination, making links appear legitimate, while PDFs, often embedded with QR codes, remain the most common vector for attachments.

These attacks are not random but carefully orchestrated to harvest sensitive data — at scale.

Human Error: The Weakest Link

Despite the sophistication of various cyber threats, human error remains the weakest link in cybersecurity. Healthcare professionals operate in high-pressure environments, balancing the demands of patient care with administrative tasks. In these situations, it’s easy to mistakenly send an email to the wrong recipient, mislabel an attachment, or click on a link that seems legitimate.

Additionally, healthcare organizations often rely on external partners for scheduling, billing, and communications, which involve handling protected health information (PHI). If a vendor is compromised, the covered entity remains responsible for the breach and its consequences.

This interconnectedness underscores why email security should not be viewed solely as an IT issue; it is a top organizational priority.

Beyond Perimeter Defenses: A Human-Centric Approach

Mitigating email risk requires more than just perimeter defenses. While encryption, multi-factor authentication, and phishing filters are essential, they are not enough on their own. These tools need to be complemented by user-focused safeguards that provide staff with real-time assistance. Practical measures include recipient confirmation prompts, content alerts when potentially harmful information is detected, and in-the-moment security reminders. These mechanisms serve as checkpoints, helping to prevent mistakes before they happen.

Training is also crucial, but it needs to be ongoing and integrated into daily workflows, rather than being limited to annual modules. Short, bite-sized lessons, simulated phishing exercises, and reminders that are embedded in workflows help reinforce awareness, ensuring that staff keep security in mind even under pressure. When security awareness is woven into daily operations, it becomes second nature for everyone involved.

The Role of Technology in Enhancing Email Security

While human-centric approaches are essential, technology also plays a crucial role in enhancing email security. Advanced email security solutions can detect and block malicious attachments, links, and impersonation attempts before they reach users’ inboxes. Machine learning algorithms can analyze email patterns and behaviors to identify anomalies indicative of phishing or business email compromise (BEC) attacks.

Furthermore, integrating email security with other systems, such as endpoint protection and identity management, creates a layered defense that can respond more effectively to threats. This holistic approach ensures that even if one layer is bypassed, others remain in place to protect sensitive information.

Legal and Regulatory Implications

The legal and regulatory landscape surrounding email security in healthcare is complex and continually evolving. Organizations must comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), which mandates the protection of protected health information (PHI). A breach resulting from an email-related incident can lead to significant legal consequences, including hefty fines and damage to reputation.

Moreover, patients trust healthcare organizations to safeguard their personal information. Protecting email communications is not just a legal obligation but is necessary to maintain patient trust.

Practical Steps for Healthcare Organizations

Healthcare organizations can implement several practical steps to enhance email security: 

  1. Implement Advanced Email Security Solutions: Utilize email security tools that can detect and block malicious content, impersonation attempts, and phishing attacks.
  2. Educate and Train Staff: Provide ongoing training for staff on recognizing phishing attempts, securely handling sensitive information, and following best practices for email communication.
  3. Establish Clear Policies: Develop and enforce policies regarding the use of email for transmitting sensitive information, including guidelines for encryption and authentication.
  4. Monitor and Respond to Threats: Continuously monitor email traffic for signs of suspicious activity and have a response plan in place for addressing potential incidents.
  5. Collaborate with Third-Party Vendors: Ensure that third-party vendors handling PHI adhere to the same security standards and practices to mitigate the risk of breaches.

Conclusion

Ultimately, protecting email in healthcare is not merely a compliance requirement; it is a critical aspect of ensuring patient safety. It is central to preserving patient trust, safeguarding clinical integrity, and ensuring uninterrupted care delivery. Each secure message helps prevent identity theft, fraudulent claims, and mismanaged records, directly supporting our mission to put patients first.

As cyber threats evolve and human error remains persistent, healthcare organizations must adopt strategies that combine robust technology with human-centered approaches. By doing so, they can reduce both accidental and malicious breaches, protecting the information that matters most, the health and safety of patients.

