
VIPRE Security Group: Cybercriminals Deploy Creative, Laser-Focused Tactics to Bypass Traditional Email Defenses, VIPRE's Q3 2025 Email Threat Report Reveals

With traditional technical defenses strengthened, attackers are strategizing increasingly clever ways of using everyday methods to get around them

LONDON, Nov. 6, 2025 /PRNewswire/ -- VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 Email Threat Landscape Report. Processing and analysing 1.8 million emails, this report highlights the most critical email security threat trends identified in Q3 2025, to help organizations strengthen their email defense strategies against the creative, sophisticated, and highly targeted tactics of threat actors, designed to circumvent traditional cybersecurity measures.

Commercial clutter, the perfect cover for cyberthreats

Legitimate but "spammy" commercial messages dominated this quarter at 60%, up 34% year-on-year. Phishing messages rose to 23% from 20%, while scams dropped to 10% from 34%. This flood of routine commercial clutter is designed to desensitize even the most security-conscious users, making malicious emails blend seamlessly into the noise. When inboxes overflow with legitimate-looking messages, users become less vigilant about what they click on.

Overall, more than a third of all spam emails are maliciously designed to cause harm, encompassing phishing attempts, scams, and malware.

Cold outreach marketing and shotgun list bombing dominate commercial spam

Within the 60% commercial spam category, cold outreach marketing emails dominated with 72% of the cases. List bombing claimed another 16%, a tactic where attackers maliciously subscribe victims to hundreds or thousands of mailing lists, newsletters, or promotional sign-ups simultaneously, flooding their inboxes with unwanted content. This overwhelming deluge frustrates users but serves as the perfect smokescreen for concealing genuine threats among the chaos.

Newly registered domains on the rise for phishing, but open redirects preferred

Threat actors increasingly registered large numbers of domains to launch temporary phishing sites, quickly deactivating them upon discovery to evade detection and blacklisting. This trend stresses that traditional blacklisting of email domains and signature-based detection measures alone are inadequate.

However, despite the success of newly registered domains, compromised URLs or open redirects remain attackers' preferred phishing vector, employed in 80% of campaigns. Newly registered domains account for only the remaining 20%, but they are a trend to watch.

Outlook and Google mailboxes top targets for credential harvesting

Attackers are concentrating their efforts on the world's two largest business and personal email platforms, Outlook and Google, which today account for 90% of observed phishing attacks. This strategic focus is enabling threat actors to maximize efficiency by reducing the research and customization required for individual campaigns.

Fetch API emerges as preferred data exfiltration method

One-third of phishing attacks leveraged Fetch API, a sophisticated JavaScript interface for network requests, to exfiltrate stolen credentials. By comparison, fewer than 10% of attacks used POST requests - the traditional HTTP method for transmitting data to servers. This trend suggests attackers are adopting more advanced techniques that may evade conventional security detection mechanisms designed to monitor standard POST-based data transfers.

Apple TestFlight exploits to distribute malicious iOS apps

Sophisticated threat actors abused Apple's TestFlight platform to deliver malware-laden iOS applications to targeted victims. Exploiting TestFlight's legitimate beta testing framework allowed attackers to distribute pre-release test software via invite or public links, bypassing Apple's standard App Store review processes and security controls, to deliver malicious payloads directly to users' devices.

Geographic distribution is helping malware evade blocklists

Over 60% of spam emails originated from the United States, 9% from Hong Kong, showing a 5% growth in Q1 2025 and 8% in Q2 2025; 6% from Great Britain; and 25% collectively from other developed countries. This geographic dispersion across spam-sending markets makes IP-based geographic blocking impractical and inadvisable - a vulnerability that attackers deliberately exploit.

Spam sender sources highlight attackers' creative detection-evasion techniques

Attackers used a variety of creative techniques to evade detection and maximize spam delivery.

Most notably, compromised accounts (33%) demonstrate that attackers exploited trusted domains to bypass reputation checks and filters despite email authentication (SPF/DKIM) anomalies. 32% of campaigns exploited free popular services, such as Gmail, Yahoo, and Outlook, alongside lesser-known free relays including GMX, ProtonMail, Zoho, and Yandex.

Misusing the strong IP reputations of bulk mailing services like SendGrid, Mailgun, and Amazon SES, attackers weaponised them either through fake sign-ups or compromised customer accounts.

"Today's cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication," Usman Choudhary, General Manager, VIPRE Security Group, says. "They're manipulating trusted platforms, layering evasion tactics into seamless attack chains, and using commercial spam as cover for their operations. To counter this, organizations need to deploy equally adaptive and layered defenses. The question isn't whether defenses work today, but rather will they adapt fast enough for tomorrow?"

To read the full report, click here: VIPRE Email Threat Landscape Report: Q3 2025

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.

About VIPRE Security Group

VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world's largest threat intelligence clouds, delivering exceptional protection against today's most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and high-quality security awareness training for compliance and risk management. VIPRE solutions deliver an easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services, operating globally across North America and Europe.

The group operates under various brands, including VIPRE®, StrongVPN®, IPVanish®, Inspired eLearning®, Livedrive®, and SugarSync®. www.VIPRE.com

View original content: https://www.prnewswire.co.uk/news-releases/cybercriminals-deploy-creative-laser-focused-tactics-to-bypass-traditional-email-defenses-vipres-q3-2025-email-threat-report-reveals-302606073.html

© 2025 PR Newswire