Cybercriminals Use Creative New Tactics to Evade Email Security, VIPRE Q3 2025 Report Shows

VIPRE’s latest email threat report, the Q3 2025 Email Threat Landscape Report, paints a picture of attackers who understand that the best place to hide is often in plain sight. Analysing 1.8 million messages during the third quarter, the company found that legitimate‑looking commercial emails (the kind of marketing clutter we all ignore) made up roughly 60 per cent of the total, up by a third compared with the same period last year. Buried in that flood of promotions and cold‑sales pitches, more than a third of all spam messages contained something harmful, whether a phishing link, a scam or malicious code. VIPRE warns that this deluge of routine mail is desensitising users: when inboxes are full of harmless promotions, it’s easier to miss the one that really matters.

Attackers continue to refresh their playbook. Many spin up brand‑new domains for phishing sites that disappear as soon as they are spotted; however, 80 per cent of phishing campaigns still rely on hijacked links or open redirect services. Most credential‑harvesting attempts target Outlook and Gmail accounts, which together account for 90 per cent of the observed attacks. The report notes a shift to more technically sophisticated data‑exfiltration methods: about one‑third of phishing campaigns used the Fetch API — a web interface designed for legitimate data transfer — to send stolen credentials, while fewer than ten per cent used the older POST method. Some groups also abused Apple’s TestFlight beta‑app distribution system to deliver malicious iOS apps, bypassing the usual App Store checks.
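
As an added illustration of the hijacked-link and open-redirect pattern mentioned above (not code from VIPRE's report or from this article), the Python sketch below flags links in a message body whose query string or fragment carries an absolute URL on a different site. The sample message, the host names and the two-label site comparison are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def site(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A real filter should use the Public Suffix List (e.g. for co.uk).
    return ".".join(host.lower().split(".")[-2:])

def embedded_hosts(url):
    """Hosts of absolute URLs carried in the query or fragment of url."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(parts.fragment, keep_blank_values=True)
    hosts = []
    for _, value in pairs:
        value = unquote(value)  # parse_qsl decoded once; undo double encoding
        if value.startswith("//"):  # scheme-relative target
            value = "https:" + value
        if re.match(r"https?://", value, re.IGNORECASE):
            host = urlsplit(value).hostname
            if host:
                hosts.append(host.lower())
    return hosts

def flag_redirect_links(body):
    """Return (outer_host, target_host) for links that forward off-site."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,);")
        outer = urlsplit(url).hostname
        if not outer:
            continue
        for target in embedded_hosts(url):
            if site(target) != site(outer):
                findings.append((outer.lower(), target))
    return findings

# Constructed sample message body (all hosts are placeholders).
SAMPLE = """Your mailbox is almost full. Review storage:
https://news.shop.example/track?id=77&url=https%3A%2F%2Flogin.mail-verify.test%2Fowa
Unsubscribe: https://news.shop.example/unsub?next=https://www.shop.example/bye
Docs: https://docs.vendor.example/guide?page=2
Offer: https://r.cdn.example/out?u=https%253A%252F%252Fevil.test%252Fx
"""

if __name__ == "__main__":
    for outer, target in flag_redirect_links(SAMPLE):
        print(f"{outer} forwards to {target}")
```

A hit is a triage signal rather than a verdict, since legitimate click-tracking links have the same shape; what matters is where the embedded destination leads.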

The geographic spread of spam highlights why simple blocklists don’t work. More than 60 per cent of unwanted messages originated in the United States, with smaller but still significant volumes coming from Hong Kong (9 per cent) and the UK (6 per cent). The senders themselves often appear legitimate: about a third of campaigns used compromised business email accounts, and almost as many were sent from free webmail services like Gmail, Yahoo or ProtonMail. Attackers also hijacked the good reputations of bulk‑mailing platforms such as SendGrid, Mailgun and Amazon SES, either by signing up with fake details or by breaching customer accounts.

Usman Choudhary, VIPRE’s general manager, summed up the challenge by noting that criminals are “manipulating trusted platforms, layering evasion tactics into seamless attack chains”. As defences improve, the report argues, attackers will continue to blend into ordinary traffic and misuse legitimate services. Staying safe will require not just better filters but also broader awareness of how threats hide in everyday communication.

Emailexpert Editorial Team
Articles published under this byline are produced by the Emailexpert editorial staff and contributors. Content reflects collective reporting and review rather than the work of a single author.
