Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

99% of phishing emails that reached inboxes last year did not contain malware, according to a new report from Fortra. Attackers were much more successful using malicious links or purely response-based social engineering. Fortra explains, “Anti-malware scanning, sandboxing, and other pre-delivery security processes are increasingly common and make it more difficult for emails containing malware payloads to reach user inboxes.

As of January 17, 2025, the Digital Operational Resilience Act (DORA) came into force across all European Union member states, with the crucial aim of strengthening the IT security of financial entities such as banks, insurance companies and investment firms. To do this, the regulation looks to standardize how financial entities report cybersecurity incidents, test their operational resilience, and manage third-party risk.

The Network and Information Systems Directive 2022 (NIS2) was designed to strengthen the cybersecurity resilience of critical infrastructure across the European Union. However, while member states were required to transpose NIS2 into national law by October of 2024, many fell short of this deadline. As a result, on November 28, 2024, the European Commission launched infringement procedures against 23 member states for failing to meet their obligations.

A KnowBe4 Threat Lab Publication Authors: By James Dyer, Threat Intelligence Lead at KnowBe4 and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4 On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains. KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.

INKY has published its annual report on email security, finding that phishing accounted for 30% of all reported cybercrimes last year. “Phishing threats grew in both volume and sophistication, introducing new attack vectors like QR codes, cross-site scripting, and weaponized file types (e.g., RTF and DOT),” the report says. “Cybercriminals also increasingly exploited trusted services such as DocuSign and PayPal, underscoring the urgent need for adaptive, robust security solutions.”

The average amount of money requested in business email compromise (BEC) attacks spiked to $128,980 in the fourth quarter of 2024, according to the Anti-Phishing Working Group’s (APWG’s) latest report. This is nearly double the amount requested during Q3 2024. The researchers found that Gmail accounts were used to launch 81 percent of BEC scams last quarter. The report also warns of a surge in SMS phishing scams impersonating toll operators in the US, driven by a popular Chinese phishing kit.

Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda. PhaaS platforms, which provide criminals with a ready-made kit for launching advanced phishing attacks, were responsible for more than a million attacks in January and February. Three PhaaS platforms accounted for nearly all of these attacks, with the Tycoon 2FA kit dominating the market.

We recently conducted research in Denmark and Sweden to understand security culture in local organizations better. This research reveals a critical vulnerability in Danish and Swedish organizations - nearly 70% of employees in Denmark and 72% of employees in Sweden receive no cybersecurity training at their workplace. This gap in security awareness creates vulnerabilities that could affect organizations at every level.

Bitdefender warns that a major ad fraud campaign in the Google Play Store resulted in more than 60 million downloads of malicious apps. The attackers managed to place at least 331 malicious apps in the Play Store. In addition to displaying full-screen ads, some of the apps also directed users to phishing sites designed to harvest their credentials. “Most applications first became active on Google Play in Q3 2024,” Bitdefender says.

In today’s world, cybersecurity is more critical than ever. Organizations and individuals alike face a constant barrage of cyber threats, and often, the weakest link in our defenses is something as simple as a password. Recently, KnowBe4 has shed light on a concerning trend in Denmark and Sweden: a significant number of employees aren't using strong passwords.