Hoxhunt Cyber Threat Intelligence Report 2025

The report shows that attackers are increasingly using AI to refine classic phishing while adversary-in-the-middle (AitM) kits and token-theft techniques (including session token capture) drive stealthy post-login compromise. Defenders should prioritize token-centric controls, phishing-resistant MFA, session shortening, SVG/attachment controls, and a culture of “Pause → Verify → Act.” #Microsoft #Google #Hoxhunt #AitM #SVG #Salesforce #Docusign

Keypoints

  • Typical report structure: Executive Summary & Introduction — high-level findings, three headline developments, and strategic framing of risk and behavior changes.
  • Typical report structure: Threat Landscape Overview — enumeration of top attack vectors, entities impersonated, emotions exploited, and notable campaign themes.
  • Typical report structure: Human Risk Findings — analysis of user-facing phishing content, attachment and link typologies, and the role of generative AI in message quality and visual templates.
  • Typical report structure: Campaigns, Tooling and Environments Research — comparative environment telemetry (e.g., Google vs Microsoft), killchain examples, and evolution of phishing kits and deployments.
  • Typical report structure: Strategic Guidance — prioritized actions for practitioners, CISOs, and SOC/IT including controls, detection, incident response, and cultural change recommendations.
  • Key statistics: PDF attachments accounted for 23.7% of attachment-based phishing in H1 2025, remaining the most common attachment type.
  • Key statistics: Emails reported by Google users confirmed malicious at 34.7% versus 12.1% for Microsoft in the H1 2025 dataset; gmail.com showed up frequently as a sender domain.
  • Key statistics: SVG-based attachments grew about 50× year-over-year and rose from a negligible share to roughly 5% of attachment-based phishing, making them a notable emerging vector.
  • Notable trend: Phishing kits standardized AitM techniques that capture session tokens in addition to passwords, enabling circumvention of some MFA flows and emphasizing token theft over simple credential theft.
  • Notable trend: Attackers leverage AI selectively — mainly to improve language, formatting, and workflow mimicry — rather than relying solely on flashy deepfakes; familiarity and correct workflow cues increase success.
  • Notable trend: Social engineering is expanding beyond email into social platforms, recruitment channels, and business platforms (Meta, Instagram, business account abuse), exploiting professional identity vectors.
  • Significant finding: gmail.com was the single most common sending domain observed in malicious reports; third-party services (Salesforce, Docusign) are frequently abused and require targeted mailflow scrutiny.
  • Attack technique: Redirect chains via trusted domains (t.co, google.com/url) and popular sharing services (Dropbox) are used to mask malicious destinations; defenders must resolve and evaluate final eTLD+1 at click-time.
  • Attack technique: “Fake-thread” and message-id/References spoofing are used to make messages appear internal; detectors should flag threads the tenant hasn’t seen or internal-looking messages from external MessageID domains.
  • Behavioral finding: More polished visuals and flawless language—often AI-assisted—should be treated as suspicious signals rather than proof of authenticity; older, simpler templates sometimes appear more legitimate.
  • Operational guidance: Emphasize token-centric incident response — revoke tokens first on suspicious post-login changes, then reset credentials; hunt for the same session ID appearing from different IPs and for mid-session user-agent (UA) pivots.
  • Controls recommendation: Move admins and high-risk roles to phishing-resistant MFA (passkeys/FIDO2), bind tokens to devices, shorten session lifetimes, and enable automatic attack disruption and token revocation on detection.
  • Controls recommendation: Consider blocking or quarantining image/svg+xml by default, inspect SVG DOM for scripting, xlink:href, and data: URIs, and provide an exception review path with sandboxing.
  • Controls recommendation: Add mailflow analytics for commonly abused third-party domains (e.g., salesforce.com, docusign.net), favor per-business-unit allowlists, and apply extra scrutiny to no-reply sender patterns.
  • Detection recommendation: Prefer detections that score interaction/proxy artifacts (proxy headers, session anomalies) over fragile DOM/image look-alike signatures to counter obfuscated modern kits (noVNC/browser-in-the-middle).
  • Prevention recommendation: Publish and enforce trusted channels for signing, sharing, scheduling, and payments; route exceptions through verified portals and require two-person approvals for financial changes.
  • Training recommendation: Shift awareness programs from “look for typos” to teaching Pause → Verify → Report, show side-by-side older vs newer templates, and include GenAI literacy and fake-thread examples.
  • Measurement & metrics: Make dwell time and time-to-report KPIs, track report rate and reporting latency quarterly, and measure “routine skepticism” for internal-looking but third-party-delivered messages.
  • Incident response playbook: Add hunts for mailbox rule creation or MFA changes shortly after login, automatically revoke tokens and sign out on suspicious activity, and favor token revocation as an immediate containment action.
  • Recurring themes: Attackers favor stealth, automation, and workflow mimicry; campaigns escalate via “small ask → bigger ask” killchains and prioritize token-based compromise for scalable follow-on automation.
  • High-impact takeaway: Defenses must assume session/token theft is the primary failure mode and adapt controls, detection, user training, and incident response accordingly to reduce post-login damage.
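The SVG control in the keypoints (quarantine image/svg+xml by default and inspect the SVG DOM for scripting, xlink:href and data: URIs) can be implemented as a static triage step in a mail gateway or sandbox. The following is an added example written for this summary, not code from the Hoxhunt report; the indicator list, the `inspect_svg` and `triage` functions and the two constructed SVG samples are the editor's assumptions about what such a check should look for.

```python
"""Static triage of an SVG attachment: flag scripting, href targets and data:/javascript: URIs.

Added example (not from the Hoxhunt report). Uses only the standard library so it can
run inside a gateway hook or a sandbox without network access.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that turn an "image" into executable or embeddable content (assumed indicator set).
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URI schemes that carry code or inline payloads rather than pointing at an image resource.
URI_RE = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def inspect_svg(svg_text):
    """Return a sorted list of indicator strings found in one SVG document.

    An empty list means none of the scripting / href / URI-scheme indicators were present.
    Unparseable input is itself reported, because a gateway should not "allow" what it
    could not inspect.
    """
    findings = set()
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable:{exc.__class__.__name__}"]

    for elem in root.iter():  # root.iter() includes the <svg> root itself
        tag = _local(elem.tag)
        if tag in RISKY_TAGS:
            findings.add(f"tag:{tag}")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            # Inline event handlers: onload=, onclick=, onmouseover=, ...
            if re.fullmatch(r"on[a-z]+", aname.lower()):
                findings.add(f"event-handler:{aname}")
            # Both SVG 2 `href` and legacy `xlink:href` are link/embed targets.
            if aname == "href" or attr == f"{{{XLINK_NS}}}href":
                findings.add("href")
                if URI_RE.match(value):
                    scheme = value.strip().split(":", 1)[0].lower()
                    findings.add(f"uri-scheme:{scheme}")
                elif value.strip().lower().startswith(("http://", "https://")):
                    findings.add("external-href")
    return sorted(findings)


def triage(svg_text):
    """Policy decision for the gateway: quarantine on any finding, otherwise allow."""
    findings = inspect_svg(svg_text)
    return ("quarantine" if findings else "allow", findings)


# Constructed samples (not real attachments): a plain icon and a scripted, data:-linked SVG.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>'
)
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="init()">'
    '<script>/* script body of the sample, content irrelevant to the check */</script>'
    '<a xlink:href="data:text/html;base64,PHA+c2FtcGxlPC9wPg=="><text x="1" y="5">Open</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, triage(doc))
```

The decision is deliberately coarse: any `href` at all is reported so that the exception-review path mentioned in the keypoints sees every externally linking SVG, while the `uri-scheme:` and `tag:` indicators are the ones that justify outright quarantine. The parser does not expand external entities or fetch anything, so it is safe to run on untrusted input.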
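The fake-thread keypoint recommends flagging threads the tenant has never seen and internal-looking messages whose Message-ID domain does not match the sender. Below is an added example of that header check, written for this summary and not taken from the Hoxhunt report; the tenant domain `corp.example`, the set of known Message-IDs and the three sample messages are constructed, and the signal names are the editor's own.

```python
"""Header-level fake-thread detection for inbound mail.

Added example (not from the Hoxhunt report). Assumes the tenant can look up the
Message-IDs it has actually emitted (here a constructed in-memory set).
"""
import email
from email.utils import parseaddr

TENANT_DOMAINS = {"corp.example"}                 # constructed tenant domain
KNOWN_MESSAGE_IDS = {"<a1b2@corp.example>"}       # constructed: IDs the tenant really sent


def _msgid_domain(msgid):
    """Domain part of a <local@domain> Message-ID, lower-cased; '' if malformed."""
    inner = msgid.strip().strip("<>")
    return inner.rsplit("@", 1)[-1].lower() if "@" in inner else ""


def _ids(header_value):
    """Split a References / In-Reply-To header into individual IDs (folded lines included)."""
    return header_value.split() if header_value else []


def fake_thread_signals(raw_message, tenant_domains=TENANT_DOMAINS, known_ids=KNOWN_MESSAGE_IDS):
    """Return an ordered list of signal strings; empty means no fake-thread indicator."""
    msg = email.message_from_string(raw_message)
    signals = []

    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    sender_is_internal = sender_domain in tenant_domains
    # Dedupe while keeping order: In-Reply-To usually repeats the last References entry.
    refs = list(dict.fromkeys(_ids(msg.get("In-Reply-To")) + _ids(msg.get("References"))))

    # 1. The message claims to continue an internal thread the tenant never produced.
    for ref in refs:
        if _msgid_domain(ref) in tenant_domains and ref not in known_ids:
            signals.append(f"unknown-internal-reference:{ref}")

    # 2. Message-ID domain disagrees with the sending domain in either direction.
    own_domain = _msgid_domain(msg.get("Message-ID", ""))
    if own_domain:
        if not sender_is_internal and own_domain in tenant_domains:
            signals.append("internal-msgid-from-external-sender")
        if sender_is_internal and own_domain not in tenant_domains:
            signals.append("internal-sender-external-msgid")

    # 3. "Re:/Fwd:" subject with no threading headers at all is a cheap fake-thread trick.
    subject = msg.get("Subject", "").strip().lower()
    if subject.startswith(("re:", "fw:", "fwd:")) and not refs:
        signals.append("reply-subject-without-thread-headers")

    return signals


# Constructed sample messages (no real senders or IDs).
LEGIT_REPLY = """From: alice@corp.example
To: bob@corp.example
Subject: Re: Q3 invoice approval
Message-ID: <c3d4@corp.example>
In-Reply-To: <a1b2@corp.example>
References: <a1b2@corp.example>

Approved, thanks.
"""

FORGED_THREAD = """From: "Accounts Payable" <ap@vendor-mail.example>
To: finance@corp.example
Subject: Re: Q3 invoice approval
Message-ID: <20250901.1234@corp.example>
In-Reply-To: <deadbeef@corp.example>
References: <deadbeef@corp.example>

As discussed, please approve the attached.
"""

SPOOFED_INTERNAL = """From: it-helpdesk@corp.example
To: carol@corp.example
Subject: Re: MFA update required
Message-ID: <77af@bulk-mailer.example>

Please re-enrol your authenticator.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_REPLY), ("forged", FORGED_THREAD), ("spoofed", SPOOFED_INTERNAL)):
        print(name, fake_thread_signals(raw))
```

In production the `known_ids` lookup would be a query against the tenant's outbound message log rather than a set, and the signals would feed a score alongside the sender-reputation and proxy-artifact detections the keypoints prefer over look-alike signatures.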
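Two keypoints (operational guidance and the incident response playbook) describe the same hunt: the same session ID seen from different IPs, a mid-session user-agent pivot, and mailbox rule creation or MFA changes shortly after login, with token revocation as the first containment step. The following is one added example covering both, written for this summary and not taken from the Hoxhunt report; the event schema, the operation names in `SENSITIVE_OPS`, the 15-minute window and the sample events are all constructed assumptions.

```python
"""Session-anomaly hunt over sign-in/audit events, with token-first containment.

Added example (not from the Hoxhunt report). The event format is a generic, constructed
schema: ts (UTC ISO-8601), user, session, ip, ua, op.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry, not real log data. Session S1 shows a captured token being
# replayed from a second IP with a different client shortly after the real sign-in.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T08:00:00Z", "user": "u1", "session": "S1", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124", "op": "SignIn"},
    {"ts": "2025-06-03T08:04:00Z", "user": "u1", "session": "S1", "ip": "198.51.100.7",
     "ua": "python-requests/2.31", "op": "New-InboxRule"},
    {"ts": "2025-06-03T08:05:00Z", "user": "u1", "session": "S1", "ip": "198.51.100.7",
     "ua": "python-requests/2.31", "op": "Update StrongAuthenticationMethod"},
    {"ts": "2025-06-03T09:00:00Z", "user": "u2", "session": "S2", "ip": "203.0.113.20",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17", "op": "SignIn"},
    {"ts": "2025-06-03T09:30:00Z", "user": "u2", "session": "S2", "ip": "203.0.113.20",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17", "op": "MailItemsAccessed"},
]

# Operations worth flagging when they follow a login closely (assumed names).
SENSITIVE_OPS = {"New-InboxRule", "Set-InboxRule", "Update StrongAuthenticationMethod"}
POST_LOGIN_WINDOW = timedelta(minutes=15)   # assumed hunting window


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_sessions(events, window=POST_LOGIN_WINDOW):
    """Return {session_id: sorted findings} for every session with at least one finding."""
    by_session = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(ev["session"], []).append(ev)

    results = {}
    for sid, evs in by_session.items():
        findings = set()
        ips = {e["ip"] for e in evs}
        uas = {e["ua"] for e in evs}
        if len(ips) > 1:                       # same session ID used from different IPs
            findings.add("multi-ip-session:" + ",".join(sorted(ips)))
        if len(uas) > 1:                       # client changed mid-session
            findings.add("ua-pivot")
        logins = [_ts(e["ts"]) for e in evs if e["op"] == "SignIn"]
        for e in evs:
            if e["op"] in SENSITIVE_OPS and any(
                timedelta(0) <= _ts(e["ts"]) - login <= window for login in logins
            ):
                findings.add("sensitive-op-after-login:" + e["op"])
        if findings:
            results[sid] = sorted(findings)
    return results


def containment_plan(findings):
    """Ordered response actions for one session's findings: tokens first, credentials second."""
    if not findings:
        return []
    plan = ["revoke-refresh-tokens", "sign-out-all-sessions"]   # cut the stolen session first
    plan.append("reset-password")                                 # then the credential
    if any(f.startswith("sensitive-op-after-login:") for f in findings):
        plan.append("review-and-remove-inbox-rules-and-mfa-changes")
    return plan


if __name__ == "__main__":
    for sid, found in hunt_sessions(SAMPLE_EVENTS).items():
        print(sid, found, "->", containment_plan(found))
```

The hunt keys on the session identifier rather than the account, because after token theft the account name is shared by the victim and the attacker while the session's IP and client are not; that is why the keypoints recommend scoring interaction artifacts over content look-alikes.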
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
