Phishing continues to evolve at an alarming rate, with attacks increasing by 58% and projected financial losses reaching $3.5 billion. While familiar tactics still pose a threat, attackers are increasingly exploiting legitimate web services to mask their activity and slip past security safeguards. Organisations must stay ahead by understanding these evolving tactics and strengthening their defences. To equip you with the insights needed to stay ahead of these evolving threats, this blog explores the latest phishing trends and practical strategies to counter them.
The Evolution of Phishing in 2024
Gone are the days when phishing relied on obvious red flags such as typos and strange email addresses. In 2024, attackers have turned trusted business tools into Trojan horses, making malicious activity nearly indistinguishable from legitimate operations. By exploiting SaaS platforms, cloud storage, marketing automation, and even captcha services, cybercriminals seamlessly embed phishing campaigns within everyday workflows. Leveraging these widely trusted services allows them to slip past security filters undetected, transforming phishing from a crude deception into a sophisticated manipulation of the very infrastructure businesses rely on.

The real danger lies in how seamlessly these tactics intertwine. A phishing email may arrive from a reputable SaaS-based email service, directing recipients to a convincingly real-looking survey hosted on a legitimate customer feedback platform, while malware lurks behind a cloud storage link. By chaining multiple legitimate services into a single attack, phishing campaigns become harder to detect, not just for automated security tools, but for even the most vigilant users.
Phishing Trends to Watch in 2025
Phishing tactics continue to evolve, with attackers finding new ways to bypass security measures and exploit trusted services. As we progress through 2025, emerging trends point to even more sophisticated deception, making it vital for organisations to stay ahead. Let’s take a closer look at the key trends set to shape the phishing landscape in the year ahead.
QR Code Phishing
QR codes have become a trusted part of everyday interactions since the pandemic, making them a prime target for phishing attacks. By mid-September 2023, Microsoft analysts observed a sharp rise in QR code phishing, where attackers embedded malicious codes in emails to direct users to fake sign-in pages designed to steal credentials, often using adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication.
While Microsoft Defender for Office 365 reduced QR code phishing by 94% between October 2023 and March 2024, attackers adapted by experimenting with colour variations, altered backgrounds, and embedding QR codes in attachments to evade detection. A surge in phishing campaigns targeting Microsoft Teams users in April and May 2024 further highlighted how QR codes remain a key tool for deception. In these attacks, hackers created fake Microsoft tenants and registered deceptive domains to impersonate Office and security services, tricking users into scanning QR codes that led to AiTM phishing sites.
Business Email Compromise (BEC)
Business Email Compromise (BEC) attacks remain one of the most effective phishing tactics, with attackers continuously refining their approach. Rather than relying on a single method, cybercriminals use a range of techniques. Below is an overview of the key BEC methods and how they are evolving.
Inbox Rule Manipulation
A new variation of inbox rule manipulation has emerged as a favoured method among attackers, leveraging API and app-based tactics to evade detection. Instead of relying on traditional “New-InboxRule” or “Set-InboxRule” commands, they now use “UpdateInboxRules” to redirect emails containing sensitive keywords, such as those related to credentials or financial matters, to less monitored folders like Spam, Conversation History, or Deleted Items. By keeping fraudulent activity out of the main inbox, this tactic makes it harder for victims to notice compromised accounts or ongoing scams, allowing attackers to operate undetected for longer.
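The rule-manipulation pattern described above leaves a trace in mailbox audit logs, and that is where defenders can catch it. The following detection script is an added example written for this post, not CWSI's or Microsoft's code; it runs over a few constructed audit records in a simplified JSON-lines shape whose field names (time, user, op, client, rule) are assumptions for illustration rather than the exact Microsoft 365 unified audit log schema. It scores each of the three rule operations named above (New-InboxRule, Set-InboxRule, UpdateInboxRules) on the indicators the text calls out: credential or finance keywords in the conditions, a low-visibility destination folder, and a couple of common companions such as mark-as-read and a blank rule name.

```python
import json
import re

# Constructed sample audit events (not real tenant data). The field layout is an
# assumption for this example; map it to your log source's actual schema.
SAMPLE_EVENTS = """
{"time":"2025-03-01T08:02:11Z","user":"alice@example.com","op":"UpdateInboxRules","client":"GraphAPI","rule":{"name":".","conditions":{"subject_contains":["password","invoice","wire"]},"actions":{"move_to":"Deleted Items","mark_read":true}}}
{"time":"2025-03-01T09:15:40Z","user":"bob@example.com","op":"New-InboxRule","client":"Outlook","rule":{"name":"Team updates","conditions":{"from":["newsletter@vendor.example"]},"actions":{"move_to":"Newsletters","mark_read":false}}}
{"time":"2025-03-01T10:30:05Z","user":"carol@example.com","op":"Set-InboxRule","client":"PowerShell","rule":{"name":"..","conditions":{"body_contains":["MFA","verification code"]},"actions":{"move_to":"RSS Feeds","mark_read":true}}}
{"time":"2025-03-01T11:00:00Z","user":"dave@example.com","op":"MailItemsAccessed","client":"Outlook"}
"""

# The three rule-changing operations mentioned in the post.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Folders users rarely look at; mail routed here tends to go unnoticed.
LOW_VISIBILITY_FOLDERS = {
    "deleted items", "junk email", "spam", "conversation history", "rss feeds", "archive",
}

# Keywords attackers filter on to hide password resets, MFA prompts and payment threads.
SENSITIVE_TERMS = re.compile(
    r"password|credential|invoice|wire|payment|bank|mfa|verification code", re.I
)

# Client channels that indicate API/app-based rule changes rather than a user in Outlook.
API_CLIENTS = {"GraphAPI", "PowerShell"}


def score_rule_event(event):
    """Return the list of reasons an inbox-rule event looks like BEC persistence ([] if benign)."""
    if event.get("op") not in RULE_OPS:
        return []
    rule = event.get("rule", {})
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})
    reasons = []

    # Indicator 1: the rule keys on credential- or finance-related text.
    terms = [
        t for key in ("subject_contains", "body_contains") for t in conditions.get(key, [])
    ]
    if any(SENSITIVE_TERMS.search(t) for t in terms):
        reasons.append("filters on credential/finance keywords")

    # Indicator 2: matching mail is diverted to a folder nobody reads.
    destination = actions.get("move_to", "")
    if destination.lower() in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"moves mail to low-visibility folder '{destination}'")

    # Indicator 3: messages are marked read so no unread badge draws attention.
    if actions.get("mark_read"):
        reasons.append("marks messages as read")

    # Indicator 4: blank or punctuation-only rule names are a common tell.
    name = rule.get("name", "")
    if not name.strip(". -_") or len(name) <= 2:
        reasons.append(f"rule name is blank or trivially short ({name!r})")

    # Context: change made through an API/app channel, as the post describes.
    if event.get("client") in API_CLIENTS:
        reasons.append(f"rule changed via {event['client']}")

    return reasons


def find_suspicious_rules(jsonl_text, min_reasons=2):
    """Parse JSON-lines audit records and return those scoring at least min_reasons indicators."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        event = json.loads(line)
        reasons = score_rule_event(event)
        if len(reasons) >= min_reasons:
            findings.append({"time": event["time"], "user": event["user"],
                             "op": event["op"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['user']} {finding['op']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Requiring two or more indicators keeps ordinary housekeeping rules (a newsletter moved to its own folder) out of the alert queue while still catching a rule that silently files password-reset or invoice mail into Deleted Items. The keyword list and folder set are the tuning knobs; extend them with terms specific to your finance and IT workflows.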
BEC Lateral Phishing
BEC lateral phishing takes compromise a step further by using a hijacked account to target others within the same organisation. Once inside, attackers send phishing emails from the compromised account, making their messages appear legitimate and increasing the chances of success. Their goal is to either gain access to higher-privilege accounts or trick employees into approving fraudulent transactions.

Conversation Hijacking
Conversation hijacking is a stealthy BEC tactic where attackers insert themselves into ongoing email threads to exploit trust. After compromising an account, they create a nearly identical email address with the same display name and continue the exchange unnoticed. Often used for financial fraud, this method makes phishing attempts appear more legitimate, increasing the likelihood of victims approving fake transactions or sharing sensitive information.
MFA Tampering Post AiTM Attack
MFA tampering after an AiTM attack allows attackers to secure long-term access to a compromised account. Once they gain control, they register a new device or phone number for multi-factor authentication, enabling them to bypass security prompts and approve future logins undetected. This method ensures persistent access, making it harder for organisations to fully lock out the attacker even after detecting suspicious activity.
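The persistence step described above is a correlation problem for defenders: a new MFA method is not suspicious on its own, but one registered shortly after a successful sign-in from a location the user has never authenticated from is. The script below is an added example written for this post rather than CWSI's or any vendor's code. It runs over constructed sign-in and directory-change records in a simplified shape (the field names and the RegisterMfaMethod operation label are assumptions for illustration, not a product's real schema) and flags a registration that lands within a short window after an out-of-baseline sign-in from the same source address.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real tenant data); field names are assumptions.
SIGN_INS = [
    {"time": "2025-03-02T07:55:00Z", "user": "alice@example.com",
     "ip": "203.0.113.9", "country": "NL", "result": "success"},
    {"time": "2025-03-02T08:10:00Z", "user": "bob@example.com",
     "ip": "198.51.100.4", "country": "IE", "result": "success"},
    {"time": "2025-03-02T09:40:00Z", "user": "carol@example.com",
     "ip": "192.0.2.77", "country": "BR", "result": "failure"},
]

DIRECTORY_CHANGES = [
    {"time": "2025-03-02T08:20:00Z", "user": "alice@example.com",
     "op": "RegisterMfaMethod", "detail": "phone (SMS)", "actor_ip": "203.0.113.9"},
    {"time": "2025-03-02T15:00:00Z", "user": "bob@example.com",
     "op": "RegisterMfaMethod", "detail": "authenticator app", "actor_ip": "198.51.100.4"},
    {"time": "2025-03-02T09:45:00Z", "user": "carol@example.com",
     "op": "RegisterMfaMethod", "detail": "phone (voice)", "actor_ip": "192.0.2.77"},
]

# Countries each user has historically signed in from (constructed baseline).
BASELINE_COUNTRIES = {
    "alice@example.com": {"IE"},
    "bob@example.com": {"IE", "GB"},
    "carol@example.com": {"IE"},
}

# How long after a sign-in a method registration still counts as "shortly after".
WINDOW = timedelta(hours=2)


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_tampering(sign_ins, changes, baseline, window=WINDOW):
    """Correlate MFA method registrations with recent out-of-baseline successful sign-ins."""
    alerts = []
    for change in changes:
        if change["op"] != "RegisterMfaMethod":
            continue
        t_change = parse_time(change["time"])
        for signin in sign_ins:
            # Only successful sessions can register a method; failures are noise here.
            if signin["user"] != change["user"] or signin["result"] != "success":
                continue
            delta = t_change - parse_time(signin["time"])
            if not (timedelta(0) <= delta <= window):
                continue
            known = baseline.get(signin["user"], set())
            if signin["country"] in known:
                continue
            alerts.append({
                "user": change["user"],
                "signin_time": signin["time"],
                "signin_country": signin["country"],
                "registration_time": change["time"],
                "method": change["detail"],
                "minutes_after_signin": int(delta.total_seconds() // 60),
                # Same source address for sign-in and registration strengthens the link.
                "same_ip": signin["ip"] == change["actor_ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_tampering(SIGN_INS, DIRECTORY_CHANGES, BASELINE_COUNTRIES):
        print(f"{alert['user']}: {alert['method']} registered "
              f"{alert['minutes_after_signin']} min after sign-in from "
              f"{alert['signin_country']} (same IP: {alert['same_ip']})")
```

In the sample data only alice trips the rule: a sign-in from a country outside her baseline followed 25 minutes later by a new SMS method from the same address. Bob's registration comes from a baseline country and hours later, and carol's preceding sign-in failed, so neither is raised. The response to a hit is the one implied in the text: revoke sessions, remove the newly added method, and re-verify the user through an out-of-band channel before restoring access.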
Legitimate Applications Abuse
Attackers are increasingly abusing legitimate applications to facilitate mailbox exfiltration and BEC attacks. Tools like PerfectData Software, originally designed for mailbox backup, have been exploited to secretly extract emails from compromised accounts. Newsletter Software Supermailer, typically used for bulk email campaigns, has been leveraged for lateral phishing, allowing attackers to send personalised phishing emails from hijacked accounts. Meanwhile, eMClient, a desktop email client, has been used to exfiltrate entire mailboxes, providing adversaries with a wealth of sensitive information.
Low and Slow BEC
Low and slow BEC attacks focus on stealth, allowing attackers to remain undetected for extended periods. Instead of triggering alarms with large-scale data access, they quietly read just a few emails each day and occasionally browse OneDrive or SharePoint files. This gradual approach makes it harder for security systems to detect anomalies, as the activity appears minimal.
Targeted BEC
Personalised phishing campaigns have become increasingly sophisticated, using local languages and industry-specific topics to enhance credibility. Attackers tailor emails to IT, finance, and legal departments, often disguising them as urgent messages about software updates or tax submissions. By aligning their approach with familiar workflows and regional nuances, they significantly increase the likelihood of compromise.
Key Strategies for Building Phishing Resilience
Phishing attacks are getting more deceptive, with cybercriminals exploiting trusted tools, tailoring scams to specific targets, and finding new ways to bypass security. To stay ahead, organisations need a proactive approach that addresses these evolving tactics. Here are four key strategies to strengthen phishing resilience.
Verify Tools Before Trusting Them
Even if an application seems familiar, don’t assume it’s safe. Attackers are increasingly misusing legitimate tools for malicious purposes. Implement strict access controls, regularly review third-party integrations, and monitor software usage to prevent exploitation.
Enhance Security Awareness
Phishing campaigns are becoming more sophisticated, with attackers using local languages and personalised content to increase credibility. Enhance security awareness training, simulate real-world phishing scenarios, and educate employees on spotting tailored threats.
Mitigate QR Code Phishing Risks
With QR code phishing on the rise, organisations should deploy advanced detection tools to identify suspicious QR codes in emails and block malicious redirects.
Manage Shadow IT to Reduce Exposure
Unapproved hardware and software can create security gaps that attackers exploit for phishing and post-compromise activities. IT teams should conduct regular scans to detect unauthorised tools and provide secure alternatives to prevent risky workarounds.
How CWSI Can Help Defend Against Phishing Attacks
Phishing attacks are evolving, but with the right strategy, organisations can stay one step ahead of cyber adversaries. At CWSI, we’ve spent over a decade helping businesses across sectors strengthen their defences with tailored security solutions. From proactive threat monitoring to rapid incident response, we provide the expertise needed to detect and mitigate phishing attacks before they undermine organisational security.
Are you looking to bolster your defences against the next wave of phishing threats? Fill out the form below, and one of our experts will be in touch to assess your organisation’s phishing resilience.