
Surge in Phishing Attacks Hijacking Legitimate Microsoft Communications

A KnowBe4 Threat Lab Publication. Authors: James Dyer, Threat Intelligence Lead at KnowBe4, and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4.

On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains. KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.

Report: Phishing Remains the Most Prevalent Cyber Threat

INKY has published its annual report on email security, finding that phishing accounted for 30% of all reported cybercrimes last year. “Phishing threats grew in both volume and sophistication, introducing new attack vectors like QR codes, cross-site scripting, and weaponized file types (e.g., RTF and DOT),” the report says. “Cybercriminals also increasingly exploited trusted services such as DocuSign and PayPal, underscoring the urgent need for adaptive, robust security solutions.”

Amount of Money Requested In BEC Attacks Nearly Doubled in Q4 2024

The average amount of money requested in business email compromise (BEC) attacks spiked to $128,980 in the fourth quarter of 2024, according to the Anti-Phishing Working Group’s (APWG’s) latest report. This is nearly double the amount requested during Q3 2024. The researchers found that Gmail accounts were used to launch 81 percent of BEC scams last quarter. The report also warns of a surge in SMS phishing scams impersonating toll operators in the US, driven by a popular Chinese phishing kit.

Act Now: Phishing-as-a-Service Attacks are on the Rise

Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda. PhaaS platforms, which provide criminals with a ready-made kit for launching advanced phishing attacks, were responsible for more than a million attacks in January and February. Three PhaaS platforms accounted for nearly all of these attacks, with the Tycoon 2FA kit dominating the market.

The Human Element: Addressing Cybersecurity Risk in Danish and Swedish Organizations

We recently conducted research in Denmark and Sweden to understand security culture in local organizations better. This research reveals a critical vulnerability in Danish and Swedish organizations - nearly 70% of employees in Denmark and 72% of employees in Sweden receive no cybersecurity training at their workplace. This gap in security awareness creates vulnerabilities that could affect organizations at every level.

Hundreds of Malicious Android Apps Received 60 Million Downloads

Bitdefender warns that a major ad fraud campaign in the Google Play Store resulted in more than 60 million downloads of malicious apps. The attackers managed to place at least 331 malicious apps in the Play Store. In addition to displaying full-screen ads, some of the apps also directed users to phishing sites designed to harvest their credentials. “Most applications first became active on Google Play in Q3 2024,” Bitdefender says.

Why Password Security Matters: The Danish and Swedish Password Problem

In today’s world, cybersecurity is more critical than ever. Organizations and individuals alike face a constant barrage of cyber threats, and often, the weakest link in our defenses is something as simple as a password. Recently, KnowBe4 has shed light on a concerning trend in Denmark and Sweden: a significant number of employees aren't using strong passwords.

Scammers Can Be Victims Too

There are thousands of people worldwide trying to scam you, hoping they can make you a victim, steal your money, and harm you in some way. While some of it is done by individuals or small gangs of people, a lot of it happens on an industrialized scale. In countries around the world, there are large teams of people living and working together, controlled by managers, with profits going up the corporate ladder to people who think they are the next Elon Musk.

Key Takeaways from the KnowBe4 2025 Phishing Threat Trends Report

Our latest Phishing Threat Trends Report explores the evolving phishing landscape in 2025, from renewed tactics to emerging attack techniques. Ransomware may be an “old” threat, but new tactics are making people more susceptible than ever. In this edition, we break down a highly advanced attack detected by KnowBe4 Defend that bypassed native security and a secure email gateway (SEG)—and would have been nearly impossible to stop if launched.

Phishing Attacks Abuse Microsoft 365 to Bypass Security Filters

Threat actors are abusing Microsoft’s infrastructure to launch phishing attacks that can bypass security measures, according to researchers at Guardz. The attackers compromise multiple Microsoft 365 tenants in order to generate legitimate transaction notifications that contain phishing messages.

Be Vigilant: BEC Attacks Are on the Rise

Business email compromise (BEC) attacks rose 13% last month, with the average requested wire transfer increasing to $39,315, according to a new report from Fortra. “The average amount requested from BEC wire transfer attackers was $39,315 in February compared to $24,586 in January 2025, an increase of 60%,” the report says.

Booking.com Phishing Scam Targets Employees in the Hospitality Sector

A phishing campaign is impersonating travel agency Booking.com to target employees in the hospitality industry, according to researchers at Microsoft. The attacks use a social engineering technique called “ClickFix” to trick victims into downloading malware.

The Cybersecurity Confidence Gap: Are Your Employees as Secure as They Think?

Our recent research reveals a concerning discrepancy between employees' confidence in their ability to identify social engineering attempts and their actual vulnerability to these attacks. While 86% of respondents believe they can confidently identify phishing emails, nearly half have fallen for scams in the past. This disconnect between perceived competence and demonstrated vulnerability, the "confidence gap", poses a substantial risk to organizations.

Agentic AI: Why Cyber Defenders Finally Have the Upper Hand

My two previous postings on AI covered “Agentic AI” and how it impacts cybersecurity, and the eventual emergence of malicious agentic AI malware. Both of those articles started to touch on the idea of automated agentic AI defenses. This posting goes into a little more detail on what agentic AI defenses might mean. It starts with agentic AI, which is a collection of automated programs (i.e., bots or agents) working toward a common goal.

98% Spike in Phishing Campaigns Leveraging Russian (.ru) Domains

A KnowBe4 Threat Lab Publication. Authors: Martin Kraemer, Jeewan Singh Jalal, Anand Bodke, and James Dyer.

Executive summary: We observed a 98% rise in phishing campaigns hosted on Russian (.ru) top-level domains (TLDs) from December 2024 to January 2025, primarily used for credential harvesting. These .ru domains are run by so-called “bullet-proof” hosting providers, which are known to keep malicious domains online and ignore abuse reports, making them ideal for cybercriminals.

Protect Yourself: Social Engineering Fuels SIM Swapping Attacks

Group-IB has published a report on SIM swapping attacks, finding that attackers continue to use social engineering to bypass technical security measures. SIM swapping is a technique in which an attacker takes over a victim’s phone number, which enables them to access the victim’s accounts. This involves tricking the telecom operator into reassigning the victim’s phone number to a SIM card controlled by the attacker.

Make Your Real Emails Less Phishy

I infrequently get emails from customers who are frustrated because their employer sent out some legitimate mass email to all employees that unfortunately had all the hallmarks of a malicious phishing attack. Everyone gets worked up about it and a large percentage of people report it as a possible phishing attack. And it is not. It is just frustrating. Sound familiar?

Beware: Malvertising Campaign Hits Nearly a Million Devices

Microsoft warns that a widespread malvertising campaign hit nearly one million devices around the world. The campaign, which began on illegal streaming sites, impacted both consumer and enterprise devices across a wide range of industries. “Analysis of the redirector chain determined the attack likely originated from illegal streaming websites where users can watch pirated videos,” Microsoft says.

AI and AI-agents: A Game-Changer for Both Cybersecurity and Cybercrime

Artificial Intelligence (AI) is no longer just a tool. It is a game changer in our lives and our work, as well as in both cybersecurity and cybercrime. While organizations leverage AI to enhance defences, cybercriminals are weaponizing AI to make their attacks more scalable and convincing.

245% Increase in SVG Files Used to Obfuscate Phishing Payloads

The KnowBe4 Threat Research team has observed a sustained increase in the use of Scalable Vector Graphics (SVG) files to obfuscate malicious payloads. SVGs are vector-based rather than pixel-based like PNGs and JPGs. This means the graphic elements can be scaled up without loss of quality, making them ideal for sharing graphics such as logos and icons via email.
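The reason SVG works as a carrier is that it is XML, not a bitmap: a file that renders as a logo can also contain script elements, event-handler attributes, javascript: links or embedded HTML. The scanner below is an added example written for this page, not code from KnowBe4 or from the campaign it describes; the two SVG samples in it are constructed for illustration, and the markers it looks for are generic SVG/JavaScript features rather than indicators taken from the post.

```python
"""Flag SVG attachments that carry scripts or links instead of just drawings.

Added example (not from the KnowBe4 post): SVG is XML, so a file that renders
as a harmless icon can also contain <script> elements, event-handler
attributes such as onload=, javascript: hrefs, data: URIs, or <foreignObject>
blocks that wrap arbitrary HTML. A structural scan catches those markers no
matter how the embedded JavaScript itself is obfuscated. Both SVG samples
below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Elements that have no business in a logo or icon.
SUSPICIOUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that can carry a navigation or load target.
LINK_ATTRIBUTES = {"href", "src"}


def _local(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious.

    Note: xml.etree is used so the demo is self-contained. For untrusted input
    in production, parse with defusedxml to rule out entity-expansion attacks.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself a signal: many lures are not valid SVG at all.
        return [f"parse-error:{exc}"]

    for element in root.iter():
        name = _local(element.tag)
        if name in SUSPICIOUS_ELEMENTS:
            findings.append(f"element:{name}")
        for attr, value in element.attrib.items():
            attr_name = _local(attr)
            target = value.strip().lower()
            # SVG event handlers (onload, onclick, onmouseover, ...) run script.
            if attr_name.lower().startswith("on"):
                findings.append(f"event-handler:{attr_name}")
            if attr_name in LINK_ATTRIBUTES and target.startswith("javascript:"):
                findings.append(f"javascript-href:{name}")
            if attr_name in LINK_ATTRIBUTES and target.startswith("data:"):
                findings.append(f"data-uri:{name}")

    # Obfuscated payloads are commonly base64-encoded and unpacked with atob().
    if re.search(rb"\batob\s*\(", data):
        findings.append("atob-decode")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Convenience wrapper for a mail filter: any finding blocks the attachment."""
    return bool(scan_svg(data))


# Constructed samples: a plain icon and a lure that abuses the same format.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
    b'<circle cx="8" cy="8" r="6" fill="#0a5"/></svg>'
)

LURE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" '
    b'onload="eval(atob(\'dmFyIHg9MQ==\'))">'
    b'<a xlink:href="javascript:void(0)"><text x="2" y="12">View invoice</text></a>'
    b'<script>location="https://example.invalid/login"</script>'
    b"</svg>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(sample))
```

Run it and the benign icon yields no findings while the lure reports the onload handler, the javascript: link, the script element and the atob() call. In a gateway this check sits before any rendering: the point is that an SVG which needs script or links to do its job is not an image and should not be delivered as one.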

The Myth of Geographic Immunity in Cybersecurity

In the realm of cybersecurity, perception often diverges from reality. A common misconception is that nation-state cybercriminals primarily target the United States. However, recent evidence suggests a more ubiquitous threat landscape, with significant activities targeting the UK, Australia and other regions globally. The notion that certain countries are immune to sophisticated cyberattacks is not just outdated—it's dangerous.

Autonomous Agentic AI-Enabled Deepfake Social Engineering Malware is Coming Your Way!

I’ve been in the cybersecurity industry for over 36 years. Surprisingly, hackers and malware haven't changed all that much. The malware today is not all that different from the stuff I was disassembling for John McAfee back in the late 1980s and early 1990s. Many of the programming languages, technologies and communication channels involved have changed, but not how malware operates or what it does. We had ransomware back in 1989. We had polymorphic, crypto-morphing malware back then.

Invoice or Impersonation? 36.5% Spike in Phishing Attacks Leveraging QuickBooks' Legitimate Domain in 2025

A KnowBe4 Threat Lab Publication. Authors: Martin Kraemer, James Dyer, and Lucy Gee.

Much like sending a phishing email from a compromised account, cybercriminals can boost the deliverability and credibility of their attacks by leveraging legitimate platforms. Notably, a growing proportion of these attacks is sent using the popular accounting software Intuit QuickBooks. Our Threat Research team has observed a 36.5% increase in the use of this platform since January 1, 2025.

Software Will Become Agentic and the Security Lessons We Need To Learn

Ever since OpenAI publicly released ChatGPT in late 2022, people have been predicting the end of programmers. Supposedly, AI can do anything programmers can do. While I’m not convinced all programmers are going away, I wouldn’t want to be a brand new programmer, and I do think the field is definitely going to change, if not significantly shrink over time. I’m not going out on much of a limb in saying this as almost everyone thinks this. Microsoft CEO Satya Nadella thinks this.

Warning: Ransomware Threats Increased Fourfold in 2024

Researchers at Barracuda observed a fourfold increase in ransomware threats last year, driven by increasingly sophisticated ransomware-as-a-service (RaaS) operations. “The developers behind RaaS platforms often have the time, resources, and skills to invest heavily in advanced and evasive toolsets and templates,” Barracuda explains.

Data at Risk: 96% of Ransomware Attacks Involve Data Theft

A new report from Arctic Wolf has found that 96% of ransomware attacks now involve data theft as criminals seek to force victims to pay up. “As potential victims implemented more reliable backup and restoration processes, ransomware operators introduced data exfiltration as a means to apply additional pressure and protect their revenue streams,” Arctic Wolf says.

AI Literacy: A New Mandate Under the EU AI Act - What Your Organization Needs to Know

The European Union's AI Act is ushering in a new era of workplace requirements, with AI literacy taking center stage. Under Article 4, organizations must now ensure their workforce is sufficiently AI-literate - but what does this really mean for your organization? The AI Act requires organizations to provide adequate AI training to staff and operators. This training must account for technical knowledge, experience, educational background, and the context in which AI systems are used.

Q&A with Martin Kraemer on Information Sharing in Cybersecurity

Recently, Dr. Martin J. Kraemer, Security Awareness Advocate at KnowBe4, and Dr. William Seymour, Lecturer in Cybersecurity at King’s College London, released a whitepaper, “Cybersecurity Information Sharing as an Element of Sustainable Security Culture,” which examines how people consume and share cybersecurity information, revealing the role that workplace training plays in fostering information sharing among colleagues.

Alert: Phishing Attacks Use New JavaScript Obfuscation Technique

Researchers at Juniper Threat Labs warn that phishing attacks are utilizing a new obfuscation technique to hide malicious JavaScript. “While investigating a sophisticated phishing attack targeting affiliates of a major American political action committee (PAC) in early January 2025, Juniper Threat Labs observed a new JavaScript obfuscation technique,” the researchers write.

AIDA - Fighting AI with AI

AIDA (Artificial Intelligence Defense Agents) is an AI-native suite of agents that supercharges your approach to human risk management. It leverages multiple AI technologies to create personalized, adaptive, and highly effective training for all of your users that actually changes behavior. By automating template generation, training, and reporting, AIDA reduces the administrative burden on your security teams so they can focus on protecting your network.

Schools in Session: Surge in Phishing Attacks Targeting the Education Sector

KnowBe4’s Threat Lab recently observed a phishing campaign targeting educational institutions. Over a 30-day period, 4,361 threats were reported, originating from 40 unique sender domains; 65% of these domains belonged to compromised educational institutions. The ultimate aim of these attacks was to harvest credentials, resulting in potential data loss, account compromise and further phishing emails.