SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Phishing kits & AI drive surge in email attacks on firms

Tue, 5th Aug 2025

VIPRE Security Group has released its Q2 2025 Email Threat Landscape Report, presenting findings based on its continuous monitoring and analysis of global cybersecurity trends.

Phishing kits dominate attacks

The report indicates that 58% of phishing sites now use unidentifiable phishing kits. These kits are increasingly customised or obfuscated, which makes them very difficult for defenders to detect or analyse, and they often leverage artificial intelligence to reduce costs. Notable kits cited include Evilginx (20%), Tycoon 2FA (10%), and 16shop (7%), with a further 5% attributed to other generic offerings.

Such phishing kits are described as untraceable, with the report stating that they "can't easily be reverse-engineered, tracked, or caught." This trend underscores a shift toward more sophisticated and hard-to-combat forms of phishing campaigns.

Manufacturing sector remains primary target

For the sixth consecutive quarter, the manufacturing sector continues to be the most targeted industry for email-based cyberattacks, accounting for 26% of all reported incidents. These attacks include business email compromise (BEC), phishing, and malspam. The retail sector follows at 20%, with healthcare comprising 19% of recorded attacks for Q2 2025. VIPRE notes that this distribution aligns with trends identified over the previous year.

Scandinavia targeted by BEC schemes

The report reveals a marked increase in BEC attacks targeting Scandinavian executives. While English-speaking executives still represent the largest group targeted by BEC emails (42%), a substantial portion target Danish executives (38%), with Swedish and Norwegian executives representing a combined 19%.

Language and localisation in attack emails are on the rise. Danish is used in 11.9% of BEC scam attempts, Swedish in 3.8%, and Norwegian in 1.5%. The report attributes the targeting of native languages to the fact that many corporate communications, particularly in HR, finance, and executive functions, still take place in local tongues despite high English proficiency in the region.

Impersonation remains the main BEC tactic, with 82% of scams involving the impersonation of CEOs and executives. Directors and managers account for a further 9%, HR staff for 4%, IT staff for 3%, and school heads for 2%.

Lumma Stealer observed as top malware

Lumma Stealer has become the most observed malware family during Q2 2025, the report states. It is typically delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on services such as OneDrive and Google Drive. The malware's accessibility stems from its availability as "Malware-as-a-Service" (MaaS), benefiting from active development support and competitive pricing. This broadens its appeal to both experienced and novice cybercriminals.

Bait and persuasion techniques

Financial incentives were the most common lure in malicious emails, accounting for 35% of samples. Messages feigning urgency comprised the second most frequent tactic at 25%, followed by account verification and update requests (20%), travel-related themes (10%), package delivery notifications (5%), and legal or HR notices (5%).

Cybercriminals continued to use open redirect mechanisms for phishing, with 54% of attacks masking malicious destinations via links on marketing, tracking, or even security platforms. Compromised websites delivered 30% of phishing links, and URL shorteners were used in 7% of incidents.
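For mail-filtering or triage teams, the sketch below shows one way to surface the link patterns described above. It is an added example, not code from the VIPRE report: it flags links whose query string or path carries an absolute URL pointing at a different host (including double percent-encoded values) and links on URL shorteners. The hostnames, parameter names, sample message and shortener list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
INNER_RE = re.compile(r"https?://[^\s]+", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small illustrative set, extend locally

def embedded_target(url, max_decode=3):
    """Return an absolute URL on a different host carried inside the link, else None."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    # parse_qsl already percent-decodes each value once; the path is checked as well
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)] + [parts.path]
    for value in values:
        for _ in range(max_decode):      # peel nested percent-encoding layers
            m = INNER_RE.search(value)
            if m:
                inner = (urlsplit(m.group(0)).hostname or "").lower()
                if inner and inner != outer:
                    return m.group(0)
                break                    # same-host redirect: not of interest here
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return None

def scan(body):
    """Return (kind, link_host, hidden_target) for each suspicious link in a message body."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        target = embedded_target(url)
        if target:
            findings.append(("redirect", host, target))
        elif host in SHORTENERS:
            findings.append(("shortener", host, None))
    return findings

# Constructed sample message body (all hosts are placeholders under .example, except bit.ly)
SAMPLE = """Your invoice is ready: https://track.mailer.example/click?id=81&u=https%3A%2F%2Flogin.attacker.example%2Fo365
Unsubscribe: https://track.mailer.example/unsub?id=81
Docs: https://news.vendor.example/out?next=https%253A%252F%252Fpay.attacker.example%252Fa
Help: https://vendor.example/go?to=https%3A%2F%2Fvendor.example%2Fhelp
Short: https://bit.ly/3xAmPlE
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit is a triage signal rather than a verdict: legitimate tracking links also redirect, so the hidden target still needs a reputation or sandbox check.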

PDFs remain the dominant file format for malicious attachments at 64%, with a rising proportion now containing embedded QR codes to facilitate attacks.

Exploitation mechanisms after delivery

In the final stage of attacks, cybercriminals rely on exploitation mechanisms such as HTTP POST to remote servers, accounting for 52% of observed cases, with email exfiltration reported in 30%.

"It's clear what the threat actors are doing – they are outsmarting humans through hyper-personalised phishing techniques using the full capability of AI and deploying at scale," Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group, says. "Organisations can no longer rely on standard cybersecurity processes, techniques, and technology. They need comprehensive and advanced email security solutions that can help them to deploy like-for-like defenses – at the very least – if not help them stay a step ahead of the tactics used by cybercriminals."

The report draws on intelligence gathered by VIPRE Antivirus Lab through continual analysis of email threats.
