July 2025 Trend Report on Phishing Emails

This report covers the distribution volume, statistics, trends, and cases of phishing emails and email threats collected and analyzed during July 2025. The following are some of the statistics and cases included in the original report.

1) Statistics of Phishing Email Threats

In July 2025, the most common threat type among phishing email attachments was phishing (60%). Threat actors used scripts such as HTML to mimic the screen layout, logo, and font of login pages and promotional pages. Users are prompted to enter their account credentials, which are then sent to the threat actor’s C2 server or used to redirect the victims to fake websites. This type of phishing also involves inserting hyperlinks into documents such as PDF files to redirect users to phishing websites created by threat actors.

Figure 1. Phishing email threat statistics

The report also provides data on how the distribution of samples by category has changed over the past six months, reflecting recent trends in phishing email threats. It also includes statistics on the extensions of attachments found in phishing emails, which show the file formats used in these emails. These statistics and more can be found in the original ATIP report.

2) Distribution of Korean Emails

This section covers cases of phishing emails written in Korean, and provides the titles and file names of attachments from these samples. This information allows readers to identify the frequently used keywords in phishing email threats.

Figure 2. Some of the phishing emails in Korean

3) Analysis of Phishing Email Distribution Cases

Representative cases were analyzed by attachment format (Script, Document, Compress), so users can review phishing email attacks that actually occurred this month. This month, phishing pages (FakePage) were distributed through Script attachments, and malware was also distributed via phishing emails as document files (exploit) that exploit CVE-2017-11882. When the document file is opened, the vulnerability in the equation editor (EQNEDT32.EXE), CVE-2017-11882, is exploited to execute the Lokibot malware. Recently, there has been an increase in cases where a PE file (.exe) is compressed into a ZIP file and distributed via phishing emails. Additional information such as the C2 address, analysis information, and the body of the phishing email that distributed the malware can be found in the original ATIP report and ATIP Notes.

Figure 3. Malware distributed as an attachment in Document format

Figure 4. Malware distributed as an attachment in Compress format
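
A defender-side triage sketch for two of the attachment formats described above (Script and Compress), added here as an example and not taken from the ATIP report: it flags HTML attachments whose password form posts to a remote host, and ZIP attachments that contain a PE file. The function names, the `collector.example` host, and the sample inputs are constructed for illustration.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a minimal login form that posts to a remote (hypothetical) host.
CONSTRUCTED_HTML = b'<form action="https://collector.example/p"><input type="password"></form>'


class FormScan(HTMLParser):  # collects parsed form actions and notes password inputs
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(urlparse(attrs.get("action") or ""))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True


def triage_attachment(name, data):
    """Return a list of findings for one attachment (file name, raw bytes)."""
    findings = []
    if name.lower().endswith((".html", ".htm", ".shtml")):
        scan = FormScan()
        scan.feed(data.decode("utf-8", errors="replace"))
        hosts = [u.netloc for u in scan.actions if u.scheme in ("http", "https")]
        if scan.has_password and hosts:
            findings.append("fakepage: password form posts to " + hosts[0])
    elif data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    readable = not info.flag_bits & 0x1  # encrypted members cannot be read
                    with (zf.open(info) if readable else io.BytesIO()) as member:
                        magic = member.read(2)
                    if magic == b"MZ" or info.filename.lower().endswith(".exe"):
                        findings.append("compress: PE file in archive: " + info.filename)
        except (zipfile.BadZipFile, NotImplementedError, EOFError):
            findings.append("compress: archive could not be inspected")
    return findings


def constructed_zip(member_name="quotation.exe"):  # constructed sample, MZ stub only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)
    return buf.getvalue()
```

The HTML check only covers static form actions; pages that submit credentials from JavaScript need script-level inspection.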

This post presents part of the July 2025 Trend Report on Phishing Emails. The original ATIP report contains additional content, including the recent distribution trends of phishing (FakePage) and malware, statistics on and distribution of attachments by extension, and analysis of actual phishing email attacks.

※ For more information, please refer to the attached file.
