January 2026 Phishing Email Trends Report
This report provides the distribution quantity, statistics, trends, and case information on phishing emails and email threats collected and analyzed for one month in January 2026. The following are some statistics and cases included in the original report.
1) Phishing Email Threat Statistics
In January 2026, the most prevalent threat type among phishing email attachments was phishing (67%), where attackers replicated the layout, logos, and fonts of login pages and promotional pages using scripts such as HTML. This tactic entices users to enter their account credentials and passwords, which are then transmitted to the attacker’s C2 server or directs them to a fake site. This type of phishing not only utilizes scripts but also inserts hyperlinks in documents such as PDFs to lead users to phishing sites created by the attackers.
[Figure 1] Phishing Email Threat Statistics
In addition, data on the distribution changes of samples by category over the past six months has been provided, reflecting the recent trends in threats posed by phishing emails. Furthermore, statistics on the extensions of attachments found in phishing emails have been included, allowing readers to understand the file formats used in these emails. These statistics and more can be found in the original ATIP report.
2) Korean Email Distribution Status
This section categorizes cases that are written in Korean and partially discloses the subject and file name of attachments. This allows readers to identify the keyword information that frequently appears in phishing email threats.
[ Figure 2] Some of the Phishing Emails Distributed in Korean
3) Analysis of Phishing Email Distribution Cases
An analysis of representative cases was conducted based on the formats of attached files (Script, Document, Compress). Through this, actual phishing email attack cases that occurred this month can be identified. This month, not only phishing pages (FakePage) in the Script attachment format but also malware using EXE attachments, specifically the Remcos RAT, were disseminated via phishing emails. When the document file is executed, an RTF file exploiting the vulnerability of the equation editor (EQNEDT32.EXE) is run, ultimately executing the XLoader malware. Additionally, there has been an increase in cases where EXE files are compressed in RAR and distributed through phishing emails. Analysis information, including C2 addresses and the body of the phishing emails that disseminated the malware, can be found in the original ATIP report and ATIP Notes.
[Figure 3] Malware distributed via attachments in Compress format
[Figure 4] Malware distributed via attachments in Document format
This post has disclosed a part of the January 2026 Phishing Email Trend Report. The original ATIP report contains additional information, such as the recent distribution trends of phishing (FakePage) and malware, statistics on the distribution by attachment file extension, and analysis of actual phishing email attacks.
