Key Takeaways From KnowBe4's Phishing Threat Trends Report [Ungated]

By: Glenn Sweeney
May 6, 2025

KnowBe4 recently released its 2025 Phishing Threat Trends Report. It’s 20 pages long, and it’s gated, so I’ve boiled down what you need to know in a shorter, more skimmable version. What KnowBe4’s team found is alarming, but you probably could have guessed that all on your own. More to the point, their findings reveal a significant increase in the sophistication and volume of phishing attacks. 

Here’s a deeper dive into the data so you can use it to help protect your organization’s data and its people. 

How This Year’s Report Should Inform Your Cybersecurity Training

As email and other security tools have gotten better at catching malware and phishing emails before they wriggle their way into your staff’s inbox, predictably, hackers have worked harder at trying to evade detection. Here’s what you should know: 

1. AI Is Helping Hackers Morph Their Phishing Scams 

Cybercriminals have dramatically escalated their use of artificial intelligence to create "polymorphic" phishing campaigns. 

Polymorphic phishing refers to multiple variants of essentially the same phishing email. Because most cybersecurity tools look for patterns, small changes from email to email help hackers avoid detection. 

Here are a few stats from KnowBe4’s report that drive the point home: 

[Infographic: Polymorphic Phishing Stats (not reproduced here)]

Here are some examples of what hackers are changing to avoid detection: 

  • Organization logos
  • Destination links
  • Sender email domains
  • Randomized characters in subject lines (often hidden behind preview cutoffs)
  • Invisible characters to "break" AI-based detection systems 

Takeaway: KnowBe4 estimates that by 2027, the traditional method of grouping phishing emails so tools can detect them will become virtually impossible. 
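As an added illustration (not code from KnowBe4's report or this post), here is a small Python routine that canonicalizes messages before comparing them, so variants that differ only in links, sender domains, random subject suffixes or invisible characters still group together for detection; the sample messages and domains are constructed placeholders.

```python
import re
import unicodedata

URL_RE = re.compile(r"https?://\S+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
WORD_RE = re.compile(r"<url>|<email>|[a-z]{3,}")  # random alnum junk like q7k2p9 mostly falls out

def strip_invisible(text):
    """Drop Unicode format characters (zero-width space/joiner, BOM, soft hyphen) used to split tokens."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def fingerprint(sender, subject, body):
    """Canonical token set: links and addresses become placeholders so per-variant swaps don't matter."""
    text = strip_invisible(f"{sender} {subject} {body}").lower()
    text = EMAIL_RE.sub(" <email> ", text)
    text = URL_RE.sub(" <url> ", text)
    return frozenset(WORD_RE.findall(text))

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster(messages, threshold=0.7):
    """Greedy single pass: a message joins the first cluster whose representative is similar enough."""
    clusters = []  # (representative fingerprint, member indices)
    for i, msg in enumerate(messages):
        fp = fingerprint(*msg)
        for rep, members in clusters:
            if jaccard(rep, fp) >= threshold:
                members.append(i)
                break
        else:
            clusters.append((fp, [i]))
    return [members for _, members in clusters]

# Constructed sample messages (sender, subject, body); domains are placeholders, not real indicators
SAMPLE = [
    ("billing@acme-invoices.example", "Urgent: Review your invoice",
     "Please sign the attached invoice at https://docs-portal.example/abc before Friday. Finance team."),
    ("accounts@acme-billing-portal.example", "Ur\u200bgent: Rev\u200biew your in\u200bvoice #Q7k2p9",
     "Please sign the attached invoice at https://share-files.example/xyz before Friday. Finance department."),
    ("hr@people-ops.example", "Sign the updated policy document",
     "HR requires all staff to sign the new handbook at https://hr-forms.example/sign."),
]

if __name__ == "__main__":
    print(cluster(SAMPLE))  # [[0, 1], [2]]: the two polymorphic variants land in one cluster
```

The threshold is a tuning knob: too low merges unrelated mail, too high lets heavily reworded variants escape, so calibrate it against your own known-phish corpus.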

2. Ransomware Is Back in a Big Way 

While we’re happy to report that fewer victims are paying the ransoms, KnowBe4 noted a few troubling trends. 

Here’s what you should know:  

Here’s why that last bullet (attackers using larger files to slip past scanners) has your friendly cybersecurity experts worried: larger files take longer to scan, which gives an advantage to attackers. For example, if a security scan times out, the system might default to allowing the file through. Security tools may also resort to scanning only portions of a large file and miss malicious components. Finally, large files consume more system resources, which can make security scans less effective overall. 

The report also detailed a single, highly sophisticated INC Ransom attack that employed multiple evasion techniques:

  • Password-protected zip files to prevent scanning
  • AI-generated text to confuse security systems
  • Obfuscated URLs using string reversal in script and Base64 encoding
  • URL fragments scattered throughout HTML to avoid detection
  • Mechanisms to prevent users from stopping execution (disabling right-clicks, DevTools access, and using debugger detection)

All of these techniques working together helped the attack bypass both Microsoft 365’s native security as well as the organization's secure email gateway.
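The following is an added example (not the report's or Marco's code) that ties together the last two points: an attachment triage routine that quarantines on scan timeout or oversize input instead of failing open, plus a lightweight HTML heuristic scanner that flags the markers listed above and recovers URLs hidden behind reversed Base64. The size budget, the sample attachment and its URL are constructed assumptions, not indicators from the report.

```python
import base64
import re
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as ScanTimeout

ALLOW, QUARANTINE = "allow", "quarantine"
MAX_SCAN_BYTES = 5_000_000  # assumed budget: larger files are held for review, never silently passed
HEURISTICS = {  # defender-side markers for the evasion tricks listed above (triage, not a sandbox)
    "reversed_string_decode": re.compile(r"split\(\s*['\"]['\"]\s*\)\.reverse\(\)\.join\(\s*['\"]['\"]\s*\)"),
    "base64_decode_call": re.compile(r"\batob\s*\("),
    "context_menu_blocked": re.compile(r"oncontextmenu\s*=", re.I),
    "debugger_statement": re.compile(r"\bdebugger\b"),
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
def decode_hidden_urls(html):
    """URLs that surface only after Base64 decoding, tried both as-is and string-reversed."""
    found = []
    for blob in B64_RE.findall(html):
        for cand in (blob, blob[::-1]):
            cand += "=" * (-len(cand) % 4)  # restore padding the regex or the reversal dropped
            try:
                plain = base64.b64decode(cand, validate=True).decode("utf-8", "ignore")
            except ValueError:  # binascii.Error is a ValueError
                continue
            found += re.findall(r"https?://\S+", plain)
    return found
def html_scanner(data):
    html = data.decode("utf-8", "ignore")
    hits = [name for name, rx in HEURISTICS.items() if rx.search(html)]
    return hits + [f"hidden_url:{u}" for u in decode_hidden_urls(html)]
def slow_scanner(data): time.sleep(0.3); return []  # stands in for an engine bogged down by a huge file
def scan_attachment(data, scanner, timeout_s=2.0):
    """Verdict for one attachment. Oversize input and scan timeouts quarantine: fail closed, not open."""
    if len(data) > MAX_SCAN_BYTES:
        return QUARANTINE, ["oversize_unscanned"]
    pool = ThreadPoolExecutor(max_workers=1)
    fut = pool.submit(scanner, data)
    try:
        hits = fut.result(timeout=timeout_s)
    except ScanTimeout:
        pool.shutdown(wait=False)
        return QUARANTINE, ["scan_timeout"]
    pool.shutdown()
    return (QUARANTINE if hits else ALLOW), hits
# Constructed sample HTML attachment (not from the report); the URL is a placeholder, not a real indicator
SAMPLE_URL = "https://bad-redirect.example/p"
SAMPLE_HTML = ('<html><body oncontextmenu="return false"><script>setInterval(function(){debugger;},100);'
               'var u=atob("%s".split("").reverse().join(""));</script></body></html>'
               % base64.b64encode(SAMPLE_URL.encode()).decode()[::-1]).encode()
```

Running `scan_attachment(SAMPLE_HTML, html_scanner)` returns a quarantine verdict with every marker plus the recovered URL, while `scan_attachment(b"x", slow_scanner, timeout_s=0.05)` shows the timeout path quarantining rather than passing the file.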

Takeaway: While fewer organizations are paying the ransom, sophisticated ransomware attacks that can bypass advanced security systems are getting easier to launch. So, unfortunately, it looks like ransomware will be with us for the foreseeable future.

3. Hackers Are Targeting Specific Roles and Departments

Cybercriminals are increasingly strategic about who they target within organizations. 

Their favorite roles last year included: 

  • Engineering (64%) 
  • Finance (12%) 
  • HR (10%) 
  • IT (10%)

Software engineering positions, in particular, are of high interest to hackers because they move between companies frequently and get privileged access to systems and data. 

The attack distribution methods are equally strategic:

[Infographic: Attack Distribution Stats (not reproduced here)]

The report also highlighted a concerning trend of cybercriminals applying for jobs to gain insider access. In fact, KnowBe4 revealed that it experienced an attempted infiltration by a fake employee who tried to install malware immediately upon receiving company equipment. “Kyle” had applied with a fake CV, an AI-manipulated headshot, and a fake Social Security number.

Cybercriminals are also exploiting the job application process, where downloading files has become common. 

Takeaway: There is no longer any online task where you can go on autopilot. And the line between insider and outsider threats is becoming increasingly blurred. 

4. Traditional Email Security Defenses Are Increasingly Ineffective

There's been a stark 47% increase in phishing emails evading detection by Microsoft's native security and secure email gateways (SEGs) in 2024. 

Here are the numbers: 

[Infographic: Email Security Stats (not reproduced here)]

How are cybercriminals getting past the gates? They’re exploiting trusted domains and accounts or hijacking legitimate domains — frequently Google, SharePoint, Dropbox, YouTube, and DocuSign, as well as links to Google Slides and Kahoot quizzes. They’re also using multiple URL redirects, invisible characters, large HTML sizes, and image-based emails with no scannable text. There’s more, but you get the idea. 

Takeaway: A link can appear completely innocuous and still be hiding a significant threat. So, every link in every email needs to be regarded with extreme suspicion.

5. New Employees Are Especially Vulnerable 

In the past six months, the report shows a 17.3% increase in phishing emails, and new employees typically receive their first phishing attempt within 3 weeks of starting, before they may be familiar with what’s normal for your organization’s workflows. 

The top three words used in phishing emails are especially telling — "Urgent," "Review," and "Sign."

Takeaway: Regular security awareness training is vital, but as part of the onboarding process, new employees should at least be provided with some idea of how your organization may be targeted and what types of emails or requests should be regarded with suspicion.  

The Importance of Cybersecurity Training for Employees

At Marco, we're continuously enhancing our cybersecurity tools and solutions to address these sophisticated threats. Yes, email security tools are becoming less effective, but they still can help you cut down on the volume of malicious emails your staff receive. 

Regular security awareness training for all employees — but especially those in engineering, finance, HR, and IT — has never been more important. Your training should also include simulated phishing exercises that reflect current attack techniques. When this type of training is thorough and engaging, it is remarkably effective. But the days of just providing a handout once a year and calling it good are over. 

Don’t currently have an awareness training program in place? Take a look at what we offer!
