This report analyzes the evolution of email threats in 2025, focusing on trends like thread hijacking, QR code scams, and various phishing tactics. It provides insights into how attacks are becoming more customized and recommends strategies for 2026.

Check Point Research reveals that the cyber threat group Scattered Spider is expanding its attacks to include aviation and enterprise sectors, employing sophisticated phishing techniques to compromise organizations. Recent incidents, including a major breach affecting Qantas, highlight the group's tactics such as MFA fatigue and voice phishing, prompting a call for enhanced security measures across affected industries. The report outlines specific phishing domain patterns and offers defensive strategies to mitigate these emerging threats.

A new FileFix social engineering attack mimics Meta account suspension alerts to deceive users into installing the StealC infostealer malware. It utilizes a multi-language phishing page that instructs victims to copy a disguised PowerShell command into the File Explorer address bar, ultimately leading to the execution of malicious code hidden within a JPG image. Acronis highlights the evolution of this attack method and emphasizes the need for heightened awareness against such sophisticated phishing tactics.

A sophisticated phishing scheme named BeaverTail masquerades as a job offer for an AI engineering role, tricking developers into executing malicious code from a fake GitHub repository. This malware operates in five stages, stealing sensitive information, establishing remote access, and deploying additional malicious components while exploiting trust through social engineering tactics.

Russian hackers have successfully bypassed Gmail's multi-factor authentication by employing sophisticated social engineering tactics to obtain app-specific passwords from targeted academics and critics of Russia. The attackers impersonated U.S. Department of State officials, convincing victims to share their passwords under the pretense of accessing a secure communication platform. Security researchers have linked these activities to the state-sponsored group APT29, known for attacking high-profile targets since 2008.

Cybercriminals are impersonating job seekers to deliver ransomware through malicious resumes. By establishing trust on platforms like LinkedIn and using phishing tactics, they manipulate recruiters into opening harmful files. Security experts advise organizations to implement stricter measures to protect against these sophisticated social engineering attacks.