Phishing for Love: A Sharp Surge in Valentine’s Day-Themed Scams



Authors: Martin Kraemer, Security Awareness Advocate at KnowBe4 and James Dyer, Threat Intelligence Lead at KnowBe4

This Valentine’s Day, Cupid wasn’t the only one taking aim. Our Threat Research team noted a 34.8% increase in Valentine-related threat traffic compared with February 2024.

Leveraging impersonation and social engineering techniques, attackers have used a seasonal event to exploit heightened emotions and a sense of urgency, effectively increasing the likelihood of success in their phishing campaigns.

Our team observed these attacks beginning on February 2nd this year, compared to January 29th last year, peaking on February 3rd. Interestingly, despite the later start in 2024, their volume as a percentage of mail flow is higher than in previous years.

Quick attack summary 
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team.

These campaigns were primarily link-based: attackers exploited the cultural buzz around Valentine’s Day with phishing emails themed on the event. In fact, our Threat Research team found that 8.45% of phishing emails made some form of reference to ‘valentines’ between February 2nd and 11th, 2025.

Many of these attacks impersonated well-known brands, using a single image in the email body that directs the recipient to a malicious site. Some also employed link obfuscation techniques to conceal the end destination. These two concepts are explained in further detail below. 

Vector and type: Email phishing   
Technique: Hyperlink obfuscation and brand impersonation 
Targets: Global  
Platform: Microsoft 365

Top 5 brands impersonated in Valentine’s-themed campaigns: 

  1. Hilton (Luxury Hotel)
  2. Marriott Bonvoy (Luxury Hotel) 
  3. Walmart (Commerce)
  4. Amazon (Commerce)
  5. 7-Eleven (Commerce)

Breakdown of payloads present in the attacks: 

  • Links: 82.6%
  • Attachments: 11.2%
  • Social engineering: 4.8%
  • Malware: 1.5%

Example 1 - A Typical Attack 
In the attack analyzed below, the cybercriminal has sent a phishing email impersonating the large luxury hotel provider Marriott Bonvoy with a stylized template that mimics Marriott's branding to leverage consumer confidence in the brand’s reputation and lower recipient suspicion. 

The attack directs the recipient to click on a link that will supposedly reveal their ‘exclusive’ deal, ‘just in time’ for Valentine’s Day. Here, the attacker is employing social engineering tactics that exploit the general excitement people feel about exclusivity and budget deals - especially for a luxury experience. They have also added a sense of urgency by implying the recipient must act quickly to secure the deal.

The email’s body consists of a single embedded image rather than separate components like text and buttons typically found in standard emails. In other words, the entire email functions as a screenshot, designed to appear as a normal message. 

This is an obfuscation technique designed to limit the detection efficacy of email security tools. Without text to scan, the traditional signature-based detection in Microsoft’s native security and secure email gateways (SEGs) cannot identify hyperlinks to known phishing websites, and more advanced tools, such as natural language processing (NLP) and natural language understanding (NLU), cannot pick up the linguistic markers of social engineering, such as urgent or emotive language. This is likely why our Threat Research team saw the attacks bypass various configurations of Microsoft 365’s security tools. 

Screenshot of a phishing attack impersonating Marriott Hotel with KnowBe4 Defend’s anti-phishing banners applied. 

For tools like KnowBe4 Defend to identify such attacks, they must take a holistic approach to phishing detection, analyzing all indicators that can show malicious intent. Factors like subject line and sender analysis, as well as recognizing when the email is composed primarily of a single image enabled us to detect these phishing emails after they got through native and SEG security. 

If the recipient hovers over the image, a preview of the destination hyperlink will appear. This link itself can be seen in the link-scanning screenshot below. The attacker has employed a technique called 'typosquatting' (a form of link obfuscation), where they modify a few characters in a registered ‘lookalike’ domain to make it visually similar to the legitimate domain.

In this case, the attacker slightly misspelled "Marriott" by removing a single 'r' and used a different top-level domain, replacing '.com' with '.us'. The attacker hopes that these subtle discrepancies will go unnoticed, leading the recipient to click the link without suspicion.
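The two indicators described above, an email body that is a single linked image and a link domain that is a lookalike of a known brand, can be checked mechanically. The following is an added example written for this post, not KnowBe4 Defend’s code; the brand list, the regex-based HTML parsing, the 20-character text threshold and the sample email are all constructed assumptions.

```python
import re

# Legitimate domains of the brands this post names; a real deployment loads a larger list.
BRANDS = {"marriott.com", "hilton.com", "walmart.com", "amazon.com", "7-eleven.com"}

def body_parts(html_body):
    # Image count, hrefs and visible text, pulled out with simple regexes (demo-grade parsing).
    images = len(re.findall(r"<img\b", html_body, re.I))
    links = re.findall(r"""href\s*=\s*["']([^"']+)""", html_body, re.I)
    text = re.sub(r"<[^>]+>", " ", html_body)
    return images, links, "".join(text.split())

def registrable_domain(url):
    # Last two host labels; simplified (ignores multi-part suffixes such as co.uk).
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower()).split("/")[0]
    return ".".join(host.split("@")[-1].split(":")[0].split(".")[-2:])

def edit_distance(a, b):
    # Levenshtein distance; one edit covers a dropped, added or swapped character.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # Brand the domain resembles: same label on a different TLD, or one typo away.
    label = domain.split(".")[0]
    for brand in sorted(BRANDS):
        if domain != brand and edit_distance(label, brand.split(".")[0]) <= 1:
            return brand
    return None

def analyse(html_body):
    # Findings for one HTML email body: image-only layout and/or lookalike link domains.
    images, links, text = body_parts(html_body)
    findings = []
    if images == 1 and links and len(text) < 20:
        findings.append("image-only body")
    for domain in sorted({registrable_domain(link) for link in links}):
        brand = lookalike_of(domain)
        if brand:
            findings.append(f"lookalike domain {domain} resembles {brand}")
    return findings

# Constructed sample mirroring the Marriott example: one image wrapped in a link to a
# domain with an 'r' dropped and the TLD swapped to .us (placeholder, not a real IoC).
SAMPLE = '<a href="https://mariott.us/valentines-deal"><img src="cid:offer.png"></a>'
```

Running `analyse(SAMPLE)` flags both the image-only body and the lookalike domain, while a normal text email linking to the genuine brand domain produces no findings.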

Screenshot of a partly redacted end destination link if a recipient were to click on it, processed through a link re-writer.

If a recipient does not have an anti-phishing tool to identify and block the link, clicking it would trigger a Captcha, as shown in the screenshot below. Normally used to verify that a user is human rather than an automated bot, Captchas in these types of attacks are employed to block certain forms of link scanning functionality, including end-destination scanning, preventing security tools from detecting malicious sites.

From there, the malicious site could be used to harvest the recipient's credentials, download malware onto their device, and potentially steal sensitive information or gain unauthorized access to personal or organizational accounts.

Screenshot of the captcha that appears if the malicious link was clicked 

Example 2 - Combining Seasonal Events
Cybercriminals took it a step further over Super Bowl Weekend (February 8th-9th), leveraging the excitement of a major cultural event alongside Valentine’s Day to create a double threat, targeting victims with highly relevant and timely scams. 

In this example, the attackers have impersonated the NFL. However, the template is less sophisticated than the first, using a mix of images, links, and text within the body. The message urges the recipient to click a link to claim a free gift, once again employing social engineering tactics like time limits to create a sense of urgency.

Screenshot of a phishing attack that impersonates the NFL, with KnowBe4 anti-phishing banners applied. 

Mitigating Advanced Threats with Human Risk Management 
In 2024, we saw a 43% increase in attacks impersonating dating apps, highlighting that cybercriminals have recognized the effectiveness of exploiting this holiday season—tapping into heightened emotions and people's desire for a good deal.

These attacks are strategically timed to align with an increase in legitimate emails about holidays and key events, maximizing their chances of success. It’s no surprise, then, that we’ve seen a 34.81% increase in Valentine’s Day-themed scams this year. Cybercriminals only pursue attacks that deliver a return, and clearly, these tactics are paying off.

To effectively combat these threats, it's crucial to pair timely user education and coaching with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is essential, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks. 

So this Valentine’s Day, love may have been in the air, but so were cyber threats. As we celebrated the season of love, we had to remember that cybercriminals were also targeting our hearts—and our personal data. While Valentine’s Day has passed, the need to stay alert and cautious when clicking on links or sharing sensitive information remains important all year round.
