Threats improve to slip past firewalls and filters

The latest Cyber Threat Intelligence Report from Hoxhunt looks at the quantity and quality of threats that bypass firewalls and email filters.
It finds that attackers are improving their techniques to create more credible threats, which are more likely to slip past defenses. Phishing techniques are improving with cleaner language, more convincing formatting and more believable workflow mimicry.
At the same time, phishing has begun to leave email environments and move into social platforms, recruitment channels and other communication layers that shape professional identity. Social-media links in malicious emails have increased by 600 percent since 2023, driven largely by compromised business email signatures that contain social media profiles.
“It is essential to measure the threats that make it through defenses because that is the point where real exposure begins, and those are the threats we must prioritize as we continuously adapt our defenses,” Mika Aalto, co-founder and CEO of Hoxhunt, says. “This year, the data showed that our risk was shaped far more by refined versions of classic phishing than by polished AI deepfakes.”
The report also shows that adversary-in-the-middle (AitM) kits have become easier to deploy and are far more dangerous than traditional phishing kits. AitM attacks can circumvent even strong MFA.
Attackers are increasingly exploiting trusted services to deliver their attacks. Abuse of Salesforce’s mailing service increased threefold in six months, rising from 0.6 percent of malicious emails in January to 1.8 percent in June 2025. In Google environments, gmail.com accounted for 30 percent of malicious sender domains, almost twice outlook.com at 18 percent. In Microsoft environments, gmail.com accounted for six percent of malicious sender domains, triple outlook.com at two percent.
PDF files remain the top malicious attachment type at 23.7 percent, followed by HTML at 5.6 percent, SVG at 5.0 percent, Word documents at 4.4 percent, and EML files at 1.4 percent. However, malicious HTML attachments have dropped by nearly half, declining from 10 percent of attachment-based attacks in 2024 to 5.6 percent in 2025. Malicious QR codes have also fallen from more than 20 percent of threats during their 2023 peak to less than two percent in the first half of 2025.
Looking at regional variations, voicemail-themed phishing is significantly more common in the US than in Europe or Asia-Pacific, likely due to broader adoption of voicemail-to-email and VoIP systems in hybrid work environments. In Asia, ‘business opportunity’ lures are more common, while in Europe threat actors more frequently seek to exploit trust in traditional financial institutions.
Pyry Åvist, co-founder and CTO of Hoxhunt, says, “Attackers may use advanced deepfake tools, but our core psychology is the same as it was twenty thousand years ago when survival depended on noticing what felt out of place in jungles and riverbanks. When employees develop that same instinct in digital environments, they can keep themselves and those around them safe from even highly polished deepfakes because something in the interaction will be out-of-context and it will feel off.”
The full report is available from the Hoxhunt site.
Image credit: denisismagilov/depositphotos.com
