Email-based threats have reached a critical inflection point in the third quarter of 2025.
Threat actors are systematically exploiting weaknesses in traditional email security defenses by targeting the world’s two largest email ecosystems: Microsoft Outlook and Google Gmail.
The Q3 Email Threat Trends Report reveals that over 90 percent of phishing attacks now concentrate on these two platforms, signaling a deliberate shift in attacker strategy toward high-value targets.
The scale of this campaign is staggering. VIPRE security researchers analyzed 1.8 billion emails across the quarter and identified 26 million more malicious messages compared to the same period last year—a 13 percent year-over-year increase.
What’s particularly alarming is that attackers are no longer relying on sophisticated malware alone. Instead, they are weaponizing simplicity itself, leveraging everyday methods in extraordinarily clever ways to slip past conventional security layers.
The attack landscape has fundamentally shifted. Malicious emails are now evenly split between content-based threats and link-based attacks, each accounting for approximately 48 to 52 percent of detected threats.
More concerning is that 148,000 previously unknown malicious attachments bypassed traditional filters during the quarter, caught only through advanced sandboxing techniques.
Additionally, VIPRE detected over 67,000 malicious links that had never been encountered before, underscoring the continuous evolution of threat delivery mechanisms.
VIPRE security analysts identified a sophisticated evasion pattern emerging across these campaigns.
Threat actors are using compromised legitimate URLs and open redirect techniques to mask their malicious landing pages.
Approximately 79.4 percent of phishing URLs exploit compromised websites rather than newly registered domains, allowing attackers to inherit the reputation scores of legitimate enterprises.
When a user clicks what appears to be a trusted link originating from a known organization, they are silently redirected to a credential harvesting page.
This technique defeats email security tools that scan only the top-level URL without analyzing full request chains.
The targeting of Outlook and Google represents a calculated business decision by attackers. Both platforms host massive enterprise and personal user bases, making them high-probability targets for credential theft and business email compromise attacks.
By focusing on these two ecosystems, threat actors eliminate the need for platform-specific customization while maximizing potential returns on their operational investment.
Infection mechanism
The infection mechanism employed in these campaigns typically begins with social engineering.
Phishing attachments predominantly consist of PDF files, which represent 75 percent of all malicious attachments.
These documents are universally trusted as legitimate business correspondence, providing the perfect trojan horse for initial compromise.
Upon opening, users encounter fake login screens or requests for credential verification, often disguised as urgent security alerts or account verification requirements specific to their email provider.
Persistence tactics have evolved beyond traditional malware installation. Instead of establishing persistence through system-level modifications, attackers now focus on account takeover through credential harvesting.
Once email credentials are compromised, attackers gain persistent access to both the inbox and connected cloud services, enabling lateral movement through organizational networks.
Detection evasion remains central to these attacks. By splitting multi-step redirect chains across parent URLs and landing pages, attackers ensure that security scanners analyzing individual components miss the complete attack chain.
When combined with the 60 percent surge in commercial spam creating background noise, distinguishing legitimate from malicious messages becomes increasingly difficult for both automated systems and human analysts.
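The open-redirect and split-chain evasion described above (compromised parent URL, then a redirect into the harvesting page) is only caught by a scanner that unwraps the whole chain rather than scoring the top-level URL. The following is an added example, not code from VIPRE or its report: it follows server-side hops and embedded redirect parameters to the final landing host and flags the link when that host differs from the parent host. The domains, parameter names and the hop map are constructed placeholders; real network fetches are replaced by an offline dictionary of Location headers.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Query parameters commonly used by open-redirect endpoints (assumed list).
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "target", "u")


def embedded_target(url):
    """Return an absolute http(s) URL carried in a redirect query parameter, if any."""
    qs = parse_qs(urlparse(url).query)
    for key in REDIRECT_PARAMS:
        for value in qs.get(key, []):
            value = unquote(value)
            if urlparse(value).scheme in ("http", "https"):
                return value
    return None


def resolve_chain(url, hops, max_hops=10):
    """Follow server-side hops (a constructed map standing in for 302 Location
    headers) and client-visible redirect parameters until the chain stops.
    Loops and over-long chains are cut off by the seen-set and max_hops."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        current = chain[-1]
        nxt = hops.get(current) or embedded_target(current)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def analyze(url, hops):
    """Score a link: suspicious when the final landing host differs from the
    host the user believes they clicked (the parent URL)."""
    chain = resolve_chain(url, hops)
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    host_changed = first_host != final_host
    return {"chain": chain, "hops": len(chain) - 1,
            "host_changed": host_changed,
            "suspicious": len(chain) > 1 and host_changed}


# Constructed sample: a compromised, reputable-looking site 302s into its own
# open-redirect endpoint whose "url" parameter points at a credential page.
SAMPLE_HOPS = {
    "https://trusted-example.test/newsletter/view?id=42":
        "https://trusted-example.test/go?url=https%3A%2F%2Flogin-verify.example%2Foutlook",
}
```

A scanner that only scored `https://trusted-example.test/newsletter/view?id=42` would see a reputable host; unwrapping the chain exposes `login-verify.example` as the real landing host.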
