Table of Contents

Executive Summary & Introduction
Threat Landscape Overview
Human Risk Findings
Campaigns, tooling and environments research
Strategic Guidance

Executive Summary

While AI-generated voice and video deepfakes dominated headlines and discussions in the cyber community in 2025, these attacks accounted for a fraction of the threats that bypassed filters and actually reached employees. The vast majority of attacks leveraged more traditional impersonation and deception techniques that have been updated to trick filters and slide into new communication environments, including social media.

Trusted routines, trusted brands

Sometimes developments in the threat landscape were enhanced by AI and sometimes not. Their effectiveness was fueled by familiarity, not visibly slick deception and sophistication. The new generation of attacks imitated normal business processes, credible brands, trusted tools and everyday communication patterns.

By blending into legitimate workflows, third parties, and infrastructure, attackers achieve a false sense of trust. In 2025, they changed their tactics and adopted some new technologies to do exactly that, but more effectively.

This report reveals the quantity and quality of threats that matter most: the ones that bypass filters and affect real people. This intelligence will help you develop your training and manage your human risk more effectively. This report’s data set is based on millions of user-reported emails that bypassed filters in 2025.

• Consumer webmail continues to dominate, with gmail.com accounting for roughly one-fifth of all malicious senders.
• The misuse of legitimate services was also prevalent throughout the first half of the year, with, for example, the misuse of Salesforce tripling — from 0.6% in January to 1.8%, signaling increasing attacker preference for recognized, trusted delivery paths that exploit both technological and human blind spots.
• Attachment-based techniques diversified as malicious SVG attachments surged, growing 50-fold compared to 2024, while malicious QR codes--once a breakout trend--now appear in less than two percent of malicious emails.

3 key developments

• First, attackers are using AI to improve classic phishing techniques with cleaner language, more convincing formatting and more believable workflow mimicry.
• Second, adversary-in-the-middle (AitM) phishing kits have become easier to deploy and are becoming more widely adopted. These toolkits intercept logins in real time, forward the authentication to the legitimate service, and capture session tokens in addition to passwords. AitM attacks can circumvent MFA.
• Third, social engineering is increasingly expanding beyond email environments and moving into social platforms, recruitment channels and other communication layers that shape professional identity.

Fluent phish: Flawless grammar, live chats and AitM toolkits

Generative AI raised the quality baseline for phishing content. Many phishing emails are now polished and grammatically perfect, undermining the classic “look for typos” advice. Today’s threats might even read more fluently than legitimate correspondence.

Recruitment and account suspension themed social-media account takeovers emerged with novel tactics to hijack Meta business accounts through browser-in-the-browser and live-chat techniques. These campaigns underscore how professional identities — not just credentials — are being monetized.

Phishing-resistant MFA remains vital, yet the rise of adversary-in-the-middle toolkits capable of session-token theft shows that identity protection must evolve beyond traditional MFA prompts. Organizations can no longer rely solely on passwords or SMS codes to maintain account integrity.

Updating Your Security Awareness and Defense Playbook

Overall, the findings imply a steady shift toward stealth, automation, and token-based compromise. Defenders should assume that attackers can bypass common filters and instead focus on detecting anomalies after login, binding tokens to devices, and shortening session lifetimes.

The development of error-free phishing messages reinforces the need for behavioral training that teaches employees to question routine, not just urgency and errors. Awareness programs should emphasize routine-looking lures over sensational ones, while technical teams implement token-centric incident response and phishing-resistant MFA. Finally, every organization should reinforce a “Pause → Verify → Act” culture that treats ordinary requests with the same caution reserved for high-urgency scams.

Together, these behavioral and technical safeguards transform humans into an early warning system rather than an entry point.

Since late 2024 threat actors have increasingly abused Salesforce’s mailing service to send phishing emails from salesforce.com: its share of all domains used in phishing rose from 0.6% in January 2025 to 1.8% in June 2025.

salesforce.com was often used to deliver recruitment-themed threats targeting business social media accounts

Link shortener popularity Twitters
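The playbook's advice to detect anomalies after login, bind tokens to devices and shorten session lifetimes can be turned into a simple check over session logs. The following is an added example, not part of the report: the event format, field names, sample events and the 8-hour lifetime are all constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)  # assumed policy value, not from the report

# Constructed sample events (not real logs):
# (time, user, token id, device id, network ASN, action)
EVENTS = [
    ("2025-06-03T08:00:00", "alice", "tok-a1", "dev-laptop-17", "AS64500", "issue"),
    ("2025-06-03T08:05:00", "alice", "tok-a1", "dev-laptop-17", "AS64500", "use"),
    # Same token presented from a device it was never issued to.
    ("2025-06-03T08:07:00", "alice", "tok-a1", "dev-unknown-02", "AS64511", "use"),
    ("2025-06-03T09:00:00", "bob", "tok-b1", "dev-desktop-04", "AS64500", "issue"),
    # Same device and network, but 9.5 hours after issuance.
    ("2025-06-03T18:30:00", "bob", "tok-b1", "dev-desktop-04", "AS64500", "use"),
    # Token with no issuance record in the log window.
    ("2025-06-03T10:00:00", "carol", "tok-c9", "dev-phone-31", "AS64501", "use"),
]

def find_session_anomalies(events, max_age=MAX_SESSION_AGE):
    """Return (timestamp, user, token, reason) alerts in time order."""
    issued = {}  # token -> (issue time, device, ASN) recorded at login
    alerts = []
    for ts, user, token, device, asn, action in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "issue":
            issued[token] = (when, device, asn)
            continue
        if token not in issued:
            alerts.append((ts, user, token, "token-without-issuance"))
            continue
        t0, dev0, asn0 = issued[token]
        # Device binding: a token should only be used where it was issued.
        if device != dev0:
            alerts.append((ts, user, token, "device-mismatch"))
        elif asn != asn0:
            alerts.append((ts, user, token, "network-change"))
        # Short lifetimes limit how long a captured token stays useful.
        if when - t0 > max_age:
            alerts.append((ts, user, token, "session-too-old"))
    return alerts

if __name__ == "__main__":
    for alert in find_session_anomalies(EVENTS):
        print(*alert)
```

In an AitM login the issuance itself may already come from the attacker's relay, so this check complements, rather than replaces, comparing the login context against the user's known devices.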