July 2025 Trends Report on Phishing Emails

In July 2025, phishing made up 60% of the malicious email attachments observed, most commonly HTML/script attachments that mimic legitimate login pages and documents (e.g., PDFs) carrying hyperlinks to credential-harvesting sites; the harvested credentials are posted to attacker-controlled C2 servers. The same month also saw exploit documents abusing CVE-2017-11882 (Equation Editor, EQNEDT32.EXE) to drop Lokibot, and an increase in PE files (.exe) delivered inside ZIP archives. Reported artifacts include attachment MD5 hashes, C2 addresses, and Korean-language phishing samples with their subjects and attachment filenames. #CVE-2017-11882 #Lokibot

Keypoints

  • Phishing comprised 60% of malicious email attachments in July 2025, often using HTML/scripts to mimic legitimate pages and harvest credentials.
  • Attackers embed hyperlinks in documents (e.g., PDFs) to redirect victims to credential-harvesting phishing websites (FakePage).
  • Exploit documents leveraging CVE-2017-11882 (EQNEDT32.EXE) were used to drop Lokibot malware when executed.
  • Increase observed in delivery of PE files (.exe) compressed inside ZIP archives distributed via phishing emails.
  • Report includes distribution trends over six months and attachment extension statistics to show evolving phishing techniques.
  • Samples include Korean-language phishing emails with identifiable titles and attachment filenames useful for detection.
  • Report provides C2 addresses, analysis details, and full phishing email bodies in the original ATIP report and notes.

MITRE Techniques

  • [T1204] User Execution – Phishing emails prompt users to open attachments (T1204.002 Malicious File) or click links (T1204.001 Malicious Link), leading to credential entry or malware execution (“users are then prompted to enter their account credentials…redirect the victims to fake websites”).
  • [T1566] Phishing – Threat actors sent emails with HTML/script attachments (T1566.001 Spearphishing Attachment) and hyperlinks (T1566.002 Spearphishing Link) impersonating login and promotional pages to harvest credentials (“used scripts such as HTML to mimic the screen layout, logo, and font of login pages…insert hyperlinks into documents such as PDF files to redirect users to phishing websites”).
  • [T1203] Exploitation for Client Execution – Document files exploited CVE-2017-11882 in EQNEDT32.EXE to execute Lokibot (“the vulnerability of the equation editor (EQNEDT32.EXE) (CVE-2017-11882) is exploited to execute Lokibot malware”).
  • [T1041] Exfiltration Over C2 Channel – Harvested credentials and malware communications were sent to threat actor C2 servers (“credentials…are then sent to the threat actor’s C2 server”).
  • [T1560] Archive Collected Data / Compressed Files – PE files (.exe) were compressed in ZIP archives for distribution via phishing emails (“a PE file (.exe) is compressed in a ZIP file and distributed via phishing emails”). Note that T1560 formally describes archiving victim data before exfiltration; the behavior reported here is attacker-side packaging of the payload for delivery, which typically sits in the user's mail client as an archive that must be opened and extracted (T1204.002 User Execution: Malicious File), so detection rules should key on archive contents rather than on the archiving act itself.
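The four delivery methods listed in the Keypoints and mapped above (HTML/script FakePages posting credentials to a C2, PDFs carrying hyperlinks, Equation Editor exploit documents, and ZIP archives wrapping PE files) can each be spotted with a cheap static check at the mail gateway. The script below is an added example written for this page, not AhnLab's tooling: every sample attachment is constructed inline (the hostnames `collector.example` and `login.example`, the filenames, and the RTF/PDF fragments are made up for illustration, not the report's IoCs), and the Equation Editor markers are the well-known CLSID {0002CE02-0000-0000-C000-000000000046} and stream/class names rather than an exploit parser.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Markers for a Microsoft Equation 3.0 (EQNEDT32.EXE) object, the component abused by CVE-2017-11882.
# Real exploit documents often obfuscate these (especially in RTF), so treat a hit as a strong signal,
# a miss as inconclusive.
EQUATION_MARKERS = (
    bytes.fromhex("02CE020000000000C000000000000046"),  # CLSID as stored in an OLE directory entry (fields 1-3 little-endian)
    "Equation Native".encode("utf-16-le"),              # OLE stream name in a CFB directory entry (UTF-16LE)
    b"Equation.3",                                       # \objclass Equation.3 in an RTF-wrapped object
)
OFFICE_ZIP_EXTS = {"docx", "xlsx", "pptx"}  # ZIP containers that are documents, not archives of executables

FORM_ACTION_RE = re.compile(r'<form[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)
PASSWORD_INPUT_RE = re.compile(r'<input[^>]*type\s*=\s*["\']?password', re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string URIs only; hex strings (<...>) are not handled


def triage_html(data: bytes) -> dict:
    """FakePage check: a password field plus a form action or script URL that leaves the page for an external host."""
    text = data.decode("utf-8", errors="replace")
    targets = set(FORM_ACTION_RE.findall(text))
    for script in SCRIPT_RE.findall(text):
        targets.update(URL_RE.findall(script))
    external = sorted(t for t in targets if urlparse(t).scheme in ("http", "https"))
    suspicious = PASSWORD_INPUT_RE.search(text) is not None and bool(external)
    return {"kind": "html", "suspicious": suspicious, "evidence": external}


def triage_pdf(data: bytes) -> dict:
    """Hyperlink check: collect /URI link targets; any absolute http(s) URL is worth a look."""
    uris = [u.decode("latin-1") for u in PDF_URI_RE.findall(data)]
    return {"kind": "pdf", "suspicious": any(u.startswith("http") for u in uris), "evidence": uris}


def triage_document(data: bytes) -> dict:
    """Exploit-document check: look for an embedded Equation Editor object."""
    hits = [m.hex() if i == 0 else m.decode("utf-16-le" if i == 1 else "ascii") for i, m in enumerate(EQUATION_MARKERS) if m in data]
    return {"kind": "document", "suspicious": bool(hits), "evidence": hits}


def triage_zip(data: bytes) -> dict:
    """Archive check: name members whose content starts with the PE 'MZ' header; encrypted members fall back to the extension."""
    pe_members = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: cannot read it, judge by name only
                    if info.filename.lower().endswith((".exe", ".scr", ".dll")):
                        pe_members.append(info.filename)
                    continue
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        pe_members.append(info.filename)
    except zipfile.BadZipFile:
        return {"kind": "zip", "suspicious": False, "evidence": ["not a valid zip"]}
    return {"kind": "zip", "suspicious": bool(pe_members), "evidence": pe_members}


def triage_attachment(filename: str, data: bytes) -> dict:
    """Dispatch on extension first, then on magic bytes, so .docx is treated as a document rather than an archive."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("html", "htm", "shtml", "js"):
        return triage_html(data)
    if ext == "pdf" or data.startswith(b"%PDF"):
        return triage_pdf(data)
    if ext == "zip" or (data.startswith(b"PK\x03\x04") and ext not in OFFICE_ZIP_EXTS):
        return triage_zip(data)
    return triage_document(data)


# Constructed samples (not real malware): one of each delivery method plus a benign login page.
SAMPLE_HTML = (b'<html><body><form action="https://collector.example/post.php" method="post">'
               b'<input name="user"><input type="password" name="pass"></form></body></html>')
SAMPLE_BENIGN_HTML = b'<form action="/login" method="post"><input type="password" name="pw"></form>'
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://login.example/verify) >> >> endobj\n%%EOF")
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 01050000}}}"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2025-07.exe", b"MZ" + b"\x00" * 62)  # fake PE: only the MZ header matters here
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


def triage_samples() -> dict:
    samples = {"login.html": SAMPLE_HTML, "benign.html": SAMPLE_BENIGN_HTML, "quote.pdf": SAMPLE_PDF,
               "order.doc": SAMPLE_RTF, "invoice.zip": build_sample_zip()}
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:13} {verdict['kind']:9} suspicious={verdict['suspicious']} {verdict['evidence']}")
```

The checks are deliberately shallow: they are a first-pass filter to decide which attachments go to a sandbox, and they produce the same kind of artifact the report lists (the C2 or redirect URL, the embedded PE name) for the alert. Password-protected archives and hex-encoded PDF strings are the two places a real gateway would need more than this script.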

Indicators of Compromise

  • [File Hash] malicious attachment MD5s – 01f68e02af2a9314bf20a84f722cd993, 05a32454a16cfefa3f5e59130dd4f1ce (and 3 more hashes).
  • [Vulnerability] exploited component – CVE-2017-11882 (EQNEDT32.EXE) used in exploit documents to drop Lokibot.
  • [Malware Name] payload – Lokibot observed as the post-exploitation payload delivered by exploit documents.
  • [Attachment Types] delivery methods – HTML/script attachments, PDFs with hyperlinks, DOC exploit files, and ZIP archives containing PE files.
  • [Language/Content] sample context – Korean-language phishing emails with specific subjects and attachment filenames used to lure targets.


Read more: https://asec.ahnlab.com/en/89615/