
VIPRE Security Group, a leading provider of cybersecurity, privacy, and data protection solutions, recently unveiled its email threat landscape report for Q2 2025. Key findings include:
- 58 percent of phishing sites now use unidentifiable phishing kits. Cybercriminals are deploying unidentifiable phishing kits to propagate malicious campaigns at scale, indicating a trend towards custom-made or obfuscated deployments. These phishing kits can’t easily be reverse-engineered, tracked, or caught. AI makes them affordable, too. Among the most prevalent are Evilginx, Tycoon 2FA and 16shop.
- For the sixth quarter in a row, the Manufacturing sector remains the prime target for cybercriminals. In Q2 2025, manufacturers faced the highest volume of email-based attacks – 26 percent of all incidents – encompassing BEC, phishing, and malspam threats.
- English-speaking executives remain the most targeted for BEC emails (42 percent). Critical corporate communications – especially within HR, finance, and executive teams – often take place in native languages, making localized attacks more convincing.
- Impersonation is the most common technique used in BEC scams, with 82 percent of attempts targeting CEOs and executives.
- Lumma Stealer is the most encountered malware family found in the wild during Q2. Analysis shows that it is often delivered via malicious .docx, .html, or .pdf attachments, or through phishing links hosted on compromised or legitimate-looking cloud services such as OneDrive and Google Drive. Lumma Stealer is sold as Malware-as-a-Service (MaaS), making it accessible to a broad range of cybercriminals. With active developer support and low cost, it is proving attractive to both novices and experienced cybercriminals.
- Financial lures (emails regarding money, financial errors, fiduciary imperatives, and such), representing 35 percent of the samples, were the number one ploy used by cybercriminals to get users to open malicious emails.
- Urgency-based messaging (25 percent) is the second most tried approach, followed by account verification and updates, travel-themed messages, package delivery, and legal or HR notices.
- For phishing delivery, the majority (54 percent) of cybercriminals leveraged open redirect mechanisms, with legitimate-looking links hosted on marketing services, email tracking systems, and even security platforms to mask the true malicious destination. Compromised websites (30 percent) are the next most prevalent link delivery method, followed by the use of URL shorteners.
- While PDFs (64 percent) remain the preferred vehicle for delivering malicious attachments, an increasing number now feature embedded QR codes designed to carry out attacks.
- Cybercriminals are finishing off their attacks with various exploitation mechanisms, the most observed being HTTP POST to a remote server (52 percent) and email exfiltration (30 percent).
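
The open redirect finding above lends itself to a simple mail-gateway check: flag any link whose query string carries an absolute URL on a different host than the link itself. The following is an added example, not code from the VIPRE report; the function names and the sample links (all under the reserved .example domain) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_DECODE_ROUNDS = 3  # redirect targets are often percent-encoded more than once


def _decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_targets(url):
    """Return (param, target_host) for each query parameter whose value is an
    absolute http(s) URL on a different host than the link itself."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = _decode(raw).strip()
        if value.startswith("//"):  # scheme-relative target
            value = "https:" + value
        try:
            inner = urlsplit(value)
        except ValueError:  # malformed value, e.g. a broken IPv6 literal
            continue
        host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and host and host != outer:
            hits.append((name, host))
    return hits


# Constructed sample links; every hostname is a placeholder, not from the report.
SAMPLES = [
    "https://track.mailer.example/click?id=42&url=https%3A%2F%2Flogin.unrelated-site.example%2Fo365",
    "https://track.mailer.example/click?id=42&next=%252F%252Funrelated-site.example%252Fa",
    "https://shop.example/cart?return=https%3A%2F%2Fshop.example%2Fcheckout",
    "https://shop.example/search?q=open+redirect",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", embedded_targets(link) or "no cross-host target")
```

A hit is a signal to resolve and inspect the final destination, not a verdict: legitimate tracking links redirect across hosts too, so pair the check with an allowlist of the organization's own domains.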