Phishing attacks are on the rise, with the latest KnowBe4 Phishing Threat Trends Report observing a 17.3% increase in phishing emails between September 15th, 2024, and February 14th, 2025, compared to the previous six months. Also increasing is the use of Polymorphic phishing, with polymorphic phishing features identified in 76.4% of all phishing campaigns they observed.
Not only are attacks increasing, but they are also getting more sophisticated; the report saw a 22.6 percent increase in ransomware payloads, with phishing hyperlinks, malware, and social engineering payloads all bypassing traditional detection methods a lot more frequently. This was identified as an accelerating trend, as within that sixth-month period, they observed a 57.5% increase over the previous three months from November 1st, 2024, to February 15th, 2025.
Changing the Bait: Polymorphic Phishing
Polymorphic phishing attacks involve a series of emails that aren’t uniform because they contain subtle changes. They begin by attempting to obtain user credentials and then utilize those credentials to target others. The report identified a 57.9% increase in attacks being sent from compromised accounts. This method makes it challenging for secure email gateways (SEGs) and other traditional defensive tools to identify and block these messages. The lack of uniformity complicates rule updates for security teams, as historically, strategies have been focused on identifying commonalities like payloads or sending domains.
The three most common changes to circumnavigate security were found to be replacing logos, changing the destination of a link, and altering the sender. Another popular method involves adding randomized characters and symbols to email subject lines. Doing so helps to disguise malicious emails behind the email preview cutoff and can avoid them being blocked by hash mapping, as organizations are reluctant to narrow their parameters too much so as not to damage operational efficiency.
Obfuscation Through Heavier Payloads
In their six-month report observation, KnowBe4 found that three payload types had experienced substantial increases in their ability to bypass Microsoft and SEG detection compared to the previous six months. These were a 36.8% increase in phishing hyperlinks, a 20% increase in malware, and a 14.2% increase in social engineering. Cybercriminals are benefitting from an emerging shadow economy that includes the ability to purchase phishing kits from crime-as-a-service (CaaS) platforms where vendors offer phishing “kits” for a subscription fee.
The report highlights HTML smuggling as the most popular current obfuscation technique for masking malicious payloads from file-scanning AV technologies. It points out that file sizes for both malware attachments (including ransomware) and malicious HTMLs have also increased year on year, and attribute this to “cybercriminals attempt to improve deliverability by maxing out email latency service-level agreements (SLAs) before an attack is detected.”
Breaking Down an Advanced Ransomware Payload
KnowBe4 deconstructed a complex INC Ransomware payload attached to a phishing email they had discovered in their research to illustrate some of the threats they were encountering. These included:
- JavaScript payload obfuscation: multiple layers that included a password-protected zip file and HTML smuggling to bypass signature-based detection.
- AI-generated obfuscation: randomly generated text to confuse security scanners.
- Malicious URL obfuscation: script reverse and Base64 encoding to avoid featuring on blocked lists.
Advocating for AI and Zero-Trust
Jack Chapman, SVP of Threat Intelligence at Know Be4, advocates for AI-powered detection underpinned by a zero-trust approach when it comes to modern security solutions. While stating that signature-based and reputation-based detection provide a solid foundation, he adds that “on its own, it’s no longer enough to hold back the tide of phishing attacks targeting organizations. Success in phishing equals a payday for cybercriminals — and these email security platforms are the first hurdle for cybercriminals to jump.”
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.