2025 Phishing Trends: Financial Lures, Open Redirects and Regional BEC Attacks

VIPRE Security Group have released their Email Threat Landscape Report for Q2 2025. Through an examination of internal worldwide data, the report sounds the alarm on the most significant email security trends observed in the second quarter of 2025, enabling organisations to develop effective email security defences for the remainder of the year.

The full report is available as Email Threat Trends Report: 2025: Q2. Insights found include:

  1. The Majority of Phishing Kits Are Now Untraceable
     • 58% of phishing sites use “unidentifiable” kits, meaning cybercriminals are getting better at hiding their tools to avoid detection and takedown.
  2. AI Is Fuelling the Phishing Boom
     • Artificial Intelligence is making sophisticated phishing kits more affordable and accessible, enabling attacks to scale rapidly and become hyper-personalised.
  3. Manufacturing Is Target #1
     • Contrary to many expectations, manufacturing—not retail or healthcare—remains the top sector targeted by email attacks for the sixth straight quarter.
  4. Scandinavia Faces Increased BEC Attacks in Local Languages
     • Cybercriminals have shifted to targeting Scandinavian executives, using Danish, Swedish, and Norwegian language emails for business email compromise scams.
     • 38% of BEC attacks targeted Danish-speaking executives, and nearly 20% targeted Swedish or Norwegian speakers.
  5. Impersonation Attacks Focus on Executives
     • A staggering 82% of BEC attacks impersonate CEOs and C-level executives, highlighting the value of executive access for cybercriminals.
  6. Lumma Stealer Dominates the Malware Landscape
     • Lumma Stealer emerged as the most prevalent malware family, often delivered via phishing emails with attachments or cloud-hosted links (e.g., Google Drive, OneDrive).
  7. Financial Lures Are Cybercriminals’ Favourite
     • 35% of phishing emails use financial-related topics as bait, making finance the most popular lure for attackers.
  8. PDF Attachments and QR Codes: A Dangerous Combo
     • 64% of malicious attachments are PDFs, and an increasing share now include embedded QR codes to trick victims into furthering the attack.
  9. Open Redirects Are the Top Phishing Delivery Mechanism
     • Just over half (54%) of all phishing attempts use open redirects and legitimate-looking services to hide malicious URLs.
  10. Email Exfiltration and HTTP POST Are Popular for Stealing Data
     • Attackers’ favourite attack “endgames” are to exfiltrate data via HTTP POST (52%) or directly through email exfiltration (30%).

Unidentifiable phishing kit deployments

A striking 58% of phishing sites now use unidentifiable phishing kits. Cybercriminals are deploying unidentifiable phishing kits to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments. These phishing kits cannot be easily reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx (20%), Tycoon 2FA (10%), 16shop (7%), with another 5% attributed to other generic kits.

Manufacturing, not Retail, is the top target sector

For the sixth quarter in a row, the Manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks – 26% of all incidents – encompassing BEC, phishing, and malspam threats. Retail follows, accounting for 20% of attacks, with Healthcare close behind at 19%, reflecting a consistent trend observed since last year and through Q1 2025.

BEC targets Scandinavia

Scandinavian countries, known for their sophisticated economies and digital infrastructures, have become prime targets for business email compromise (BEC) attacks. Cybercriminals are increasingly focusing on executives in this region, leveraging language and localisation for greater effectiveness. While English-speaking executives remain the most targeted for BEC emails (42%), a significant portion are Danish-speaking (38%), with Swedish and Norwegian speakers comprising a combined 19%.

The strategic use of Danish (11.9%), Swedish (3.8%), and Norwegian (1.5%) languages in BEC scams highlights a growing trend toward regional targeting. Although English proficiency is high in Scandinavia, critical corporate communications – especially within HR, finance, and executive teams – often take place in native languages, making localised attacks more convincing.

Impersonation is the most common technique used in BEC scams, with 82% of attempts targeting CEOs and executives. The remaining impersonation efforts are aimed at directors and managers (9%), HR personnel (4%), IT staff (3%), and school heads (2%).

Lumma Stealer, the malware family of the quarter

Lumma Stealer was the most frequently encountered malware family in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive and Google Drive.

Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.

Top bait, hook, and reel-in tactics

Financial lures representing 35% of the samples – emails regarding money, financial errors, fiduciary imperatives, and such – are the number one ploy used by cybercriminals to get users to open malicious emails. Urgency-based messaging (25%) is the second most tried approach, followed by account verification and updates (20%), travel-themed messages (10%), package delivery (5%), and legal or HR notices (5%).

For phishing delivery, the majority (54%) of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30%) are the next most prevalent link delivery method, followed by the use of URL shorteners (7%).
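As a defensive illustration of the open-redirect pattern described above, the following added example (not part of the VIPRE report or this article) flags links whose visible host differs from a destination URL carried in a query or fragment parameter. The sample links, the reserved example.* domains and the two-label "site" heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

URL_PREFIXES = ("http://", "https://", "//")

def site(host):
    # Assumption: naive "site" key built from the last two host labels.
    # Production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_urls(url, max_decode=3):
    """Yield (param, target) for parameter values that decode to an absolute URL."""
    parts = urlsplit(url)
    for source in (parts.query, parts.fragment):
        # parse_qsl already removes one layer of percent-encoding
        for name, value in parse_qsl(source, keep_blank_values=True):
            candidate = value
            for _ in range(max_decode):  # peel repeated percent-encoding
                if candidate.lower().startswith(URL_PREFIXES):
                    break
                decoded = unquote(candidate)
                if decoded == candidate:
                    break
                candidate = decoded
            if candidate.lower().startswith(URL_PREFIXES):
                yield name, candidate

def redirect_findings(url):
    """Return embedded targets whose site differs from the link's visible host."""
    outer = urlsplit(url).hostname or ""
    findings = []
    for name, target in embedded_urls(url):
        inner = urlsplit(target).hostname or ""
        if inner and site(inner) != site(outer):
            findings.append({"visible_host": outer, "param": name, "target_host": inner})
    return findings

# Constructed sample links (reserved example.* domains, not real indicators)
SAMPLE_LINKS = [
    "https://track.mailer.example.com/click?id=123&url=https%3A%2F%2Flogin.example.net%2Fverify",
    "https://news.example.org/r?u=https%253A%252F%252Fportal.example.net%252Finvoice",
    "https://shop.example.com/out?next=https%3A%2F%2Fwww.example.com%2Fcart",
    "https://docs.example.org/page?q=quarterly+report",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", redirect_findings(link) or "no cross-site target")
```

A finding is a triage signal rather than a verdict, since legitimate click-tracking links have the same shape; it is most useful when combined with reputation data for the target host.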

While PDFs (64%) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.

Finally, cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to a remote server (52%) and email exfiltration (30%).

“It’s clear what the threat actors are doing – they are outsmarting humans through hyper-personalised phishing techniques using the full capability of AI and deploying at scale,” Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group, says. “Organisations can no longer rely on standard cybersecurity processes, techniques, and technology. They need comprehensive and advanced email security solutions that can help them to deploy like-for-like defenses – at the very least – if not help them stay a step ahead of the tactics used by cybercriminals.”

Trish Stevens Head of Content
Trish is the Head of Content for In the Channel Media Group as well as being Guest Editor of UC Advanced Magazine.
