5 web threats that changed email security in 2025

According to Paubox's 2025 Healthcare Email Security Report, HHS Deputy Secretary Andrea Palm warns that "the increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety." These threats have forced security teams to rethink their defenses and adopt new strategies to protect their users and data.

AI-generated phishing campaigns 

According to research published in the Bulgarian Academy of Sciences' Cybernetics and Information Technologies journal, phishing attacks have evolved to employ "sophisticated tactics, enabling threat actors to bypass traditional security measures like MFA."

Unlike traditional phishing attempts that security teams could identify through pattern recognition, these AI-powered campaigns create variations for each target. The emails appear to be legitimate, with the correct grammar, appropriate tone, and relevant information obtained from social media and public databases. According to Paubox's Email Security Report, FBI Special Agent in Charge Robert Tripp notes that "attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike." When victims click through to credential harvesting pages, the sites use AI to conduct convincing conversations, even asking security questions that seem legitimate.

Research from The Hacker News shows that nearly half of AI-generated code contains security flaws, with their analysis revealing exploitable vulnerabilities in 45 percent of automatically generated code. This same technology that creates vulnerable code powers the phishing campaigns targeting organizations.

According to "Phishing Attacks in the Age of Generative Artificial Intelligence: A Systematic Review of Human Factors," advanced AI models can achieve 99 percent accuracy in detecting phishing emails, but attackers use similar technology to create campaigns. This threat has led email security vendors to deploy their own AI systems capable of behavioral analysis rather than simple pattern matching.

QR code attacks bypassing traditional scanners

According to a CNBC report, 73 percent of Americans scan QR codes without verification, and more than 26 million have already been directed to malicious sites. As Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant, explained to CNBC, "As with many technological advances that start with good intentions, QR codes have increasingly become targets for malicious use. Because they are everywhere — from gas pumps and yard signs to television commercials — they're simultaneously useful and dangerous."

These attacks direct victims to scan a QR code with their mobile devices. Gaurav Sharma, a professor at the University of Rochester, notes in the CNBC article that "the crooks are relying on you being in a hurry and you needing to do something."

After the scan, victims are redirected through multiple web layers, often starting with a legitimate compromised website before being forwarded to credential harvesting pages. This approach makes it difficult for security systems to trace the attack chain.

Brewer warns that "what's especially concerning is that legitimate flyers, posters, billboards, or official documents can be easily compromised. Attackers can simply print their own QR code and paste it physically or digitally over a genuine one, making it nearly impossible for the average user to detect the deception."

Furthermore, Rob Lee, chief of research, AI, and emerging threats at the SANS Institute, told CNBC that "QR codes weren't built with security in mind, they were built to make life easier, which also makes them perfect for scammers. We've seen this playbook before with phishing emails; now it just comes with a smiley pixelated square."

Browser-in-the-browser attacks through email links

According to the study published in Cybernetics and Information Technologies, these attacks use "a deceptive pop-up login window that mimics a legitimate authentication portal, forcing users to input private credentials." When users click email links that appear to lead to legitimate services, they're taken to websites that display convincing fake browser windows within the actual browser window. These windows replicate everything from the address bar to security indicators, creating what appears to be a legitimate login portal.

The article "Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar" explains that "BitB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication – a pop-up login form."

The article notes that "attackers are continuously innovating their phishing techniques, particularly in the context of an increasingly professionalized PhaaS ecosystem," with Phishing-as-a-Service platforms making BitB attacks accessible even to less-skilled threat actors. However, the article warns that "even if a phishing-resistant login method exists, the presence of a less secure backup method means the account is still vulnerable to phishing attacks." 

 

Supply chain email compromises via web services

In these compromises, the emails come from the legitimate service itself, but they've been manipulated to include malicious links or attachments. Examples include compromised project management tools sending fake file sharing notifications, accounting software distributing invoice emails with payment fraud links, or HR platforms delivering employment documents containing malware.

According to The Hacker News reporting on IBM's 2025 analysis, organizations typically require 276 days to identify a breach and an additional 73 days to contain it. This extended detection window allows malicious emails to flow from trusted sources for months before discovery.

Organizations can no longer rely solely on sender reputation and authentication protocols. As Rick Kuwahara, Paubox Chief Compliance Officer, explains, "To stay compliant, organizations must continuously evaluate their implementations. That can mean adding in additional layers of defense." The response has included implementing zero-trust approaches to email content regardless of source, requiring manual verification of any requests involving financial transactions or data sharing, and conducting more thorough vendor security assessments. Email systems now analyze the behavior and content patterns of automated service emails to detect anomalies that might indicate compromise.
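As an added illustration of content-pattern analysis for automated service emails (example code written for this article, not Paubox's or any vendor's implementation), the sketch below builds a per-sender baseline of link domains and holds a message whose links leave that baseline even though it passes DMARC. The sender, hosts, and header values are constructed samples, and the two-label domain rule is a simplifying assumption.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_pass(msg):
    # Only trust Authentication-Results headers stamped by your own receiving MTA.
    return any("dmarc=pass" in v.lower() for v in msg.get_all("Authentication-Results", []))

def link_domains(msg):
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            if host:
                # Simplification: the last two labels stand in for the registrable domain.
                found.add(".".join(host.split(".")[-2:]))
    return found

def build_baseline(history):
    baseline = defaultdict(set)  # sender domain -> link domains seen in past mail
    for raw in history:
        msg = message_from_string(raw)
        baseline[sender_domain(msg)] |= link_domains(msg)
    return baseline

def review(raw, baseline):
    """Hold a message whose links leave the sender's baseline, even if DMARC passes."""
    msg = message_from_string(raw)
    unseen = sorted(link_domains(msg) - baseline.get(sender_domain(msg), set()))
    return {"dmarc_pass": dmarc_pass(msg), "unseen": unseen, "hold": bool(unseen)}

def make(sender, body):  # builds a constructed sample message
    return (f"From: Notifications <{sender}>\n"
            f"Authentication-Results: mx.example.net; dmarc=pass header.from={sender.split('@')[1]}\n"
            "Subject: File shared with you\n\n" + body)

HISTORY = [make("notify@pm-tool.example", "View: https://app.pm-tool.example/f/1"),
           make("notify@pm-tool.example", "View: https://cdn.pm-tool.example/f/2")]
SUSPECT = make("notify@pm-tool.example", "View: https://files.unrelated-host.example/f/3")
```

Calling `review(SUSPECT, build_baseline(HISTORY))` reports a DMARC pass together with a hold, which is the case sender reputation and authentication alone would let through.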

Adversary-in-the-middle attacks on email web interfaces

According to the Cybernetics and Information Technologies study, Adversary-in-the-Middle attacks "intercept communicating devices, allowing attackers to hijack accounts and access sensitive data." These attacks position malicious infrastructure between users and their email providers, allowing attackers to steal credentials, bypass multi-factor authentication, and even modify email content as it's being sent or received.

The attacks often begin with emails containing links to fake Wi-Fi portals, VPN configurations, or software updates that establish the attacker's position in the communication chain. Once positioned, they can harvest session tokens that provide ongoing access even after users change their passwords. 
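Because harvested session tokens can outlive a password change, one detection is to look for sessions issued before the change that are still being used after it. The following is an added example, not code from the original article; the event fields and values are a constructed log format, not any identity provider's schema.

```python
from datetime import datetime

# Constructed identity-provider events (hypothetical field names).
EVENTS = [
    {"t": "2025-03-01T09:00:00", "type": "session_issued", "user": "alice", "sid": "s1", "ip": "198.51.100.7"},
    {"t": "2025-03-01T09:05:00", "type": "session_use", "user": "alice", "sid": "s1", "ip": "203.0.113.50"},
    {"t": "2025-03-01T10:00:00", "type": "password_change", "user": "alice"},
    {"t": "2025-03-01T10:01:00", "type": "session_issued", "user": "alice", "sid": "s2", "ip": "198.51.100.7"},
    {"t": "2025-03-01T11:30:00", "type": "session_use", "user": "alice", "sid": "s1", "ip": "203.0.113.50"},
    {"t": "2025-03-01T11:31:00", "type": "session_use", "user": "alice", "sid": "s2", "ip": "198.51.100.7"},
]

def stale_session_use(events):
    """Flag uses of a session that was issued before the user's latest password change."""
    issued = {}       # sid -> (issue time, issuing IP)
    last_change = {}  # user -> time of most recent password change
    findings = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["t"])):
        ts = datetime.fromisoformat(e["t"])
        if e["type"] == "session_issued":
            issued[e["sid"]] = (ts, e["ip"])
        elif e["type"] == "password_change":
            last_change[e["user"]] = ts
        elif e["type"] == "session_use":
            changed = last_change.get(e["user"])
            born = issued.get(e["sid"])
            # The session predates the password change but is still accepted afterwards.
            if changed and born and born[0] < changed:
                findings.append({
                    "user": e["user"],
                    "sid": e["sid"],
                    "used_at": e["t"],
                    "ip_changed": e["ip"] != born[1],  # client differs from issuance
                })
    return findings

def sessions_to_revoke(events):
    """Session IDs that should have been invalidated by the password change."""
    return {f["sid"] for f in stale_session_use(events)}
```

Any finding means the password change did not revoke existing sessions; revoking all of a user's sessions on credential reset closes that gap.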

FAQs

Could AI-generated phishing be used to launch insider threats, not just external attacks?

Yes, hyper-personalized AI phishing could be tailored to manipulate trusted employees into unintentionally aiding internal breaches.

 

Are small healthcare practices at greater risk than larger organizations from these email threats?

Smaller organizations often lack dedicated security teams and advanced tools, making them easier targets.

 
