July 30, 2025 4 Minute Read

It seems everyone loves phishing attacks.

Trustwave's Ed Williams, vice president of SpiderLabs, during a recent Trustwave webinar, discussed the ongoing threat posed by the increasingly sophisticated phishing incidents that remain the primary vector for initial access in cyberattacks.

What Williams interestingly noted was that threat actors are not the only group using phishing to gain access to organizations. It's also the preferred method used by cybersecurity professionals conducting penetration tests and red and purple teaming exercises.

Why? Because, unfortunately, it works the majority of the time, which makes it a great weapon, but this very fact also makes it a great teaching tool.

Trustwave has introduced the Trustwave Managed Phishing for Microsoft, which is designed to educate employees on recognizing and responding to phishing emails. But more on this later.

First, Some Facts and Figures: The Surge in Quishing and AI-Enhanced Attacks

The most recent FBI numbers show phishing was the most reported cybercrime last year, with 193,407 complaints, alongside 21,442 cases of business email compromise (BEC). This data confirms what security experts have long advised: a layered email security strategy is no longer optional; it's a necessity.

The financial ramifications of successful phishing attacks are substantial, with an estimated $55 billion lost due to business email compromise (BEC) incidents, which are usually a direct spin-off from a phishing incident.

Successful initial compromise via phishing often enables attackers to achieve lateral movement within an organization, leading to further malicious activities, such as injecting ransomware into a system.

The success phishing enjoys has spurred attackers to adopt related styles of attacks, such as quishing, Williams noted. There has been a 500% increase in "quishing" attacks, which leverage QR codes, and it is an issue that Trustwave often comes across. The success of these attacks is largely attributed to the current limitations of security infrastructures in detecting and analyzing malicious QR codes, and sometimes general ignorance among the recipients that a QR code can even be dangerous.

Trustwave MailMarshal's engine was updated last year to identify QR codes within emails, ensuring our detection filters catch an associated malicious activity. AI powers these engines to identify and recognize patterns to detect quishing attacks and eliminate the threat before it hits a client's inbox.

The increasing sophistication of phishing campaigns is further amplified by the integration of Artificial Intelligence (AI). AI tools allow threat actors to craft highly convincing and complex phishing scenarios with greater ease and scale, posing a significant challenge for defensive measures.

Key Phishing Tactics and Observations

During the webinar, Williams analyzed the current threat landscape, revealing several predominant phishing tactics:

• Phishing-as-a-Service (PhaaS): The proliferation of cloud platforms such as AWS, Google Cloud, and Microsoft Azure has facilitated the emergence of PhaaS, enabling less sophisticated attackers to launch wide-ranging global phishing campaigns.
• Abuse of Legitimate Platforms: Widely used and trusted platforms such as DocuSign and Dropbox are frequently exploited. Their widespread legitimate use makes it challenging to differentiate between legitimate and malicious activity, creating a constant "cat and mouse" dynamic for security teams.
• URL Open Redirects: This classic technique continues to be effective, allowing attackers to redirect users through trusted domains to malicious sites. The scale and ease of deployment for these attacks have been significantly amplified by advancements in AI and cloud infrastructure, making it easier for even non-expert attackers to execute sophisticated campaigns.

Prominent Attachment Types in Phishing Campaigns

The following attachment types, which are generally considered safe by a recipient, are frequently employed in phishing attacks, according to Trustwave research:

• HTML: HTML continues to be a highly effective and commonly used format for delivering phishing content, and despite long-standing awareness, executable files surprisingly remain a successful vector for initial compromise.

  In one case, an HTML-based campaign was entirely self-contained, meaning all necessary code was within the HTML file itself. When opened, it locally rendered a deceptive online banking page, designed to trick users into submitting their credentials.

• PDF: The complexity of PDF files allows threat actors to embed malware, making it difficult to detect. Tactics such as delivering a malicious CV in PDF format to human resources departments are consistently effective, as they are expected and requested by the HR staff. Similarly, Excel spreadsheets are frequently used to target finance personnel, who are accustomed to opening such files for the same reasons.

  One PDF-based attack, Williams noted, involved a PDF with Double Decode and 2FA Bypass. This sophisticated attack involved a PDF file that contained an embedded QR code. This "double decode" mechanism made detection extremely difficult for gateway software. The campaign was successful in bypassing a two-factor authentication (2FA) mechanism, emphasizing that while 2FA is a crucial security layer, it is not a complete solution.
  

• QR Code: This leads us to the QR Code attack method. As previously mentioned, this involves sending QR codes that, when scanned by a mobile device or computer, direct the user to a fake email verification page, aiming to capture credentials for subsequent use.
• SVG (Scalable Vector Graphics): SVG image files have gained popularity due to their complexity, which allows for the embedding of code that can initiate further malicious actions. For example, a victim from the Middle East was hit with an SVG file containing obfuscated JavaScript code. Upon execution, the JavaScript, designed to evade gateway detection due to its complexity, redirected the user to a phishing page for credential harvesting.

While some of these methods may seem outdated, their continued success highlights persistent vulnerabilities that organizations must address at their network perimeters. And these methods will continue to be used as long as they are successful.

Trustwave Managed Phishing Service

Trustwave's Managed Phishing for Microsoft is a service designed specifically for organizations leveraging Microsoft Office 365 and Defender for Office (E5 or equivalent). While Microsoft email security's native tools are a strong foundation, today's AI-enhanced phishing attacks demand greater protection, faster response, and more ongoing user awareness than most internal teams can support on their own.

The service's key components include:

• Technology Management: The Trustwave team manages the initial setup and ongoing configuration of phishing-related policies, rules, and tuning. This ensures optimal protection without overburdening your internal IT team.
• Detection Enhancement: Backed by the world-renowned SpiderLabs threat research team, Trustwave applies cutting-edge techniques and our proprietary AI/ML email security engines to detect even the most evasive phishing campaigns before reaching your users' inboxes. This multi-layered protection reduces threat exposure by over 99%, closing gaps left by standard Microsoft filtering.
• Phishing Simulations: Regular, targeted simulations based on real-world phishing campaigns help test and improve user behavior. Trustwave customizes the experience based on your environment and threat landscape, delivering phishing simulations on a monthly basis. Each campaign includes user-level reporting and actionable next steps.
• Phishing Threat Response: 24/7 analysis, investigation, and response to suspected phishing emails. The service proactively identifies and neutralizes phishing threats, including user-reported phishing and malware incident alerts that bypass Microsoft's native tools.
• Reporting and Intelligence: Ongoing analysis of user behavior, attack patterns, and emerging phishing trends leads to intelligent tuning of your security posture. Trustwave experts provide strategic recommendations based on live threat data and client-specific insights.