Severity
High
Analysis Summary
Email-based threats reached a tipping point in Q3 2025, with attackers increasingly targeting the two largest email ecosystems, Microsoft Outlook and Google Gmail. Analysis of 1.8 billion emails by security researchers revealed a 13% year-over-year increase in malicious messages, 26 million more than in the same period last year. Over 90% of phishing attacks are now aimed at these two platforms, a deliberate shift in attacker strategy toward the largest possible pool of victims.
Attackers are moving away from complex malware and instead weaponizing simplicity, leveraging common techniques in highly effective ways to evade conventional defenses. Malicious emails are now roughly evenly divided between content-based and link-based threats, each accounting for 48–52% of attacks. Notably, 148,000 previously unknown malicious attachments and over 67,000 new malicious links bypassed traditional filters, detected only through advanced sandboxing, demonstrating the evolving sophistication of threat delivery.
According to the researchers, a key evasion tactic is the use of compromised legitimate URLs and open redirects: 79.4% of phishing URLs abuse established websites rather than newly registered domains. The link the user sees, and the link a reputation filter scores, belongs to a trusted organization; the victim only reaches the credential-harvesting page after one or more redirects, which security tools that evaluate the initial URL and never follow the chain do not see. The focus on Outlook and Gmail is strategic: it lets attackers reach massive user bases with little platform-specific customization.
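The following Python script, added here as an illustration and not part of the researchers' analysis, follows a URL through every redirect hop (HTTP 3xx Location headers and HTML meta refresh) and flags the two signs described above: an open-redirect parameter on the first hop, and a chain that ends on a different domain than it started on. The responses are a constructed in-memory table (the hostnames trusted-charity.example, cdn-host.example and login-m1crosoft.example are invented) so the script runs offline; in production `fetch` would wrap an HTTP client with automatic redirects disabled. It also shows what the remediation item on analyzing full redirect chains amounts to in practice.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed responses standing in for live HTTP: url -> (status, headers, body).
# Hop 1 is an open redirect on a legitimate-looking domain, hop 2 a meta-refresh
# bounce, hop 3 the credential-harvesting page. All hostnames are invented.
RESPONSES = {
    "https://trusted-charity.example/go?next=https://cdn-host.example/r/abc": (
        302, {"Location": "https://cdn-host.example/r/abc"}, ""),
    "https://cdn-host.example/r/abc": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=https://login-m1crosoft.example/auth"></head></html>'),
    "https://login-m1crosoft.example/auth": (
        200, {"Content-Type": "text/html"}, "<html><body>Sign in</body></html>"),
}


def fetch(url):
    """Stand-in for an HTTP GET with redirects disabled (swap for a real client)."""
    return RESPONSES.get(url, (404, {}, ""))


class MetaRefresh(HTMLParser):
    """Extracts the target of <meta http-equiv="refresh" content="0;url=..."> if present."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m:
                self.target = m.group(1)


def next_hop(url, status, headers, body):
    """Next URL in the chain from a 3xx Location or a meta refresh, or None at the end."""
    if 300 <= status < 400 and headers.get("Location"):
        return urljoin(url, headers["Location"])
    if "text/html" in headers.get("Content-Type", ""):
        parser = MetaRefresh()
        parser.feed(body)
        if parser.target:
            return urljoin(url, parser.target)
    return None


def embedded_urls(url):
    """Query parameter values that are themselves absolute URLs: the open-redirect signature."""
    values = [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]
    return [v for v in values if v.lower().startswith(("http://", "https://"))]


def resolve_chain(url, max_hops=10):
    """Follow redirects hop by hop, stopping at a terminal page, a loop, or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(chain[-1])
        nxt = next_hop(chain[-1], status, headers, body)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def assess(url):
    """Return the full chain plus the findings a first-URL-only check would miss."""
    chain = resolve_chain(url)
    hosts = [urlsplit(u).hostname for u in chain]
    findings = []
    if embedded_urls(url):
        findings.append("open-redirect parameter on the first hop")
    if len(set(hosts)) > 1:
        findings.append("chain crosses domains: %s -> %s" % (hosts[0], hosts[-1]))
    return {"chain": chain, "final_host": hosts[-1], "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(next(iter(RESPONSES))), indent=2))
```

A reputation check on the first URL alone scores trusted-charity.example and passes; only the resolved `final_host` reveals the look-alike login domain. When wiring this to a real client, keep redirects disabled so every intermediate hop is recorded, and cap hop count and total time, since attackers also use slow or looping chains to exhaust scanners.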
The infection chain typically begins with social engineering, predominantly via PDF attachments that account for 75% of malicious files. These documents trick users into providing credentials through fake login prompts or urgent security alerts. Once credentials are harvested, attackers achieve persistent access to email accounts and connected cloud services, facilitating lateral movement within organizations. Multi-step redirect chains and a surge in commercial spam further complicate detection, making it increasingly difficult for both automated systems and human operators to distinguish malicious activity from legitimate communications.
Impact
- Security Bypass
- Gain Access
Remediation
- Implement advanced email security solutions that include sandboxing and full URL inspection to detect previously unknown malicious attachments and links.
- Enable multi-factor authentication (MFA) on all email accounts to prevent unauthorized access even if credentials are compromised.
- Educate employees on phishing awareness, emphasizing the risks of opening PDF attachments and clicking links in emails, even from trusted sources.
- Monitor for unusual login activity and configure alerts for suspicious access to email and connected cloud services.
- Regularly update and patch email clients and associated software to minimize exploitable vulnerabilities.
- Publish SPF and DKIM for every sending domain and enforce them with a DMARC policy (p=quarantine or p=reject, with aggregate reporting enabled) to reduce the risk of your domains being spoofed.
- Follow the full redirect chain of a URL, including open-redirect parameters on otherwise legitimate domains, rather than checking only the first URL, so that masked malicious destinations are detected.
- Segment networks and limit lateral movement, so compromised accounts cannot easily access sensitive organizational resources.
- Continuously monitor spam trends and adjust filtering rules to reduce background noise that may obscure malicious emails.
- Conduct periodic phishing simulations and drills to test employee response and reinforce best practices.
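As an added example of what the SPF/DKIM/DMARC item above means in practice (this is illustrative code, not part of the original advisory), the following Python checker parses a domain's SPF and DMARC TXT records and flags the settings that leave the domain spoofable: a missing record, a permissive `all` qualifier, a DMARC policy of `none`, a partial `pct`, or no aggregate-report address. The records come from a constructed in-memory table (the domains weak.example, strong.example and open.example are invented) so it runs offline; `lookup_txt` would wrap a DNS resolver in production. It does not attempt full SPF evaluation (include expansion, the 10-lookup limit) or DKIM selector checks.

```python
import re

# Constructed TXT records standing in for DNS; all domains are invented.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:reports@strong.example; pct=100"],
    "open.example": ["v=spf1 ip4:203.0.113.0/24 +all"],  # no _dmarc record at all
}

# The 'all' mechanism with its optional qualifier: +all, -all, ~all, ?all or bare all.
SPF_ALL = re.compile(r"^([+\-~?])?all$", re.I)


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup (swap for dns.resolver.resolve(name, 'TXT'))."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain):
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: receivers cannot tell authorised senders from forgers"]
    if len(records) > 1:
        return ["multiple SPF records: evaluates to permerror, effectively no SPF"]
    for token in records[0].split()[1:]:
        m = SPF_ALL.match(token)
        if m:
            qualifier = m.group(1) or "+"  # a bare 'all' defaults to pass
            if qualifier == "+":
                return ["SPF +all: every sender passes, the record is useless"]
            if qualifier in "~?":
                return ["SPF %sall: forged mail is only softfailed/neutral, not failed" % qualifier]
            return []  # -all: unlisted senders hard-fail
    return ["SPF record has no 'all' mechanism: unlisted senders get a neutral result"]


def check_dmarc(domain):
    records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: SPF/DKIM results are never enforced on the From: domain"]
    tags = parse_dmarc(records[0])
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam; p=reject is stronger")
    elif policy != "reject":
        findings.append("DMARC p=%s: unknown policy value" % policy)
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("DMARC pct=%d: policy applied to only a sample of mail" % pct)
    if "rua" not in tags:
        findings.append("DMARC has no rua: no aggregate reports, so spoofing goes unseen")
    return findings


def check_domain(domain):
    """All findings for one domain; an empty list means SPF -all plus DMARC p=reject with reporting."""
    return check_spf(domain) + check_dmarc(domain)


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "open.example"):
        print(d, check_domain(d) or ["OK"])
```

Run this against your own domains after any mail-provider change: a record that drifted from `-all` to `~all`, or a DMARC deployment that was left at `p=none` after the monitoring phase, is exactly the gap that lets a phishing message carrying your domain in the From: header reach Outlook and Gmail inboxes.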

