Types of email platform attacks targeting organizations in 2025
Gugu Ntsele October 15, 2025
Email remains the primary attack vector for cybercriminals targeting organizations worldwide. Threat actors have refined their techniques, exploiting both human psychology and technological vulnerabilities to breach cybersecurity defenses.
Business email compromise (BEC)
According to research by Suleman Lazarus in "Cybercriminal Networks and Operational Dynamics of Business Email Compromise (BEC) Scammers," BEC accounted for $50 billion in losses in the United States alone, with the Internet Crime Complaint Center noting that "this figure only represents reported losses, and many more crimes go unreported."
These scams involve attackers impersonating executives, vendors, or trusted business partners to manipulate employees into transferring funds or sharing sensitive information. Unlike traditional phishing, BEC attacks often involve research, with criminals studying organizational hierarchies, communication patterns, and business relationships before striking.
What makes BEC dangerous is its organizational structure. Lazarus found that these networks operate with "exceptional fluidity and specialization," where "cybercriminals involved in BEC activities functioned horizontally, promoting fluidity, maneuverability, collaboration, and specialization." This means BEC operations are more adaptive than traditional criminal enterprises, with individuals transitioning between roles depending on the needs of each attack.
Lazarus's research revealed that BEC networks include "individuals from diverse geographical locations, such as Canada, Australia, the United Kingdom, the United States, and Nigeria, all concurrently participating in BEC operations." This transnational coordination allows attackers to exploit time zones, jurisdictional boundaries, and varying levels of cybersecurity awareness across different regions.
AI-powered phishing campaigns
Attackers now use generative AI to create personalized emails. These messages can mimic writing styles, reference specific projects or colleagues, and adapt to different organizational contexts. As noted in Digital Deception: Generative Artificial Intelligence in Social Engineering and Phishing, large language models "can craft highly convincing and personalized phishing emails that are contextually relevant to the recipient, vastly increasing the success rate of such attacks."
AI-powered phishing extends beyond text. Deepfake technology allows criminals to create voice messages and video calls impersonating executives or IT personnel. These multimedia attacks can bypass traditional email security filters and exploit the inherent trust in audio-visual communication. The research further explains that deepfakes enable "impersonation: By creating a near-flawless visual and auditory imitation of a trusted individual - such as colleagues, friends, or family members - malicious actors can convince recipients to carry out tasks or disclose sensitive information."
Ransomware delivery via email
Modern ransomware campaigns often begin with emails containing malicious attachments or links. Attackers steal sensitive information and threaten to publish stolen data if ransom demands aren't met. Some groups now also threaten to launch DDoS attacks or contact customers directly, adding additional pressure layers on victim organizations.
An example of these tactics is the Play ransomware group, which has been active since 2022 and ranked among the most active cyberthreat groups in 2024. According to a joint advisory issued in June 2025 by the FBI, Cybersecurity and Infrastructure Security Agency, and Australian Cyber Security Centre, the group had impacted approximately 900 victims across North America, South America, and Europe as of May 2025. The group targets a wide range of businesses and critical infrastructure, with the health care sector the most frequently targeted.
What distinguishes Play ransomware is its unique operational approach. The threat actors operate as a closed group to "guarantee the secrecy of deals," employing a double-extortion model that encrypts systems only after exfiltrating data. Unusually, their ransom notes do not include initial ransom demands or payment instructions; instead, victims must contact the attackers via email to negotiate.
Supply chain email attacks
Cybercriminals target organizations through their supply chain relationships. These attacks exploit the trust between businesses and their vendors, using compromised supplier email accounts to distribute malware or fraudulent requests. A single compromised vendor can provide access to dozens or hundreds of downstream organizations.
These attacks became evident in a 2023 campaign analyzed in "VEC Campaign Targets Critical Infrastructure Firms with Invoice Fraud Attack," where a single threat actor compromised five different vendor email accounts and successfully delivered invoice fraud attacks to 15 individuals across five customer organizations in critical infrastructure sectors. Supply chain email attacks often involve impersonation of vendor communications, including fake invoices with altered payment details or malicious software updates disguised as legitimate patches.
What makes vendor email compromise dangerous is that emails sent from compromised vendor accounts appear legitimate; the sender's email address and domain are authentic, and the content uses language victims would expect from their vendors. As one analyst noted, these attacks are "harder to spot (or at least harder to foil) than a regular BEC attack" because recipients are less likely to verify requests from vendor contacts they may not know well, especially if they haven't dealt with that specific person before.
Credential harvesting and account takeover
Attackers create convincing replicas of login pages for popular platforms like Microsoft 365, Google Workspace, or VPN portals. These credential harvesting attacks often leverage urgent pretexts such as security alerts, password expiration notices, or mandatory account verifications.
These attacks have escalated with the emergence of Adversary-in-the-Middle (AiTM) phishing kits. According to SC Media's coverage of "'Sneaky Log' Phishing Kits Slip by Microsoft 365 Accounts," a new AiTM phishing kit targeting Microsoft 365 accounts has demonstrated the ability to intercept both user credentials and two-factor authentication, effectively bypassing anti-phishing defenses such as email and secure web gateways. These phishing pages, which have been circulating since at least October 2024, are sold as Phishing-as-a-Service kits through a cybercrime service called "Sneaky Log" operating via Telegram.
The phishing links are crafted to pass the victim's email address to the login page, enabling autofill functionality that mimics legitimate website behavior. The attackers piggyback on compromised legitimate websites with reputable URLs and use Cloudflare's free firewall service with CAPTCHA and AI-based anti-bot measures to block web security crawlers, making the attack effectively invisible to traditional network security tools. If a visitor is detected as a bot, the page displays harmless content or redirects to legitimate sites like Wikipedia, further evading automated detection.
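The autofill trick described above leaves a detectable trace: the link itself carries the recipient's address. As an added example that is not part of the original article, the following Python check flags links whose path segments, query values or fragment contain the recipient's address, either plainly, percent-encoded, or base64-encoded; the domains and the address are constructed placeholders, not real indicators.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample: the recipient of the email and the links found in its body.
# All hosts and addresses are placeholders, not indicators from any real campaign.
RECIPIENT = "jane.doe@example.com"
SAMPLE_LINKS = [
    "https://compromised-site.example/login/?user=jane.doe%40example.com",  # percent-encoded
    "https://compromised-site.example/auth#amFuZS5kb2VAZXhhbXBsZS5jb20=",   # base64 in fragment
    "https://compromised-site.example/page/jane.doe@example.com",           # plain in path
    "https://www.example.org/newsletter?id=1234",                           # benign
]

def _candidates(url):
    """Yield each URL component where an address could be smuggled, percent-decoded."""
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        yield unquote(segment)
    yield unquote(parts.fragment)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        yield value

def _decode_base64(token):
    """Try standard and URL-safe base64 with padding repaired; return '' if it is not base64."""
    token = token.strip()
    if len(token) < 8 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", token):
        return ""
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8", "ignore")
        except ValueError:
            continue
    return ""

def embeds_recipient(url, recipient):
    """Return 'plain' or 'base64' when the recipient address is embedded in the URL, else None."""
    target = recipient.lower()
    for fragment in _candidates(url):
        if target in fragment.lower():
            return "plain"
        if target in _decode_base64(fragment).lower():
            return "base64"
    return None

def flag_links(links, recipient):
    """Map every link to the embedding style found (None for links that look clean)."""
    return {url: embeds_recipient(url, recipient) for url in links}

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_LINKS, RECIPIENT).items():
        print(f"{verdict or 'clean':7} {url}")
```

A hit is a strong signal rather than proof, so it belongs in a scoring pipeline alongside sender reputation and link-destination checks.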
Malicious QR code campaigns
QR code phishing, or "quishing," has emerged as a threat vector. Attackers embed malicious QR codes in emails that, when scanned with mobile devices, redirect users to phishing sites or trigger malware downloads. This technique bypasses traditional email security solutions that focus on URL and attachment scanning.
Research detailed in Hooked: A Real-World Study on QR Code Phishing found that in distribution campaigns, 61% of QR codes in flyers were scanned at least once, demonstrating user engagement with this attack vector. User behavior regarding security awareness is more concerning: a survey of 132 participants revealed that while approximately half had concerns about QR code security, they used QR codes nonetheless, and more than one-third had no concerns at all and were not aware of any security risks associated with QR codes.
The mobile-first nature of QR code attacks presents challenges. Users scanning codes on their smartphones may be less vigilant than when clicking links on computers, and mobile devices often have fewer security controls. The research identified that functionality and accessibility were the primary reasons users scan QR codes (70.73%), followed by curiosity (26.02%), with convenience cited as the biggest factor in disclosing personal information.
Conversation hijacking attacks
Thread hijacking is when criminals insert themselves into existing email conversations. After compromising an account, attackers monitor ongoing discussions and inject malicious links or attachments into active threads. Because these messages appear within legitimate conversation chains from trusted contacts, recipients are far more likely to engage with malicious content.
According to the University of Salford Manchester’s article on conversation hacking, "More sophisticated attacks have surfaced where the attacker will converse with an employee and pretend to be a more senior member of staff. This sometimes results in the conversation being continued on a less formal platform where they can bypass any corporate security protections."
FAQs
Can small businesses fall victim to supply chain email attacks even without large vendor networks?
Yes, attackers can exploit any vendor relationship, including small or local suppliers, to gain access to systems.
How long does it typically take attackers to execute a BEC operation?
BEC attacks can take weeks or months, as criminals often spend time researching organizational hierarchies and communication habits.
How do attackers monetize credential harvesting besides account takeover?
Stolen credentials can be sold on dark web marketplaces, used for identity theft, or leveraged for further phishing campaigns.