May 2025 Trends Report on Phishing Emails


This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in May 2025. The following is a part of the statistics and cases included in the original report.

1) Phishing Email Threat Statistics

In May 2025, the most prevalent threat type among phishing email attachments was phishing (72%). Threat actors used scripts such as HTML to mimic the screen layout, logo, and font of login pages and advertising pages. Users are prompted to enter their account credentials, which are then sent to the threat actor’s C2 server, or are redirected to a fake website. This type of phishing also includes documents such as PDFs that carry hyperlinks redirecting users to the threat actor’s phishing website.

Figure 1. Phishing email threat statistics

The report also shows how the distribution of samples by category has changed over the past six months, reflecting recent trends in phishing email threats. Statistics on the file extensions used in phishing email attachments are provided as well, so readers can identify the file formats in use. Readers can refer to the original ATIP report for more statistics not covered in this summary.

2) Distribution of Korean Emails

This section categorizes cases written in Korean and partially discloses the email subjects and attachment file names, so readers can identify the keywords that frequently appear in phishing email threats.

Figure 2. Some of the phishing emails distributed in Korean

3) Case Study on Phishing Email Distribution

ASEC analyzed the major phishing email attack cases that occurred in May by attachment format (Script, Document, Compress), so readers can review attacks that actually occurred this month. In addition to phishing pages (FakePage) delivered as script attachments, this month saw malware distributed through phishing emails whose document attachments exploit a vulnerability. When the document file is opened, the Equation Editor (EQNEDT32.EXE) vulnerability (CVE-2017-11882) is exploited to run the Lokibot malware. There has also been an increase in cases where PE files (.exe) are compressed into ZIP archives and distributed via phishing emails. Additional information, such as the analysis details and the body of the phishing email that distributed the malware, including the C2 address, can be found in the original ATIP report and ATIP Notes.

Figure 3. Malware distributed as an attachment in document format

Figure 4. Malware distributed as an attachment in Compress format
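
For defenders triaging attachments of the kinds described above, the following added example (not from the ASEC report) sorts an attachment into the report's Script/Document/Compress categories and flags two of the described patterns: an HTML attachment whose password form posts to a remote host, and a ZIP archive that contains a PE file. The extension lists, function names, host name, and sample inputs are assumptions constructed for this example.

```python
import io
import os
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Category names follow the report; the extension lists are assumptions.
CATEGORIES = {
    "Script": {".html", ".htm", ".shtml"},
    "Document": {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf"},
    "Compress": {".zip"},
}

class FormScan(HTMLParser):
    """Collects form actions and notes whether any password field exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def categorize(filename):
    ext = os.path.splitext(filename)[1].lower()
    return next((c for c, exts in CATEGORIES.items() if ext in exts), "Other")

def triage(filename, data):
    """Return (category, findings) for one attachment given as bytes."""
    category, findings = categorize(filename), []
    if category == "Script":
        scan = FormScan()
        scan.feed(data.decode("utf-8", errors="replace"))
        remote = [u for u in scan.actions if urlparse(u).scheme in ("http", "https")]
        if scan.has_password and remote:
            findings.append("password form posts to " + urlparse(remote[0]).netloc)
    elif category == "Compress" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Encrypted members cannot be read; fall back to the name only.
                head = b"" if info.flag_bits & 0x1 else zf.open(info).read(2)
                if info.filename.lower().endswith(".exe") or head == b"MZ":
                    findings.append("PE file in archive: " + info.filename)
    return category, findings

def sample_zip():  # constructed sample: ZIP holding a 4-byte "MZ" stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ\x90\x00")
    return buf.getvalue()

SAMPLE_HTML = b'<form action="https://collector.example/p"><input type="password"></form>'
```

The HTML check only sees static form markup; pages that submit credentials from JavaScript need script-level inspection or sandboxed rendering.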

 

This post has shared a portion of the May 2025 Trends Report on Phishing Emails. The original ATIP report contains additional information, such as the recent distribution trends of phishing (FakePage) and malware, statistics and distribution by attachment file extension, and analysis of actual phishing email attacks.

※ For more information, please refer to the attached file.