Inspired eLearning Unveils New Simulations Lab to Transform Employees into a Formidable Defense Against Cyberattacks

Inspired eLearning, powered by VIPRE, a global leader and award-winning cybersecurity, privacy, and data protection company, today announced the launch of its new Simulations Lab. This groundbreaking course is designed to equip learners with practical, hands-on experience to identify and react to the most prevalent email phishing, vishing, and SMiShing attacks.

In an era of escalating AI-powered threats, sophisticated social engineering attacks frequently bypass technical defenses. The Simulations Lab empowers an organization’s workforce to become a crucial line of defense, which can be the difference between a close call and a costly data breach.

The Simulations Lab Experience

The Simulations Lab offers organizations a powerful way to build a smarter, savvier security force. By fostering superior information retention through randomized practice and an active, engaging learning methodology, the platform ensures an investment that yields enduring benefits beyond typical Security Awareness Training programs alone. Simulating real workplace scenarios enhances a learner’s ability to apply security best practices effectively.

The platform’s research-driven, purpose-built content connects simulations to real-life scams, while gamified elements and continuous interactions keep learners engaged and motivated to improve. By equipping every employee with the mindset to evade today’s advanced adversaries, the Simulations Lab transforms a company’s workforce into a robust and essential layer of defense.


“Technical defenses are essential, but the human element remains the most targeted and critical layer of security,” said John Trest, Chief Learning Officer and Strategic Product Manager, at Inspired eLearning. “With the Simulations Lab, we are giving organizations the tools to turn that potential vulnerability into a powerful strength. We are empowering employees to become the most effective protectors of their organization’s intellectual property, customer data, and sensitive health records.”

By actively fostering a cybersecurity-conscious culture, organizations can demonstrate their commitment to security and inspire their entire team to become a formidable defense against cyberattacks.

About Inspired eLearning

Inspired eLearning powered by VIPRE is a VIPRE Security Group brand and part of Ziff Davis Inc. As part of VIPRE Security Group, an award-winning global cybersecurity, privacy and data protection company, we are committed to delivering eLearning solutions of the absolute highest quality, ones which don’t simply check a box, but which drive positive and measurable changes in organizational culture as well.

We deliver solutions that help clients nurture and enhance workforce skills, protect themselves against cyberattacks and regulatory violations, and maximize the return on their investment in organizational training with our eLearning for employees.

VIPRE’s Q2 2025 Email Threat Report Reveals Cybercriminals Abandon Tech Tricks for Personalized Deception Tactics

VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its email threat landscape report for Q2 2025.

Through an examination of worldwide real-world data, this report sounds the alarm on the most significant email security trends observed in the second quarter of 2025, enabling organizations to develop effective email security defenses for the remainder of the year.

Unidentifiable phishing kit deployments 

A striking 58% of phishing sites now use unidentifiable phishing kits. Cybercriminals are deploying unidentifiable phishing kits to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments. These phishing kits can’t easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), and 16shop (7%), with another 5% attributed to other generic kits.

Manufacturing is the top target sector

For the sixth quarter in a row, the manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks – 26% of all incidents – encompassing BEC, phishing, and malspam threats. Retail follows, accounting for 20% of attacks.

Healthcare is close behind at 19%, reflecting a consistent trend observed since last year and through Q1 2025.

English-speaking executives remain the most targeted by BEC emails (42%); a significant portion of targets are Danish (38%), with Swedish and Norwegian executives comprising a combined 19%. Critical corporate communications – especially within HR, finance, and executive teams – often take place in native languages, making localized attacks more convincing.

Impersonation is the most common technique used in BEC scams, with 82% of attempts targeting CEOs and executives. The remaining impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).

Lumma Stealer, the malware family of the quarter

Lumma Stealer is the most encountered malware family found in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive and Google Drive.

Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.

