Cybercriminals Deploy Creative, Laser-Focused Tactics to Bypass Traditional Email Defenses, VIPRE’s Q3 2025 Email Threat Report Reveals

VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 Email Threat Landscape Report.

Processing and analysing 1.8 million emails, this report highlights the most critical email security threat trends identified in Q3 2025, to help organizations strengthen their email defense strategies against the creative, sophisticated, and highly targeted tactics of threat actors, designed to circumvent traditional cybersecurity measures.

Commercial clutter, the perfect cover for cyberthreats

Legitimate but “spammy” commercial messages dominated this quarter at 60%, up 34% year-on-year. Phishing messages rose to 23% from 20%, while scams dropped to 10% from 34%. This flood of routine commercial clutter is designed to desensitize even the most security-conscious users, making malicious emails blend seamlessly into the noise. When inboxes overflow with legitimate-looking messages, users become less vigilant about what they click on.

Overall, more than a third of all spam emails are maliciously designed to cause harm, encompassing phishing attempts, scams, and malware.

Cold outreach marketing and shotgun list bombing dominate commercial spam  

Within the 60% commercial spam category, cold outreach marketing emails dominated with 72% of the cases. List bombing claimed another 16%, a tactic where attackers maliciously subscribe victims to hundreds or thousands of mailing lists, newsletters, or promotional sign-ups simultaneously, flooding their inboxes with unwanted content. This overwhelming deluge frustrates users but serves as the perfect smokescreen for concealing genuine threats among the chaos.

Newly registered domains on the rise for phishing, but open redirects preferred

Threat actors increasingly registered large numbers of domains to launch temporary phishing sites, quickly deactivating them upon discovery to evade detection and blacklisting. This trend stresses that traditional blacklisting of email domains and signature-based detection measures alone are inadequate.

However, despite the success of newly registered domains, compromised URLs or open redirects remain attackers’ preferred phishing vector, employed in 80% of campaigns. Newly registered domains account for only the remaining 20%, but is a trend to watch.

Outlook and Google mailboxes top targets for credential harvesting  

Attackers are concentrating their efforts on the world’s two largest business and personal email platforms, Outlook and Google, which today form 90% of observed phishing attacks. This strategic focus is enabling threat actors to maximize efficiency by reducing the research and customization required for individual campaigns.

Fetch API emerges as preferred data exfiltration method

One-third of phishing attacks leveraged Fetch API, a sophisticated JavaScript interface for network requests, to exfiltrate stolen credentials. By comparison, fewer than 10% of attacks used POST requests – the traditional HTTP method for transmitting data to servers. This trend suggests attackers are adopting more advanced techniques that may evade conventional security detection mechanisms designed to monitor standard POST-based data transfers.

Apple TestFlight exploits to distribute malicious iOS apps 

Sophisticated threat actors abused Apple’s TestFlight platform to deliver malware-laden iOS applications to targeted victims. Exploiting TestFlight’s legitimate beta testing framework allowed attackers to distribute pre-release test software via invite or public links, bypassing Apple’s standard App Store review processes and security controls, to deliver malicious payloads directly to users’ devices.

Geographic distribution is helping malware evade blocklists

Over 60% of spam emails originated from the United States, 9% from Hong Kong, showing a 5% growth in Q1 2025 and 8% in Q2 2025; 6% from Great Britain; and 25% collectively from other developed countries. This geographic dispersion across spam-sending markets makes IP-based geographic blocking impractical and inadvisable – a vulnerability that attackers deliberately exploit.

Spam sender sources highlight attackers’ creative detection-evasion techniques 

Attackers used a variety of creative techniques to evade detection and maximize spam delivery.

Most notably, compromised accounts (33%) demonstrate that attackers exploited trusted domains to bypass reputation checks and filters despite email authentication (SPF/DKIM) anomalies. 32% of campaigns exploited free popular services, such as Gmail, Yahoo, and Outlook, alongside lesser-known free relays including GMX, ProtonMail, Zoho, and Yandex.

Misusing the strong IP reputations of bulk mailing services like SendGrid, Mailgun, and Amazon SES, attackers weaponised them either through fake sign-ups or compromised customer accounts.

“Today’s cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication,” Usman Choudhary, General Manager, VIPRE Security Group, says. “They’re manipulating trusted platforms, layering evasion tactics into seamless attack chains, and using commercial spam as cover for their operations. To counter this, organizations need to deploy equally adaptive and layered defenses. The question isn’t  whether defenses work today, but rather will they adapt fast enough for tomorrow?”

To read the full report, click here: Email Threat Trends Report: Q3 2025

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.