Email threats remain a favorite weapon in the cybercriminal’s arsenal, constantly evolving in sophistication and strategy. In Q1 2025, malicious actors introduced some unexpected twists to their playbook, demonstrating their relentless drive to outmaneuver security defenses.
The latest VIPRE Q1 2025 Email Threat Trends Report revealed several standout trends: the rise of SVG-based phishing, the re-emergence of callback scams, and a continued flood of spam that shows no signs of abating.
Here’s a breakdown of what defenders should be paying close attention to—and what these shifts might mean for the rest of the year.
SVG Files: The Sneaky New Phishing Tool
For years, HTML attachments dominated malicious email campaigns, and in Q1 2023, HTML made up 88% of malspam attachments. Now, that number has plummeted to just 12%. What’s replacing them? A surprising contender: SVG files.
Scalable Vector Graphics (SVGs) were long considered benign—just harmless images, right? But malefactors have figured out how to embed JavaScript inside these files. When an unsuspecting user opens an SVG in a browser, a malicious script redirects them to a phishing site. VIPRE’s researchers saw a 34% share of malspam attachments using SVGs, hot on the heels of PDFs (36%) and far ahead of ZIPs (15%) and HTML.
This trend reflects a broader pattern: attackers are moving away from formats that are now commonly flagged by security tools and leaning into file types that seem innocuous—or at least haven’t historically been used maliciously.
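For defenders, the script-in-SVG technique described above can be checked at the mail gateway by parsing the attachment as XML instead of treating it as an image. The following is an added example, not code from the VIPRE report; the sample files, finding labels and the `scan_svg` name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, not taken from the report.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
REDIRECT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
    b'<script>window.location.href="https://phish.example/login"</script>'
    b'<a href="javascript:go()"><rect width="9" height="9"/></a></svg>'
)

# Elements that can run or host active content when a browser renders the file.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# data:image/... hrefs are routine in SVG, so only script-capable schemes count.
SCRIPT_URL = re.compile(r"^(javascript:|vbscript:|data:text/html)", re.I)


def local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return the reasons an SVG attachment should be quarantined."""
    # Refuse entity declarations before parsing: they can hide or expand content.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active-element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)  # also maps xlink:href to href
            # Drop whitespace and control characters before the scheme check.
            target = re.sub(r"[\s\x00-\x1f]+", "", value)
            if name.startswith("on"):
                findings.append(f"event-handler:{name}")
            elif name == "href" and SCRIPT_URL.match(target):
                findings.append(f"script-url:{tag}")
    return findings
```

An empty list means no active content was found; any finding is grounds to quarantine the attachment, since a static image needs none of these features.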
Callback Phishing: A Human-Centric Threat on the Rise
One of the most startling developments in the Q1 report is the sharp rise in callback phishing—also known as BazarCall or TOAD (Telephone-Oriented Attack Delivery). In these instances, the bad actor sends an email that claims there’s a problem (like a suspicious transaction), then urges the recipient to call a number for support.
This tactic flips the script. Instead of initiating contact, fraudsters manipulate the victim into making the first move, which helps them evade detection by tools that scan outbound messages or links.
While callback phishing has been around for a few years, the report noted that it now accounts for 16% of all phishing attempts—a relatively meteoric rise, considering it wasn’t even measured in their reports last year. And it’s working. Social engineering is more convincing over the phone, especially when urgency and authority are in play.
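Because a callback lure carries no malicious link or attachment, detection has to rest on the message's wording: a claimed problem, an instruction to phone a number, and no URL. The sketch below is an added example, not part of the VIPRE report; the keyword lists, the three-signal rule and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample messages; senders, numbers and amounts are invented.
HEADERS = "From: billing@invoices.example\nTo: user@corp.example\n"
CALLBACK_LURE = HEADERS + (
    "Subject: Your subscription was renewed - $349.99 charged\n\n"
    "We detected a suspicious transaction on your account.\n"
    "If you did not authorize this charge, call our support team\n"
    "immediately at +1 (555) 010-0199 to request a refund.\n"
)
ROUTINE_NOTICE = HEADERS + (
    "Subject: Invoice 1042 is ready\n\n"
    "Your invoice is available at https://portal.example/invoices/1042.\n"
    "Questions? Call us at 555-010-0123.\n"
)

PHONE = r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"
# A call-to-action verb followed, within the same sentence, by a phone number.
CALL_TO_ACTION = re.compile(
    r"\b(?:call|dial|phone|contact)\b[^.!?]{0,80}?" + PHONE, re.I
)
# Assumed keyword list for the "there is a problem" claim; tune per environment.
PROBLEM_CLAIM = re.compile(
    r"suspicious transaction|unauthori[sz]ed|did not authori[sz]e"
    r"|charged|renew|refund|invoice",
    re.I,
)
URL = re.compile(r"https?://|\bwww\.", re.I)


def callback_signals(raw: str) -> dict:
    """Score one RFC 5322 message for the callback-phishing pattern."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['subject']}\n{body.get_content() if body else ''}"
    signals = {
        "problem_claim": bool(PROBLEM_CLAIM.search(text)),
        "call_to_action_with_number": bool(CALL_TO_ACTION.search(text)),
        "no_links": not URL.search(text),
    }
    # Assumed rule: all three together warrant review; each alone is common.
    signals["review"] = all(signals.values())
    return signals
```

The second sample shows why no single signal is enough: a routine invoice notice also mentions billing and a phone number, and only the combination with the missing link sets the lure apart.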
A Spam Tsunami: 92% of Emails Are Garbage
Of the 1.45 billion emails processed by VIPRE in Q1, a staggering 92% were classified as spam. That alone would be troubling, but it gets worse: more than two-thirds (67%) of those spam emails were actively malicious—containing phishing, malware, or scam content.
January was particularly busy, possibly due to employees returning from holiday breaks or cybercriminals sticking to some very dark New Year’s resolutions. The U.S. was both the largest source (57%) and recipient (75%) of these malicious messages, with the UK, Ireland, and Canada also heavily targeted.
The volume alone is overwhelming, but it also signals a bigger problem: traditional spam filters, while still useful, are under siege from increasingly creative attacks hiding in plain sight.
The Manufacturing Sector: Still Public Enemy Number One
Cybercriminals have favorites, and right now, it’s clear that manufacturing is still a top target. Once absent from the top three, manufacturing now leads the pack for the third straight quarter, receiving 36% of targeted email threats.
Why the persistent focus? Many manufacturing firms are in the middle of digital transformations—adopting cloud, IoT, AI, and other connected technologies that open new security gaps. Yet, cultural and operational inertia often means security practices lag behind. Attackers know this and exploit it.
Retail and financial services followed, each absorbing 15% of attacks, but the gap is clear: industrial organizations are under siege.
BEC and Brand Spoofing: The Classics Still Work
While novel tactics like SVG phishing are on the rise, malefactors have not abandoned what works. Business Email Compromise (BEC) scams made up 37% of email-based scams in Q1. And, as always, pretending to be the boss is still the go-to move: 73% of BEC impersonations targeted C-suite executives.
Spoofing well-known brands also continues to be a favorite technique. Microsoft retained its top spot as the most impersonated brand, but Google was back in second place, followed by PayPal. The shift toward spoofing more universally recognized platforms—rather than more niche services like DocuSign or eFax—suggests that attackers are going after a wider pool of potential victims, including less security-savvy users.
The Fall of Links and the Rise of Attachments
It is also worth noting the evolving ratio between attachments and links in phishing campaigns. In Q1 2024, 75% of phishing attacks used links, and just 24% relied on attachments. This quarter, attachments have doubled, and links have dropped to 42%, with callback phishing now taking a 16% share.
This pivot could be due to improved detection of malicious URLs by email security solutions. In contrast, attachments—especially newer file types like SVG—may have better success slipping through filters.
Awareness to Readiness
The email threat landscape is shifting—yet again. From the rise of SVG-based exploits to the psychological manipulation of callback phishing, attackers are adapting faster than many defenses can keep up. With a burgeoning volume of emails now consisting of spam, defenders are left trying to find needles in ever-larger haystacks.
While the Q1 2025 data may seem bleak, it also provides valuable direction. Understanding these trends isn’t just about awareness—it’s about readiness.
The full VIPRE Email Threat Trends Report offers a deep dive into these threats, backed by real-world data and insights. For security leaders looking to stay ahead of the curve, it’s essential reading. You can access the report here.
With over 7 years of experience in the cybersecurity industry, Farrel is a seasoned malware researcher at VIPRE Security Group specializing in malware reverse engineering, cyber threat intelligence, and in-depth malware analysis. He has contributed to research on a wide range of malware affecting Windows and macOS platforms, as well as email threats, with his work prominently featured at his current company. Farrel is particularly passionate about tackling complex cyber threats that target multiple layers of an organization's infrastructure, uncovering intricate attack vectors, and providing actionable insights to defend against them.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


