CyberSecurity SEE

11 techniques cybercriminals use to enhance the effectiveness of phishing attacks

Cybercriminals have been employing more advanced tactics to bypass email security filters and target unsuspecting employees, taking advantage of embedded images in phishing campaigns. According to Recorded Future’s LaTulip, these images are used to disguise malicious content or links, allowing cybercriminals to evade detection and increase their chances of success.

One concerning trend highlighted by KnowBe4 is the surge in phishing campaigns using Russian (.ru) top-level domains. The Threat Research team at KnowBe4 reported a 98% increase in these campaigns from December 2024 to January 2025, with a focus on credential harvesting. Some Russian .ru domains are associated with “bullet-proof” hosting providers, known for supporting malicious activities and ignoring abuse reports against their cybercriminal clients.

Furthermore, cybercriminals are leveraging AI-assisted toolsets on the dark web and hacker forums to supercharge their intelligence-gathering capabilities. These tools can scrape social media posts, identify geolocations, and extract valuable information about organizations from various sources like LinkedIn, DNS records, and third-party service providers. By repurposing legitimate marketing tools, attackers can maximize the reach and effectiveness of their scams, including SEO hijacking and phishing attacks.

The professionalization of phishing attacks is evident in the rise of Phishing-as-a-Service (PhaaS) kits, which are expected to account for half of credential theft attacks in 2025. Cybersecurity vendor Barracuda predicts an increase from 30% in 2024 to 50% in 2025. These platforms offer subscription-based services that enable cybercriminals to steal multi-factor authentication codes, employ advanced evasion techniques, and store stolen credentials. PhaaS toolkits are distributed through Telegram, dark web forums, and underground marketplaces, with subscription costs starting from $350 per month.

One of the most widely used PhaaS platforms, Tycoon 2FA, was implicated in 89% of the incidents observed by Barracuda. This platform utilizes encrypted scripts and invisible Unicode characters to evade detection, steal credentials, and exfiltrate data via Telegram. Another platform, Sneaky 2FA, specializes in adversary-in-the-middle attacks by exploiting Microsoft 365’s ‘autograb’ feature to pre-populate fake login pages, filter out non-targets, and bypass 2FA.
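A defender-side triage check for the invisible-Unicode obfuscation mentioned above, as an added example that is not from the article or from Barracuda. The article does not say which characters the kits use, so the character set, the run threshold and the sample strings are assumptions.

```python
import unicodedata

# Assumption: characters that render blank but are not in category Cf.
# The article does not name the characters the kits rely on.
BLANK_LETTERS = {0x115F, 0x1160, 0x3164, 0xFFA0}  # Hangul fillers


def is_invisible(ch):
    """True for format characters (Cf: zero-width, bidi, BOM) and blank fillers."""
    return unicodedata.category(ch) == "Cf" or ord(ch) in BLANK_LETTERS


def invisible_runs(text, min_run=8):
    """Return (offset, length, sorted 'U+XXXX' list) for every run of at
    least min_run consecutive invisible characters."""
    runs, start = [], None
    for i, ch in enumerate(text + "\0"):  # sentinel closes a trailing run
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                cps = sorted({f"U+{ord(c):04X}" for c in text[start:i]})
                runs.append((start, i - start, cps))
            start = None
    return runs


def triage(text, min_run=8):
    """Summarise a script or HTML body for an analyst queue.
    A lone BOM or an emoji joiner is counted but does not raise the flag;
    only long runs do, which keeps ordinary text quiet."""
    runs = invisible_runs(text, min_run)
    total = sum(is_invisible(c) for c in text)
    return {"suspicious": bool(runs), "invisible_total": total, "runs": runs}


# Constructed samples (not taken from any real kit).
BENIGN = "\ufeffconst label = 'family: \U0001F468\u200d\U0001F469';"
PADDED = "var k = '" + "\u3164\uffa0" * 20 + "'; render(k);"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("padded", PADDED)):
        print(name, triage(body))
```

Run it over attachment bodies or fetched page source before rendering; the offsets in `runs` point an analyst at the hidden span.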

Overall, cybercriminals are continuously evolving their tactics and techniques to stay ahead of security measures and carry out successful phishing attacks. It is crucial for organizations to stay vigilant, implement robust cybersecurity measures, and educate employees to recognize and report phishing attempts to mitigate the risk of falling victim to such attacks.
