Phishing and ransomware attacks spiked in October 2025, with threat actors increasingly using legitimate platforms like Google and Figma to compromise corporate systems.
According to Cyber Security News, October 2025 saw a notable rise in phishing and ransomware activity targeting enterprises across multiple sectors. Cybercriminals increasingly abuse trusted cloud platforms such as Google, Figma, and ClickUp to bypass traditional security filters and harvest credentials. Concurrently, ransomware operations like LockBit expanded into cross-platform attacks, affecting virtual machines and hypervisors.
Analysis from cybersecurity firms showed an urgent need for behavior-based threat detection as attackers shifted from static malware signatures to more evasive, cloud-based delivery methods.
Phishing campaigns in October showed new levels of sophistication. One campaign impersonated Google Careers to target tech and consulting professionals. Attackers used Salesforce redirects, CAPTCHAs powered by Cloudflare Turnstile, and fake application pages to steal login credentials, often directing victims to domains such as satoshicommands.com.
Figma was also weaponized by attackers who embedded malicious links in shared prototype documents, which mimicked Microsoft login pages. These attacks often bypassed email filters because Figma’s domain was trusted, and they were linked to threat actor Storm-1747.
ClickUp’s doc.clickup.com subdomain was exploited to redirect victims through Microsoft and Azure-hosted microdomains. This method mimicked regular collaboration workflows and proved difficult for security teams to detect using standard whitelisting.
Another major threat was TyKit, a phishing kit that hides malicious JavaScript inside SVG files. It resurged in October, targeting sectors such as finance, government, and telecom. TyKit used advanced techniques like anti-debugging, base64 obfuscation, and attacker-in-the-middle (AitM) credential theft, leading to widespread account takeovers.
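The SVG trick described above works because an SVG is XML that a browser will happily render, and XML can carry a `<script>` element, `on*` event handlers and `javascript:` links alongside the drawing. The following added example (not code from the article or from any vendor it names) shows the kind of attachment check a mail gateway or SOC script can apply before an SVG reaches a user: it walks the XML tree and reports script elements, event handlers, script-scheme URLs, and long base64-looking blobs of the sort obfuscated kits embed. Both SVG samples are constructed for the demonstration; the "suspicious" one carries only filler bytes, not a real payload, and the thresholds and name lists are assumptions to tune for your environment.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructs that give an SVG a way to run code or load foreign content when a
# browser renders it. Names and the 120-char blob threshold are assumptions.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a list of (finding, detail) tuples for active content in an SVG.

    An empty list means nothing in the file could execute or decode code.
    In production parse with defusedxml instead of ElementTree so that entity
    expansion attacks in hostile XML are rejected as well.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("active_element", name))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings.append(("event_handler", aname))
            if aname == "href" and SCRIPT_URL.match(value):
                findings.append(("script_url", value[:40]))
            if BASE64_BLOB.search(value):
                findings.append(("base64_blob", f"attribute {aname}"))
        text = (elem.text or "") + (elem.tail or "")
        if BASE64_BLOB.search(text):
            findings.append(("base64_blob", f"text of <{name}>"))
    return findings


def is_suspicious(svg_text):
    """Gateway-style verdict: any active-content finding blocks the attachment."""
    return bool(scan_svg(svg_text))


# Constructed benign sample: a plain drawing with no scripting hooks.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="#3a7" />
</svg>"""

# Constructed suspicious sample modelled on the structure the article describes:
# an onload handler, an inline <script> holding a base64 blob, and a
# javascript: link. The blob is base64 of filler text, not a real payload.
_FILLER = base64.b64encode(b"constructed filler " * 12).decode()
SUSPICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/javascript">
    // constructed placeholder: kits decode and evaluate a blob like this one
    var blob = "{_FILLER}";
  </script>
  <a xlink:href="javascript:void(0)"><text x="10" y="20">Open document</text></a>
</svg>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", "BLOCK" if is_suspicious(sample) else "allow", scan_svg(sample))
```

The scan is deliberately structural rather than signature-based: it does not try to recognise a specific kit, only the capabilities (script execution, event handlers, script URLs, large opaque blobs) that a legitimate design export never needs. Pair it with sandbox detonation for anything it blocks, since the base64 rule will also fire on large embedded raster images, which is the main false-positive source to expect.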
On the ransomware side, LockBit 5.0 emerged with the ability to infect not just Windows, but also Linux and VMware ESXi environments. The malware used DLL reflection and obfuscation to avoid detection and could simultaneously encrypt multiple virtual machines. Enterprises across North America, Europe, and Asia reported disruptions, particularly in data centers hosting virtualized infrastructure.
Security researchers stated that static tools often miss these new attack chains. Instead, they recommend sandbox detonation, phishing-resistant MFA, and proactive domain monitoring as defense strategies.
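The redirect pattern described for Figma and ClickUp, and the "proactive domain monitoring" recommended here, can be turned into a concrete triage rule over proxy or click logs. The added example below is not code from the article or from any vendor it names. It assumes a constructed JSON-lines log in which each record carries the user and the ordered redirect chain the browser followed, and flags chains that start on a trusted collaboration host and land on a different registrable domain, that end on a brand-lookalike hostname not in the expected login allowlist, or that hop three or more times. All hostnames under `.example` are constructed for the demonstration, and the allowlist and brand tokens are assumptions to replace with your own.

```python
import json
from urllib.parse import urlparse

# Collaboration platforms the article names as abused for link hosting. A chain
# that begins here and ends elsewhere is the pattern worth reviewing.
TRUSTED_HOSTS = {"docs.google.com", "figma.com", "www.figma.com", "doc.clickup.com"}
# Hosts where a credential prompt is expected (assumed allowlist; extend per tenant).
LOGIN_ALLOWLIST = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}
# Tokens that suggest a landing page is imitating a login brand (assumption).
BRAND_TOKENS = ("microsoft", "office", "outlook", "sharepoint", "login", "sso")
MAX_HOPS = 2


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude eTLD+1 (last two labels). Use a public-suffix library in production."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_chain(chain):
    """Return the list of reasons a redirect chain deserves analyst attention."""
    reasons = []
    hosts = [host_of(u) for u in chain]
    first, last = hosts[0], hosts[-1]
    if first in TRUSTED_HOSTS and registrable(last) != registrable(first):
        reasons.append("trusted_platform_pivot")
    if last not in LOGIN_ALLOWLIST and any(tok in last for tok in BRAND_TOKENS):
        reasons.append("brand_lookalike_landing")
    if len(chain) > MAX_HOPS:
        reasons.append("long_redirect_chain")
    return reasons


def triage(log_lines):
    """Run every record through analyse_chain and collect the ones that fire."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        reasons = analyse_chain(rec["chain"])
        if reasons:
            alerts.append({"user": rec["user"],
                           "landing": host_of(rec["chain"][-1]),
                           "reasons": reasons})
    return alerts


# Constructed sample log: one JSON record per click, chain in browser order.
SAMPLE_LOG = [
    '{"user": "alice", "chain": ["https://www.figma.com/proto/abc123"]}',
    '{"user": "bob", "chain": ["https://www.figma.com/proto/def456", '
    '"https://sso-microsoft-verify.example/auth"]}',
    '{"user": "carol", "chain": ["https://doc.clickup.com/p/shared-brief", '
    '"https://redirect.example/r?x=1", "https://office365-docs.example/login"]}',
    '{"user": "dave", "chain": ["https://docs.google.com/document/d/xyz", '
    '"https://accounts.google.com/signin"]}',
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Note what the fourth record shows: a hop from Google Docs to the real Google sign-in stays silent because both hosts share a registrable domain and the landing host is allowlisted, so the rule keys on where a chain ends relative to where it started rather than on the trusted platform itself, which is exactly the distinction standard domain allowlisting misses.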
October’s surge in phishing and ransomware shows how attackers are now turning the tools we trust most into entry points. Services like Google, Figma, and ClickUp are being used to host and deliver malicious links, letting phishing campaigns slip past traditional filters. At the same time, ransomware groups such as LockBit are expanding into virtualized environments, making containment harder and the impact broader. The pattern is clear: cybercriminals are blending into normal business workflows, using familiar platforms and realistic prompts to reach users directly.
Security teams are responding by shifting toward behavior-based detection and real-time monitoring instead of relying only on static signatures. Solutions such as Paubox Inbound Email Security add an extra layer of protection by using generative AI to recognize the tone and intent behind messages, helping stop threats that appear legitimate at first glance. Together with phishing-resistant MFA and regular domain monitoring, these steps help close the gaps that trusted platforms can unintentionally create.
Attackers exploit the trust that users and email filters place in these services. By using legitimate domains, they can elude security systems and increase the likelihood of user engagement.
TyKit is a phishing kit that hides malicious JavaScript inside SVG files. Its ability to bypass static detection and target multiple sectors with advanced evasion tactics makes it a persistent threat.
LockBit 5.0 can now target Windows, Linux, and VMware ESXi environments, expanding its reach to virtualized infrastructure and making it more difficult for IT teams to contain.
AitM phishing intercepts credentials during real-time sessions by placing the attacker between the user and a legitimate service, allowing full session hijacking even when MFA is used.
Implement phishing-resistant MFA, monitor redirect patterns and suspicious domains, run behavioral detection in sandboxes, enforce VPN access, and routinely rehearse response playbooks.