November 2025 Trends Report on Phishing Emails
This report provides statistics, trends, and case information on the distribution volume, attachment threats, and other aspects of phishing emails collected and analyzed during November 2025. The following are some of the statistics and cases included in the original report.
1) Statistics of Phishing Email Threats
In November 2025, the most prevalent threat type among phishing emails was phishing (78%). Threat actors used scripts such as HTML to mimic the screen layout, logos, and fonts of login pages and promotional pages, prompting users to enter their account credentials. The credentials are then sent to the threat actor’s C2 server, or users are redirected to a fake website. This type of phishing also involves inserting hyperlinks into documents such as PDF files, which redirect users to the threat actor’s phishing website.

Figure 1. Phishing email threat statistics
The data also reflects recent trends in phishing email threats by showing how the distribution of samples in each category has changed over the past six months. Additionally, statistics on the extensions of attachments found in phishing emails are included, giving readers an understanding of the file formats used in phishing emails. Readers can refer to the full ATIP report for statistics that are not covered in this summary.
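The HTML-attachment phishing described in this section can be checked for at mail triage. The following is an added example, not code from the report: it flags HTML attachments whose form collects a password and submits it to a remote host. The sample message, file names, and the host `collector.example` are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormScanner(HTMLParser):
    """Record each <form>'s action and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def scan_message(raw):
    """Return (attachment name, remote host) for HTML attachments posting a password off-host."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        # Decode the transfer encoding, then treat the bytes as text for parsing.
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        scanner = FormScanner()
        scanner.feed(body)
        for form in scanner.forms:
            # An attachment opens from local disk, so any form action with a host is remote.
            host = urlparse(form["action"]).hostname
            if form["password"] and host:
                findings.append((name, host))
    return findings

def build_sample():
    """Constructed sample message; collector.example is a placeholder host."""
    m = EmailMessage()
    m.set_content("Please review the attached document.")
    lure = ('<form action="https://collector.example/post.php" method="post">'
            '<input name="u"><input type="password" name="p"></form>')
    m.add_attachment(lure, subtype="html", filename="invoice.html")
    m.add_attachment("<p>Newsletter</p>", subtype="html", filename="news.html")
    return m.as_bytes()
```

Calling `scan_message(build_sample())` reports only `invoice.html`; forms with a relative action and pages without a password field are not flagged.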
2) Distribution of Korean Emails
This section categorizes cases that are composed in Korean and partially discloses the subjects and attachment file names of the samples. This information allows readers to identify keywords frequently used in phishing email threats.

Figure 2. Some of the phishing emails distributed in Korean
3) Case Analysis of Phishing Email Distribution
Representative cases were analyzed according to the format of the attachments (script, document, compress), so users can check the phishing email attack cases that actually occurred this month. In addition to phishing pages (FakePage) delivered as script attachments, XLoader malware was distributed through phishing emails using document attachments this month. The document file contains, as an internal OLE object, a C2 from which additional malware is downloaded when the document is executed. After that malware is downloaded and executed, the XLoader malware is run. Furthermore, there is a growing trend of EXE files being compressed into RAR archives and distributed through phishing emails. Additional information, such as the C2 address, analysis information, and the body of the phishing email that distributed the malware, can be found in the original ATIP report and ATIP Notes.

Figure 3. Malware distributed as an attachment in Document format

Figure 4. Malware distributed as an attachment in Compress format
This post shares some of the contents of the November 2025 Phishing Email Trends Report. The full ATIP report includes additional content such as the recent distribution trends of phishing (FakePage) and malware, statistics on the distribution of emails by attachment extension, and analysis information on actual phishing email attacks.