Our latest Phishing Threat Trends Report explores the evolving phishing landscape in 2025, from renewed tactics to emerging attack techniques.
Ransomware may be an “old” threat, but new tactics are making people more susceptible than ever. In this edition, we break down a highly advanced attack detected by KnowBe4 Defend that bypassed native security and a secure email gateway (SEG)—and would have been nearly impossible to stop if launched. We also examine how cybercriminals are using AI for polymorphic phishing, infiltrating the hiring process, and evading traditional security defenses.
Unless otherwise cited, all statistics in the report have been generated using data from KnowBe4 Defend, our integrated cloud email security (ICES) solution that detects the full spectrum of advanced phishing attacks.
A Spike in Phishing
Between September 15, 2024 and February 14, 2025, there was a 17.3% increase in phishing emails compared to the previous six-month period. 57.9% of these were sent from compromised accounts, and 11.4% of those from compromised accounts were sent from within the organization's supply chain. A quarter (25.9%) of the attacks contained an attachment, one-fifth (20%) relied solely on social engineering techniques and over half (54.9%) contained a phishing hyperlink payload.
AI-Polymorphic Phishing Campaigns
Polymorphic phishing attacks are being deployed at an unprecedented scale, making detection and remediation increasingly difficult. AI has enabled cybercriminals to execute these campaigns more efficiently, generating subtle variations that bypass traditional security measures like blocklists, secure email gateways (SEGs), and native security tools. In 2024, at least one polymorphic feature was present in 76.4% of all phishing attacks and in 57.49% of commodity attacks (white noise phishing).
Ransomware is Once Again on the Rise
Ransomware payloads in phishing attacks have surged, with a 22.6% increase from September 15, 2024, to February 15, 2025, compared to the previous six months. This trend is accelerating, with a 57.5% spike between November 1, 2024, and February 15, 2025, versus the prior three months. This report analyzes a sophisticated INC Ransom payload detected by KnowBe4 Defend. The payload employs advanced techniques, including sophisticated obfuscation to conceal the malicious code, that make it virtually impossible to detect using anti-virus software and would have made it virtually impossible to stop had it been launched.
Cybercriminals are Hijacking the Hiring Process
KnowBe4's threat intelligence team examined over 500 hiring-based attacks, finding that engineering roles were disproportionately targeted, accounting for 64% of incidents, followed by finance (12%), HR (10%), IT (10%), product (2%) and other roles (4%). Cybercriminals focus on software engineers due to their high job mobility and privileged access to critical systems and data—often without in-person verification—making them prime targets for credential theft and network infiltration.
Bypassing Secure Email Gateways (SEGs)
As many organizations depend on SEG technology to filter out threats, cybercriminals continuously refine their tactics, investing time and resources into developing sophisticated attacks designed to evade detection and infiltrate corporate networks.
Between September 15, 2024 and February 14, 2025, three payload types experienced a significant increase in bypassing Microsoft and SEG detection compared to the previous six-month period: phishing hyperlinks (36.8% increase), malware (20.0% increase) and social engineering only (14.2% increase). Three of the top seven legitimate domains we observed cybercriminals hijacking to bypass traditional technologies were google.com, sharepoint.com and dropbox.com. Finally, there was a 22.7% increase in the use of technical measures to obfuscate attacks and payloads, such as image-based payloads, invisible characters and left-to-right override.
To find out more about the latest Phishing Threat Trends, read the full report here.