June 2025 Trends Report on Phishing Emails

This report provides the distribution quantity, statistics, trends, and case information on phishing emails and email threats collected and analyzed for one month in June 2025. The following are some statistics and cases included in the original report.

1) Statistics on Attachment Threats in June 2025

In June 2025, the most prevalent threat type among phishing email attachments was Phishing (66%). In this type, threat actors use HTML and other scripts to imitate the layouts, logos, and fonts of login pages and advertising pages, creating deceptive pages that lure users into entering their account credentials. The threat actors then transmit this information to their C2 server or lead users to fake sites. Beyond scripts, this type of phishing attack also includes hyperlinks in documents such as PDFs to trick users into visiting phishing sites created by the threat actors.

The second most common threat type is Trojan (22%). This malware tricks users into executing it by using double extensions or filenames with legitimate names.

The third most common threat type is malware that downloads additional malware from C2 (Downloader, 12%), followed by security vulnerability exploits (Exploit, 1%), with CVE-2017-11882 being a prominent example.

Compared to last month, the percentage of phishing malware decreased significantly, from 72% to 66%, and the distribution volume also decreased significantly. Overall, phishing threats were distributed less than in the previous month, which is also seen in the statistics under [Trend in Phishing (FakePage) Distribution Volume].

 


Figure 1. Statistics on attachment threats
 

In addition, data on the distribution changes of samples by category over the past six months has been provided, reflecting the recent trends in threats posed by phishing emails. Furthermore, statistics on the extensions of attachments found in phishing emails have been included, allowing readers to understand the file formats used in these emails. These statistics and more can be found in the original ATIP report.

 

2) List of Phishing Emails Distributed in Korean

This section covers cases of phishing emails written in Korean, and provides the titles and file names of attachments from these samples. This information allows readers to identify the frequently used keywords in phishing email threats.


Figure 2. Some of the phishing emails distributed in Korean

 

3) Phishing Email Distribution Cases

Representative cases were analyzed according to the format of the attachments (Script, Document, Compress). Through this, users can check the phishing email attack cases that actually occurred this month. In addition to the phishing page (FakePage) type of malware distributed through Script attachments, another type of malware that uses Document attachments to distribute phishing pages (FakePage) was distributed through phishing emails this month. When the document file is opened, a hyperlink is provided, and clicking on the image that says “VIEW HERE” leads users to the phishing page. Furthermore, there is a growing trend of executable (PE) files being compressed in ZIP format and distributed through phishing emails. Additional information such as the C2 address, analysis details, and the body of the phishing email that distributed the malware can be found in the original ATIP report and ATIP Notes.

 


Figure 3. Malware distributed as an attachment file in Document format

 


Figure 4. Malware distributed as an attachment in Compress format
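The two delivery tricks described above (double-extension filenames and PE files packed inside ZIP attachments) can be checked at a mail gateway or during triage. The following is an added example, not code from the ATIP report; the extension lists and sample filenames are constructed assumptions.

```python
import io
import struct
import zipfile

# Assumed list: document-looking extensions used as a decoy, e.g. "order.pdf.exe".
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "hwp"}
# Assumed list: extensions Windows runs directly or passes to a script host.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}

def has_double_extension(name: str) -> bool:
    """True when a decoy extension is followed by an executable one."""
    parts = [p.strip() for p in name.lower().split(".")]
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS

def is_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature that e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage_zip(blob: bytes, max_read: int = 4096) -> list:
    """Return (entry name, reasons) for each suspicious member of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            reasons = []
            if has_double_extension(info.filename):
                reasons.append("double-extension")
            if info.flag_bits & 0x1:
                reasons.append("encrypted")  # content cannot be inspected without the password
            else:
                with zf.open(info) as fh:
                    # Only the header is read; a PE header beyond max_read is missed.
                    if is_pe(fh.read(max_read)):
                        reasons.append("pe-content")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def constructed_sample() -> bytes:
    """Constructed attachment: a minimal, non-functional PE header stub and a text file."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Purchase_Order.pdf.exe", stub)  # double extension and PE content
        zf.writestr("scan_0625.pdf", stub)           # PE content behind a document name
        zf.writestr("readme.txt", b"hello")          # benign entry, not reported
    return buf.getvalue()
```

Checking the content as well as the name matters because a renamed executable passes a filename-only filter, and encrypted entries are reported separately since their content cannot be examined.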

 

This post reveals a part of the June 2025 Phishing Email Trend Report. The original ATIP report provides additional content, including the recent distribution trends of phishing (FakePage) and malware, statistics and distribution volume by attachment file extension, and analysis of actual phishing email attacks. For more information, please refer to the attachment.