Top bait, hook, and reel-in tactics

Financial lures, representing 35% of the samples (emails regarding money, financial errors, fiduciary imperatives, and the like), are the number one ploy used by cybercriminals to get users to open malicious emails. Urgency-based messaging (25%) is the second most tried approach, followed by account verification and updates (20%), travel-themed messages (10%), package delivery (5%), and legal or HR notices (5%).

For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30%) are the next most prevalent link delivery method, followed by the use of URL shorteners (7%).

While PDFs (64%) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.

Finally, cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to a remote server (52%) and email exfiltration (30%).

“It’s clear what the threat actors are doing – they are outsmarting humans through hyper-personalized phishing techniques using the full capability of AI and deploying at scale,” Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group, says. “Organizations can no longer rely on standard cybersecurity processes, techniques, and technology. They need comprehensive and advanced email security solutions that can help them to deploy like-for-like defenses – at the very least – if not help them stay a step ahead of the tactics used by cybercriminals.”

To read the full report, click here: Email Threat Trends Report: 2025: Q2


Fortifying Healthcare Email Security: Advanced Solutions and Mitigation Strategies


By Usman Choudhary, general manager, VIPRE Security

Email remains a cornerstone communication tool for healthcare entities, yet the communication channel also presents formidable cybersecurity hurdles. The sensitive nature of patient data and the open nature of email renders it susceptible to data exposure and phishing attempts. Thus, as healthcare continues its technology maturation, the imperative to grasp the gravity of email security intensifies. Advanced email security solutions offer a potent means to tackle these challenges head-on.

Why does this matter now? Isn’t email dying? Not based on the numbers. For example:

In a review of just the fourth quarter of 2023, VIPRE reviewed roughly 7.2 billion emails worldwide that were processed through its systems. Of those, more than 950 million malicious or unwanted emails were detected (~13 percent) and blocked. Most of these were detected using classical signature-based detection of bulk email, known malware, and known malicious links, including 20 million emails with malicious attachments and 41 million emails with malicious links. But there were 500,000 malicious emails that were only detected because of advanced, behavioral simulation of a user actually clicking on the link, i.e. detecting true zero-hour malicious sites, which is a feature built into our VIPRE Email Link Isolation. 

It was interesting to note a rise and fall in favored malicious email types each quarter and throughout the year. In 2023, we noticed the following trends:

Regardless of the slight percentage decrease, phishing emails continue to be tied with scam emails in volume, making them a perennial favorite of hackers and a constant threat to inboxes. Healthcare is in the top three targeted industries, representing 14% of the attacks that we observed across all of our customers.

With this data as a reference point, it’s easy to see that healthcare is chronically vulnerable to cyberattacks driven by phishing and malicious inclusions in email. While writing this piece, one of the nation’s largest healthcare clearinghouses, Change Healthcare, was affected by a massive ransomware attack.

Change Healthcare is a unit of UnitedHealth Group’s Optum subsidiary, and its products are used by a huge variety of healthcare organizations. According to HHS, Change Healthcare “was impacted by a cybersecurity incident in late February. HHS recognizes the impact this attack has had on healthcare operations across the country.” The Russian-speaking cybercriminal gang known as both AlphV and Blackcat claimed responsibility and said on its darkweb site that it exfiltrated 6 TB of data in the attack against Change Healthcare.

This specific attack affected healthcare systems, prescription deliveries, and anyone who processes insurance claims. This should raise red flags for all healthcare organizations regardless of size, particularly for smaller organizations with limited budgets. After all, if companies as massive as Change Healthcare—who undoubtedly had advanced cybersecurity measures in place—can be breached, then smaller organizations with fewer resources should take action to protect themselves.

The attack underscores the critical importance of proactive measures to mitigate the risks of sophisticated cyber threats. Although the attack vector in the Change Healthcare breach has not been identified as of this writing, the same group was responsible for the massive MGM Resorts hack in September 2023, which started on LinkedIn with a social engineering-driven exploit. A form of phishing, this foothold was leveraged to gain access within MGM, and this access was then expanded to target many of MGM’s key business systems.
