A brief overview of phishing evolution
Flare’s report “The phishing kit economy” highlights that “today, the landscape is dominated by highly sophisticated phishing-as-a-service (PhaaS) platforms and reverse-proxy kits like EvilProxy, Typhoon, Tycoon 2FA, and others…
The data also explains why defenders are struggling. Modern kits increasingly revolve around AiTM and reverse-proxy capabilities that bypass OTP-based MFA, steal session cookies, and automate account takeover with minimal user suspicion.”
Sekoia’s recent research, “New widespread EvilToken kit: device code phishing as a service”, shows how a powerful technique to steal credentials and establish persistence is now “productised”. The phishing threat actor provides not only an easy way to compromise an account, but also LLM-assisted exploitation.
VMRay Malware & Phishing Threat Landscape Report – 2025/2 concluded: “Email was still heavily abused, but it was increasingly combined with QR codes, fake CAPTCHAs, and long redirect chains designed to frustrate automated detection. ClickFix techniques stood out as a key trend.”
This report also observed: “archives and PDFs appear disproportionately in recursive chains because phishing emails routinely deliver either a link or an attachment, each of which expands into further analysis. The practical implication is that a single phishing email rarely represents a single sample. The full delivery chain, followed to its end, is where the actual threat lives.”
Hoxhunt analysed emails received in the User Reported Phishing (URP) folder, providing detailed insights on phishing emails bypassing common email security, and reported:
- 43% of AI phishing emails use a malicious link
- 11% of AI phishing emails use a malicious attachment
Among attachments, PDF files are the most common (24% in 2025), followed by HTML and SVG files at around 5%.
Phishing-kit actors are evolving quickly, both with new techniques to evade defences and by providing easy-to-use Phishing-as-a-Service to low-skill actors.
What are the implications for security teams
Latest phishing techniques may be found in your URP folder
Security teams should leverage phishing alerts to learn about new attacks, as attackers are likely to be persistent.
When new phishing techniques bypass current email security, the SOC team still has a chance to detect them in the User Reported Phishing (URP) folder.
Follow the delivery chain to discover the threat
Attackers invest a lot of effort in preventing security teams from understanding their attack.
The simplest technique is to keep the campaign active for only a short time. As it often takes many hours for incident responders to start an investigation, attackers only need to block automated scanners and security systems to keep their real threat hidden.
VMRay Malware & Phishing Threat Landscape Report – 2025/2 describes one of these complex chains, using CAPTCHA and VPN detection to evade security tools.
Anti-evasion sandboxes using dynamic and recursive analysis, such as VMRay, are designed to follow the delivery chain and identify the actual threat.
Automate to catch the threat when the campaign is active
Due to the sheer volume of phishing alerts, and because the recursive analysis has to run while the attack is still active, automation is the only chance to catch the real threat.
It is important to distinguish blocking the start of the attack chain from understanding the real threat.
Blocking the start of an attack is obviously critical and most security tools focus on doing that at scale. Understanding the attack allows security teams to properly prioritize what to investigate and to preemptively block persistent attackers who will try various ways to deploy their payload.
In my testing, I often see vague alerts such as a URL being blocked because it is known as malicious. That gives no indication of the actual threat. But as the VMRay integration automatically analyses suspicious files or URLs, it provides within minutes:
- Information on the actual threat e.g. an infostealer named Vidar
- The means to identify and block it such as the IOCs and extracted malware configuration
Therefore, emails from the URP folder should be submitted as soon as possible to recursive and dynamic analysis, to follow the attack chain, identify the severity of the attack and extract IOCs.
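As an added example (not VMRay’s integration nor any code from the original post), a small Python triage helper that performs the first automated step described above on a user-reported email: it splits the reported message into the separate artefacts to submit, every URL and every attachment, and flags the attachment types the reports cite as typical next stages of a delivery chain. The sender, recipient, URL and PDF content are constructed for the example.

```python
import email
import hashlib
import re
from email import policy

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Attachment types the reports above flag as common next stages of a delivery chain.
EXPANDS_CHAIN = {"application/pdf", "text/html", "image/svg+xml",
                 "application/zip", "application/x-rar-compressed"}
# Constructed sample of a user-reported email (not a real campaign): an HTML body
# with a link plus a PDF attachment, the two shapes the delivery chain usually takes.
SAMPLE_EML = b"""\
From: billing@example.test
To: user@example.test
Subject: Invoice overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Review <a href="https://example.test/login?id=1">your invoice</a>.</body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGU=
--b1--
"""

def extract_artifacts(raw_eml: bytes) -> dict:
    """Collect every URL and attachment a reported email carries, each a sample to submit."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_filename():
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(), "content_type": ctype,
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "expands_chain": ctype in EXPANDS_CHAIN})
            # HTML/SVG attachments often carry the next hop of the chain themselves.
            if ctype in ("text/html", "image/svg+xml"):
                urls.update(URL_RE.findall(data.decode("utf-8", "replace")))
        elif ctype in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"subject": msg["subject"], "urls": sorted(urls), "attachments": attachments}
```

Each returned URL and each flagged attachment (the PDF here, whose QR code or link is the next hop) is what should go to the recursive sandbox, not just the email as a whole.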
Examples showing the power of running a recursive analysis
To illustrate the value that recursive dynamic analysis brings to phishing triage, we will show below a few examples with Microsoft Defender for Office (MDO). These examples use typical attack vectors such as PDF attachments containing a QR code that leads to a fake login page or to a malware download, or URLs leading to a ClickFix attack.
While Microsoft Defender for Office (MDO) does the heavy lifting of checking all emails, VMRay analyzes only the evidence coming from MDO alerts.
The testing methodology is straightforward:
- Recent threats are sourced from MalwareBazaar, URLhaus or ClickFix Hunter.
- Emails containing a malicious attachment or URL are sent to a mailbox protected by MDO.
- If the email is detected as malicious, it is not delivered and an alert is raised. VMRay analyzes the URLs found in the email.
- If the email is not detected, it is delivered and reported as phishing, triggering an MDO alert. VMRay analyzes the attachments and URLs found in the email. Note: Defender provides many layers of defence, so even if a phishing email reaches the inbox, clicking on the URL may be blocked by Defender for Office, or downloading malware from a URL may be blocked by Defender for Endpoint. In both cases, the VMRay integration also receives the alert and analyses the related URL.
Let’s look at the value of dynamically analysing the emails in the URP folder through a few examples:
Example 1: URL leading to a ClickFix attack attempting to drop a malicious version of NetSupport.
An email reported as phishing included a URL that was not known as malicious.
When VMRay analysed it, AutoUI first clicked on a CAPTCHA, which revealed a ClickFix attempt. This is clearly indicated in the Defender comment “Possible Pastejacking attempt”, as visible in the captured screenshot.