April 2025 Trends Report on Phishing Emails
This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in April 2025. The following is a part of the statistics and cases included in the original report.
1) Phishing Email Threat Statistics
In March 2025, the most common type of threat among phishing email attachments was Phishing (79%). Threat actors used scripts such as HTML to mimic the screen layout, logo, and font of login pages and promotional pages. Users are then prompted to enter their account credentials, which are then sent to the threat actor’s C2 server or used to lure users into accessing fake websites. This type of phishing also involves threat actors inserting hyperlinks into documents such as PDF files to direct users to phishing websites.
Figure 1. Phishing email threat statistics
The statistics reflect the recent trends of threats posed by phishing emails by providing data on the distribution changes of samples in each category over the past six months. In addition, statistics on the extensions of attachments found in phishing emails allow users to identify the file formats used in such emails. Users can access these statistics and more in the original ATIP report.
2. Distribution of Korean Phishing Emails
This section classifies cases where phishing emails are written in Korean and partially discloses the subject and attachment file names of the samples. This allows users to identify the frequently appearing keyword information in phishing email threats.
Figure 2. Some of the phishing emails distributed in Korean
3. Case Study on Phishing Email Distribution
ASEC analyzed representative cases by attachment format (Script, Document, Compress) to identify the phishing email attacks that took place in April. Phishing emails were not only spreading fake pages through script attachments, but also through document attachments. Inside the document file, a hyperlink that redirects to a phishing page was hidden, prompting users to attempt to log in. Additionally, there had been an increase in cases where script files (.vbs) were compressed in 7z files and distributed via phishing emails. Readers can find additional information such as the C2 address, analysis details, and the body of the phishing email that distributed the malware in the original ATIP report.
Figure 3. Malware distributed as an attachment in Document format
Figure 4. Malware distributed as an attachment in Compress format
This post covered some of the content from the Trends report on Phishing Emails in April 2025. The full ATIP report includes additional information such as the recent distribution trends of phishing (FakePage) and malware, statistics on the distribution by attachment file extension, and analysis on actual phishing email attacks.
