Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Organizations face continuous threats from phishing, business email compromise (BEC), and other advanced email attacks. Attackers adapt their tactics daily, forcing defenders to move just as quickly to keep inboxes safe. Cloudflare’s visibility across a large portion of the Internet gives us an unparalleled view of malicious campaigns. We process billions of email threat signals every day, feeding them into multiple AI and machine learning models.

In recent months, Trustwave SpiderLabs, A LevelBlue Company, saw a significant increase in phishing URLs containing familiar patterns, similar phishing templates, and a resurgence in the use of email marketing platforms. The use of URL redirectors, along with the abuse of Amazon Web Hosting and Cloudflare services, was also widely observed. Trustwave operates a URL-scanning system that we call PageML.

Attackers are using a newly discovered phishing-as-a-service (PhaaS) platform dubbed “Salty 2FA” to target a wide range of industries across North America and Europe, according to researchers at ANYRUN. The phishing attacks are delivered via email and primarily attempt to steal Microsoft 365 credentials. Like many popular commodity phishing kits, Salty 2FA is designed to bypass a variety of multifactor authentication measures.

Cybercriminals are increasingly abusing AI-assisted website generators to quickly craft convincing phishing sites, according to researchers at Palo Alto Networks’ Unit 42. In many cases, even when these services have safeguards in place to prevent abuse, criminals are able to bypass these measures in order to create phishing pages. Unit 42 tested a popular website generator to see how easy it was to spin up a spoofed website.

Attackers are using a Japanese Unicode character to replace forward slashes in phishing URLs, BleepingComputer reports. The attacks impersonate Booking.com with phony emails that inform users of a new login to their account. “The attack, first spotted by security researcher JAMESWT, abuses the Japanese hiragana character “ん” (Unicode U+3093), which closely resembles the Latin letter sequence '/n' or '/~', at a quick glance in some fonts,” BleepingComputer explains.

Professional phishing groups are targeting customers of brokerage firms in order to manipulate stock prices, KrebsOnSecurity reports. The attackers use a technique called “ramp and dump” to profit from the scheme. “With ramp and dump, the scammers do not need to rely on ginning up interest in the targeted stock on social media,” Krebs explains.

Phishing attacks impersonating HR are on the rise. Between January 1 – March 31, 2025, our Threat Lab team observed an 120% surge in these attacks reported via our PhishER product versus the previous three months. These attacks have remained at elevated levels since peaking in February. (FYI in our previous post, we explored the psychology that makes these attacks so effective.

It’s no secret that in cybersecurity, many attacks begin with some form of “‑ishing.” But what exactly are these tactics and who’s behind them? From classic phishing emails to more advanced impersonation schemes using AI and social platforms, attackers continue to evolve their methods to exploit human behavior. Understanding the full spectrum of “‑ishing” techniques is critical for organizations looking to protect their people, data, and reputation.