What’s happening
Cyber‑attackers are evolving well beyond mass‑spam blasts and generic phishing emails. Modern threats are characterised by:
- Highly targeted campaigns (spear‑phishing, business email compromise) rather than one‑size‑fits‑all. (Critical Start)
- Use of generative AI, natural language generation, and context‑aware content to craft convincing emails that mimic legitimate communications. (ConsultCra)
- Evasion techniques designed to bypass traditional filters and gateways: e.g., open‑redirects, newly‑registered domains, SVG/HTML attachments, trusted‑service abuse. (PR Newswire)
- Exploiting compromised or high‑reputation domains and services to deliver malicious email, thus avoiding the “bad sender” reputation flag. (PR Newswire)
- Multi‑stage attack flows inside email: using attachments that embed links, layered redirections, JavaScript in unexpected file types, vs direct malware. (Cyber Security News)
- Attacks timed for busy periods or aligned with business workflows so users are less vigilant. (ConsultCra)
In essence, the threat actors are using smarter tactics to get past email authentication, reputation‑based filters, and sandboxing.
Case Studies
Case Study 1 – Commercial “Clutter” as Cover for Phishing
In the Q3 2025 report by VIPRE Security Group, processing 1.8 million emails, they found that 60% of email traffic was legitimate but “spam‑like” commercial messages (up 34% year‑on‑year). Attackers use this flood of benign‑looking mail as camouflage, embedding malicious links or attachments inside traffic that looks normal. (PR Newswire)
Insight: When attackers blend into noise, traditional spam‑filters (which rely on unusual sender/volume patterns or known malicious links) become less effective because the malicious mail hides in plain sight.
Case Study 2 – Sophisticated Phishing Kits & Evasion
In a Q2 2025 study (VIPRE again) 58% of phishing sites used unidentifiable phishing kits, meaning they couldn’t easily be detected by signature‑based methods. The manufacturing sector was the top target (26%). (TMCnet)
Insight: Attackers are custom‑building or obfuscating their toolkits rather than relying on well‑known, easily flagged kits. This reduces detection by traditional gateways that rely on known‑bad lists.
Case Study 3 – AI‑Powered & Multi‑Modal Evasion
In an analysis of modern phishing, it was noted that cybercriminals embed HTML/JS in SVG image files, use encoded/invisible characters in URLs, split malicious content across attachments, and combine email with SMS/collaboration‑platform vectors. (Cyber Security News)
Insight: Traditional email security systems (spam filters, sandboxing) often assume attachments are standard (e.g., .doc, .xls) or links are plain; these new techniques exploit blind spots in detection logic.
Expert Commentary & Key Insights
- “Today’s cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication … they’re manipulating trusted platforms, layering evasion tactics into seamless attack chains.” — Usman Choudhary, GM at VIPRE. (PR Newswire)
- From Consult CRA: “Traditional cybersecurity tools struggle to keep up with AI‑powered phishing attacks … rule‑based systems can’t adapt to dynamic content, personalization makes each attack unique.” (ConsultCra)
- On domain‑spoofing and impersonation: attackers often use look‑alike domains, subdomain tricks, typosquatting and trusted third‑party services to make malicious emails appear legitimate. (Phish Def)
Implications:
- Email authentication alone (SPF/DKIM/DMARC) is necessary but not sufficient. Attackers often act from compromised or trusted sources.
- Defensive tools depending solely on sender reputation, attachment signatures or static rules are increasingly inadequate.
- Organizations must adopt layered, dynamic, intelligence‑driven defenses plus user awareness training.
- Monitoring of post‑delivery behaviour (clicks, link redirection, identity use) matters — detection must extend beyond the email gateway.
What Organisations Should Do
- Assume that some malicious email will reach the inbox; prepare to detect and respond, not just block.
- Implement advanced email security that includes machine‑learning, behavioural analytics, sandboxing with evasive‑technique awareness, and link/attachment unpacking.
- Ensure email authentication (SPF/DKIM/DMARC) is correctly configured, but also monitor for misuse of legitimate domains and sender services.
- Conduct regular security awareness training: show users how to recognise impersonations, unusual attachments/links and multi‑step redirections, particularly during busy workflows when attackers expect vigilance to drop.
- Establish incident response workflows for email threats: monitor “click statistics”, unusual login attempts after email contact, external communications that don’t follow normal process.
- Maintain visibility across channels: email, SMS, collaboration tools, web portals — attackers increasingly use multiple vectors.
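The "correctly configured" part of the SPF/DKIM/DMARC recommendation above is easy to check mechanically. The following is an added example, not code from the article or from any vendor it cites: it parses an SPF and a DMARC TXT record and reports settings that leave a domain spoofable. The record strings, the `_spf.mailer.example.net` include and the report address are constructed for this example.

```python
"""Added example (not from the article): assess SPF and DMARC TXT records for
settings that leave a domain open to spoofing. All records are constructed."""
import re

# Constructed weak/strong pairs for the domain example.com.
WEAK_SPF = "v=spf1 include:_spf.mailer.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:/=]|$)", re.I)


def assess_spf(record: str) -> list:
    """Return a list of weaknesses found in an SPF record (empty = no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 permits at most 10 "
                        "(receivers return permerror)")
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all", "?all"):
        findings.append(f"'{all_term}': any host on the internet passes SPF")
    elif all_term == "~all":
        findings.append("'~all' softfail: spoofed mail is only marked, not rejected "
                        "(acceptable only with DMARC enforcement)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses found in a DMARC record (empty = no findings)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    pol = tags.get("p", "").lower()
    if pol == "none":
        findings.append("p=none: failing mail is reported but still delivered")
    elif pol not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pol in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so misuse of the domain goes unseen")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment (adkim/aspf=r): any subdomain aligns; consider strict")
    return findings


if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
                           ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(label, "->", fn(rec) or "no findings")
```

The checks deliberately stop at the record text; they do not resolve `include:` chains or count the lookups they pull in, which a production checker must do to apply the 10-lookup limit honestly. Even a clean result only means the domain cannot be trivially spoofed: as the article notes, mail sent from a compromised account on a correctly configured domain passes every one of these checks.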
Here are detailed case studies and expert commentary illustrating how cyber‑criminals are adapting their techniques to evade traditional email‑security systems — and what this means for organisations.
Case Study 1 – SVG Files & AI‑Code Obfuscation
Overview:
According to the Microsoft Security Blog, a phishing campaign detected in August 2025 used an attachment named "23mb‑PDF‑6 pages.svg" (an SVG image file) that in fact contained obfuscated JavaScript and a credential‑phishing payload. (Microsoft)
Tactics:
- Use of an .svg file (normally considered a benign image) to deliver malicious code.
- The email appeared to originate from a compromised account, and the file leveraged JavaScript embedded in the SVG to hide its behaviour.
- The attackers also used self‑addressed email (sender = recipient) with the target BCC’d, making basic heuristics (like sender mismatch) less effective. (Microsoft)
Implications:
- Traditional email filters may not flag image files like SVG as high risk; attackers exploit this blind‑spot.
- Embedding scripts in attachments rather than linking externally reduces reliance on blocked URLs, making detection harder.
Key lesson: Even seemingly innocuous attachments (images) can carry active payloads; defenders must inspect beyond obvious .exe/.zip.
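Inspecting "beyond obvious .exe/.zip" can be done at the gateway or in a triage script. The following is an added example, not code from the article or from Microsoft: it parses an e-mail, flags the self-addressed From/To pattern described above, and walks any SVG attachment's XML tree looking for script elements, event-handler attributes, `javascript:` URIs and `foreignObject` HTML islands. The message, its addresses and the attachment body are constructed for this example (the attachment name is the one the article quotes; the script content is a harmless placeholder), and the "document-named image" heuristic is the author's own, not a Microsoft detection rule.

```python
"""Added example (not from the article or Microsoft): defender-side checks for
the self-addressed mail and script-bearing SVG described above."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from xml.etree import ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)                  # onload, onclick, ...
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
DOC_HINT = re.compile(r"pdf|docx?|xlsx?|invoice|statement", re.I)   # hypothetical heuristic
IMAGE_EXT = (".svg", ".png", ".jpg", ".jpeg", ".gif")


def build_sample_message() -> bytes:
    """Constructed sample: self-addressed mail carrying an SVG with embedded script."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "alice@example.com"      # sender == recipient; real targets would be BCC'd
    msg["Subject"] = "Document shared with you"
    msg.set_content("Please open the attached file.")
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
           b'<script>/* placeholder: an obfuscated loader would sit here */</script>'
           b'<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
           b'<a href="javascript:void(0)">Open document</a></body></foreignObject></svg>')
    msg.add_attachment(svg, maintype="image", subtype="svg+xml",
                       filename="23mb-PDF-6 pages.svg")
    return msg.as_bytes()


def svg_findings(data: bytes) -> list:
    """Walk the SVG's XML tree and report anything that can execute code."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable XML (possible obfuscation)"]
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]              # drop the XML namespace prefix
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element present")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if EVENT_ATTR.match(attr):
                findings.append(f"event handler attribute {attr}")
            m = ACTIVE_URI.match(value)
            if attr in ("href", "src", "data") and m:
                findings.append(f"{attr} uses {m.group(1).lower()}: URI")
    return findings


def analyse_message(raw: bytes) -> dict:
    """Header heuristic plus attachment inspection; returns findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses([str(h) for h in msg.get_all("To", [])])}
    self_addressed = bool(sender) and sender in recipients
    if self_addressed:
        findings.append("self-addressed: From equals To (targets likely in BCC)")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            findings.extend(f"{name}: {f}" for f in svg_findings(data))
        if DOC_HINT.search(name) and name.lower().endswith(IMAGE_EXT):
            findings.append(f"{name}: name suggests a document but the file is an image type")
    return {"self_addressed": self_addressed, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for line in analyse_message(build_sample_message())["findings"]:
        print(line)
```

Because the checks operate on the parsed XML rather than on a regex over raw bytes, namespace prefixes, attribute ordering and whitespace tricks do not hide a `<script>` element; an SVG that fails to parse at all is reported rather than silently passed, since heavy obfuscation is itself a signal.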
Case Study 2 – Phishing‑as‑a‑Service (PhaaS) + Open‑Redirects + Custom Kits
Overview:
The Q2 2025 report by VIPRE Security Group revealed that 58 % of phishing sites used unidentifiable phishing kits (i.e., custom/obfuscated) and 54 % of campaigns used open‑redirect mechanisms via trusted domains (marketing services, email‑tracking platforms) to mask malicious links. (TMCnet)
Tactics:
- Use of compromised or legitimate third‑party services to host or redirect malicious content (making domain‑reputation systems less effective).
- Custom‑built phishing kits avoid known‑signature blacklists or reverse‑engineering. (Security Today)
- Attackers focus on sector‑specific targets (e.g., 26 % of attacks targeted manufacturing firms in that quarter). (TMCnet)
Implications:
- Defence systems relying on known kits or domain blacklists are increasingly ineffective.
- Highly‑targeted campaigns mean smaller volumes but higher success rates (especially if masquerading as trusted vendors or using context‑specific messaging).
Key lesson: Security systems must assume adaptive, custom campaigns; automated detection must cover behaviour, not just static signatures.
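Covering "behaviour, not just static signatures" for links means looking at what a URL does rather than whether its domain is on a list. The following is an added example, not code from the article or from VIPRE, serving both this case study (open redirects through trusted domains) and the earlier points about encoded or invisible characters in URLs and look‑alike/subdomain/typosquatted domains: it strips zero‑width characters, unwraps redirect‑style query parameters without touching the network, and compares the final hostname against a protected‑brand list. The sample URLs, the `click.mailtrack-service.net` tracking host, the brand list and the redirect‑parameter names are constructed; the confusables map and the "last two labels" domain rule are deliberate simplifications of the Unicode confusables table and the Public Suffix List.

```python
"""Added example (not from the article or VIPRE): offline link analysis for
redirect wrapping, invisible characters and look-alike domains. Constructed data."""
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import parse_qs, unquote, urlsplit

# Query-parameter names commonly used by redirectors (constructed, not exhaustive).
REDIRECT_PARAMS = {"url", "u", "r", "link", "redirect", "redirect_uri", "next",
                   "return", "returnurl", "goto", "dest", "target", "continue"}
PROTECTED_DOMAINS = {"example.com"}          # constructed brand list for this example
# Cyrillic letters and digits that render like Latin letters (subset; a real tool
# would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0131": "i",
                             "0": "o", "1": "l", "3": "e", "5": "s"})


def strip_invisible(url: str):
    """Remove zero-width and other format characters (Unicode category Cf)."""
    cleaned = "".join(c for c in url if unicodedata.category(c) != "Cf")
    return cleaned, len(url) - len(cleaned)


def registrable(host: str) -> str:
    """Last two labels: a simplification of eTLD+1 that ignores suffixes like co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def unwrap_redirect(url: str, max_hops: int = 5) -> list:
    """Follow redirect-style query parameters (no network) and return the hop chain."""
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlsplit(chain[-1]).query)
        nxt = None
        for key, values in params.items():
            if key.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                value = unquote(value)               # catches double-encoded targets
                if value.lower().startswith(("http://", "https://", "//")):
                    nxt = value
                    break
            if nxt:
                break
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def lookalike(host: str):
    """Return (brand, reason) when host imitates a protected domain, else None."""
    host = host.lower()
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:
        return None                                   # genuine domain or a real subdomain
    for brand in PROTECTED_DOMAINS:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return brand, "subdomain trick"           # brand used as a label of another domain
        if reg.translate(CONFUSABLES).replace("rn", "m") == brand:
            return brand, "homoglyph"
        if SequenceMatcher(None, reg, brand).ratio() >= 0.8:
            return brand, "typosquat"
    return None


def analyse_url(url: str) -> dict:
    """Combine the checks above into findings for one link."""
    cleaned, hidden = strip_invisible(url)
    chain = unwrap_redirect(cleaned)
    hosts = [urlsplit(u).hostname or "" for u in chain]
    findings = []
    if hidden:
        findings.append(f"{hidden} invisible character(s) removed from the link")
    if len(chain) > 1 and registrable(hosts[0]) != registrable(hosts[-1]):
        findings.append(f"open redirect: {hosts[0]} -> {hosts[-1]} via {len(chain) - 1} hop(s)")
    for host in dict.fromkeys(hosts):                 # unique, order preserved
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            findings.append(f"{host}: internationalised hostname, check how it renders")
        hit = lookalike(host)
        if hit:
            findings.append(f"{host}: imitates {hit[0]} ({hit[1]})")
    return {"final_url": chain[-1], "hops": len(chain) - 1, "findings": findings}


if __name__ == "__main__":
    sample = "https://click.mailtrack-service.net/track?u=https%3A%2F%2Fexamp1e.com%2Flogin"
    for line in analyse_url(sample)["findings"]:
        print(line)
```

The point of unwrapping without fetching is that reputation systems score the first hop, which here is a legitimate tracking service; the verdict has to be based on where the chain ends. The similarity threshold is a tuning knob: 0.8 on short brand names will produce false positives, so a production tool would pair it with the real confusables table and a Public Suffix List lookup.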
Case Study 3 – AI‑Driven Personalisation & Credential‑Harvesting
Overview:
In a global survey, only 46 % of adults could correctly identify AI‑generated phishing emails, and merely 30 % recognised a genuine email. This shows how convincing phishing has become thanks to AI‑based writing and targeting. (New York Post)
Parallel to that, analyses show attackers are using generative‑AI to craft emails with internal language patterns, urgency cues, and business context. (acsmi.org)
Tactics:
- Use of behavioural‑and‑language modelling to mimic internal communications.
- Targeting key individuals (C‑level, finance) by referencing recent company events, acquisitions or funding rounds. (acsmi.org)
Implications:
- Human‑based defences (training, awareness) are under pressure; phishing no longer looks sloppy and generic.
- Traditional filters (looking for obvious errors or generic mass‑mail) may miss these high‑context, high‑credibility lures.
Key lesson: Organisations must recognise that phishing is increasingly strategic and richly contextual, not just volume‑based.
Expert Commentary & Strategic Insights
- As Usman Choudhary (VIPRE) puts it:
“It’s clear what the threat actors are doing – they are out‑smarting humans through hyper‑personalised phishing techniques using the full capability of AI and deploying at scale.” (TMCnet)
- From the above, the combined patterns show that traditional email‑security measures (static filters, reputation‑based blocking, signature databases) are increasingly insufficient.
- Therefore, email‑security strategy must shift from blocking known bad to detecting subtle anomalies, behaviour, context and dynamic tactics.
- Key controls: attachment inspection (including image and script containers), redirect/URL behavioural analysis, multi‑vector awareness (email + SMS + calendar invites), continuous threat‑intelligence.
Summary
Cyber‑criminals have significantly upgraded their playbook:
- Using innocuous file types (SVG) and layered attachments to bypass filters.
- Leveraging trusted services and open‑redirects to mask malicious intent.
- Employing tailor‑made phishing kits and generative AI to craft credible, contextual attacks.
As a result, organisations can no longer rely solely on legacy email‑security approaches. The case studies above show real‑world attacks leveraging these tactics. Defenders must embrace layered controls, advanced detection models (behavioural/ML), comprehensive training, and assume compromise is possible rather than improbable.
