August 2025 Trends Report on Phishing Emails

This report provides distribution volumes, statistics, trends, and case information on phishing emails and attachments collected and analyzed during August 2025. The following are some of the statistics and cases included in the original report.

1) Statistics of Phishing Email Threats

In August 2025, the most common type of threat among phishing email attachments was phishing (63%). Threat actors used scripts such as HTML to mimic the screen layout, logo, and font of legitimate login pages and promotional pages. These pages prompt users to enter their account credentials, which are then sent to the threat actor’s C2 server, or redirect the victims to fake websites. This type of phishing also includes hyperlinks inserted into documents such as PDF files to redirect users to phishing websites created by threat actors.


Figure 1. Phishing email threat statistics

 

This section also reflects the recent trends of threats posed by phishing emails by providing data on the distribution changes of samples in each category over the last six months. Additionally, statistics on the extensions of attachments found in phishing emails are included, allowing readers to identify the file formats used in phishing emails. Readers can refer to the original ATIP report to access other statistics not covered in this summary.

 

2) Distribution of Korean Emails

This section covers cases of phishing emails written in Korean, and provides the titles and file names of attachments from these samples. This information allows readers to identify the frequently used keywords in phishing email threats.


Figure 2. Some of the phishing emails in Korean

 

3) Analysis of Phishing Email Distribution Cases

Representative cases were analyzed according to the attachment format (Script, Document, Compress), so readers can review phishing email attacks that actually occurred in August. In addition to phishing pages (FakePage) delivered as Script attachments, malware that exploits a vulnerability when the document file is executed (exploit) was also distributed via phishing emails. When the document file is executed, the Purecrypter malware is executed through the Equation Editor (EQNEDT32.EXE) vulnerability (CVE-2017-11882). Cases of PE files (.exe) being compressed in ZIP archives and distributed through phishing emails are also increasing. Additional information such as the C2 address, analysis information, and the body of the phishing email that distributed the malware can be found in the original ATIP report and ATIP Notes.


Figure 3. Malware distributed as an attachment in Document format


Figure 4. Malware distributed as an attachment in Compress format
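
As an added illustration (not code from the original report), the sketch below triages an attachment into the three formats described above: an HTML page whose password form posts to a remote host, a ZIP that contains a PE file, and a document that embeds an Equation Editor object. The byte markers, function names, and sample inputs are assumptions constructed for this example, and a Document finding means only that the component affected by CVE-2017-11882 is referenced, not that an exploit is present.

```python
import io
import zipfile
from html.parser import HTMLParser

# Heuristic markers for an Equation Editor object (un-obfuscated RTF/OLE only).
EQUATION_MARKERS = (b"Equation.3", "Equation Native".encode("utf-16-le"))

class FormScan(HTMLParser):  # records form action URLs and password inputs
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True

def triage(name, data):
    """Return findings for one attachment given its file name and raw bytes."""
    findings = []
    if name.lower().endswith((".html", ".htm", ".shtml")):
        scan = FormScan()
        scan.feed(data.decode("utf-8", "replace"))
        remote = [u for u in scan.actions if u.lower().startswith(("http://", "https://"))]
        if scan.has_password and remote:
            findings.append("Script/FakePage: password form posts to " + remote[0])
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                body = b""
                if not info.flag_bits & 0x1:  # bit 0 set means the member is encrypted
                    with zf.open(info) as member:
                        body = member.read(1 << 20)  # capped read
                if info.filename.lower().endswith(".exe") or body[:2] == b"MZ":
                    findings.append("Compress: PE file in ZIP: " + info.filename)
                elif any(m in body for m in EQUATION_MARKERS):
                    findings.append("Document: Equation Editor object in " + info.filename)
    elif any(m in data for m in EQUATION_MARKERS):
        findings.append("Document: Equation Editor object in " + name)
    return findings

# Constructed samples: placeholder host, MZ-prefixed stub (not a real PE), bare RTF.
SAMPLE_HTML = b'<form action="https://example.invalid/p"><input type="password"></form>'
SAMPLE_RTF = rb"{\rtf1{\object\objemb{\*\objclass Equation.3}}}"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("invoice.exe", b"MZ" + b"\x00" * 62)
SAMPLE_ZIP = _buf.getvalue()
```

Because Office Open XML files are ZIP containers, the archive branch also inspects each member for the Equation Editor markers, while encrypted members are judged by file name only.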

 

This post presents part of the August 2025 Trends Report on Phishing Emails. The original ATIP report contains additional content, including the recent distribution trends of phishing (FakePage) and malware, statistics on and distribution of attachments by extension, and analysis of actual phishing email attacks.

 
