
UK Industrial Sector AiTM Phishing Campaign

JUMPSEC have detected and tracked a new phishing campaign targeting numerous industrial sector organisations, predominantly in the engineering, construction, and energy sectors in the UK and US. Throughout March 2025, the threat actors have consistently used a common and identifiable AiTM (Adversary in the Middle) phishing kit. At-risk organisations should take steps to reduce the risk of compromise, as the infrastructure detailed below continues to be leveraged by threat actors.

Most Phishing Emails Rely Purely on Social Engineering

99% of phishing emails that reached inboxes last year did not contain malware, according to a new report from Fortra. Attackers were much more successful using malicious links or purely response-based social engineering. Fortra explains, “Anti-malware scanning, sandboxing, and other pre-delivery security processes are increasingly common and make it more difficult for emails containing malware payloads to reach user inboxes.”

Don't take the bait - How to spot and stop phishing scams

The internet is a great place — until someone tries to steal your login credentials, credit card details, or even your entire identity. Enter phishing: the cybercriminal’s favorite way to trick you into handing over personal information. If you think you’d never fall for a scam, think again.

Protect Your Business From Modern Day Fraud Threats

Fraud has been around since ancient Greece, when a sea merchant tried to swindle insurers by capsizing his ship but keeping its goods. In its simplest form, fraud is a crime in which some kind of deception is used for financial or personal gain.

Surge in Phishing Attacks Hijacking Legitimate Microsoft Communications

A KnowBe4 Threat Lab Publication. Authors: James Dyer, Threat Intelligence Lead at KnowBe4, and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4.

On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains. KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.

Report: Phishing Remains the Most Prevalent Cyber Threat

INKY has published its annual report on email security, finding that phishing accounted for 30% of all reported cybercrimes last year. “Phishing threats grew in both volume and sophistication, introducing new attack vectors like QR codes, cross-site scripting, and weaponized file types (e.g., RTF and DOT),” the report says. “Cybercriminals also increasingly exploited trusted services such as DocuSign and PayPal, underscoring the urgent need for adaptive, robust security solutions.”

Amount of Money Requested In BEC Attacks Nearly Doubled in Q4 2024

The average amount of money requested in business email compromise (BEC) attacks spiked to $128,980 in the fourth quarter of 2024, according to the Anti-Phishing Working Group’s (APWG’s) latest report. This is nearly double the amount requested during Q3 2024. The researchers found that Gmail accounts were used to launch 81 percent of BEC scams last quarter. The report also warns of a surge in SMS phishing scams impersonating toll operators in the US, driven by a popular Chinese phishing kit.

Trustwave MailMarshal's Secure Email Gateway Protects Against Phishing/Ransomware Attacks

In March 2025, several US federal agencies issued a joint warning on the phishing-based, ransomware-as-a-service (RaaS) threat group Medusa and are encouraging organizations to implement mitigations to reduce the likelihood of being impacted by an attack.

Arsen Introduces AI-Powered Phishing Tests to Improve Social Engineering Resilience

Arsen, a leading cybersecurity company specializing in social engineering defense, today announced the full release of Conversational Phishing, a groundbreaking feature embedded in its phishing simulation platform. This AI-powered tool introduces dynamic, adaptive phishing conversations to train employees against evolving threats more effectively than ever before.

Act Now: Phishing-as-a-Service Attacks are on the Rise

Phishing-as-a-service (PhaaS) platforms drove a surge in phishing attacks in the first two months of 2025, according to researchers at Barracuda. PhaaS platforms, which provide criminals with a ready-made kit for launching advanced phishing attacks, were responsible for more than a million attacks in January and February. Three PhaaS platforms accounted for nearly all of these attacks, with the Tycoon 2FA kit dominating the market.