Email: The Modern Business Lifeline Under Siege
From handwritten letters to telegrams and fax machines, business communication has always relied on trust and speed. Email revolutionized that; it is instant, global, and indispensable. But with that dependence comes danger: more than a third of all spam emails are designed to harm, according to VIPRE Security Group’s Q3 2025 Email Threat Report.
VIPRE analyzed 1.8 billion emails in Q3 2025, identifying 234 million spam messages, of which 26 million were malicious, a 13% increase from last year. Attackers aren’t just relying on sophisticated code anymore. They’re exploiting ordinary communication habits, making their malicious messages look like routine correspondence.
“Today’s cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication,” says Usman Choudhary, General Manager, VIPRE Security Group. “They’re manipulating trusted platforms, layering evasion tactics into seamless attack chains, and using commercial spam as cover for their operations.”
Commercial Clutter Becomes Cyber Cover
The report found that 60% of all spam emails were “commercial,” such as cold outreach or marketing promotions. That’s a 34% year-on-year rise. Phishing accounted for 23% and scams 10%. “This flood of routine commercial clutter desensitizes users,” VIPRE warned, “making malicious emails blend seamlessly into the noise.”
Cold outreach accounted for 72% of commercial spam. At the same time, list bombing, where attackers flood inboxes with mass sign-ups to bury legitimate alerts, rose to 16%. VIPRE called list bombing “a DDoS for the brain.” It’s chaos that hides real threats, from account takeovers to financial fraud.
VIPRE’s findings show that phishing remains the dominant threat in the landscape. Credential harvesting is the ultimate goal, and Fetch API—a modern JavaScript interface—was used in one-third of phishing campaigns to exfiltrate stolen credentials, outpacing older POST-based methods.
Most phishing attempts used open redirects (80%) rather than newly registered domains (20%). Attackers hijack legitimate URLs, making their links appear safe. Microsoft, McAfee, and PayPal were the most spoofed brands this quarter, showing how attackers exploit trust in global tech giants.
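A mail-filtering check for the open-redirect pattern described above, as an added example that is not taken from VIPRE's report: it flags links whose query parameters carry a URL pointing at a different site than the host the reader sees. The function names and the sample links are constructed for illustration, and the same-site test is a simplification that ignores public-suffix rules.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

def _host(url):
    """Lowercase hostname of an http(s) or scheme-relative URL, else None."""
    url = url.strip()
    if url.startswith("//"):
        url = "https:" + url
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def _same_site(a, b):
    """Simplified test: equal hosts, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def redirect_targets(link, max_decode=3):
    """Return (parameter, target_host) pairs where a query value holds a URL
    on a different site than the link's visible host."""
    outer = _host(link)
    if outer is None:
        return []
    findings = []
    for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        # parse_qsl decodes once; keep decoding to catch double-encoded targets.
        for _ in range(max_decode):
            inner = _host(value)
            if inner:
                if not _same_site(outer, inner):
                    findings.append((name, inner))
                break
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
    return findings

# Constructed sample links using reserved example domains.
SAMPLES = [
    "https://shop.example.com/out?url=https%3A%2F%2Flogin.example.net%2Fsignin",
    "https://shop.example.com/r?next=https%253A%252F%252Fcdn.example.org%252Fa",
    "https://shop.example.com/login?return=https%3A%2F%2Faccount.shop.example.com%2F",
    "https://shop.example.com/item?id=42",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", redirect_targets(link))
```

A hit is a reason to score or rewrite the link, not proof of phishing: many legitimate login and tracking flows also pass a destination URL in a parameter.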
Even file types tell a story: PDF attachments accounted for three out of four malicious files, chosen for their familiarity and perceived legitimacy.
BEC: Business Email Compromise Remains the Top Threat
Business Email Compromise (BEC) accounted for 51% of all malicious emails, with most (63%) using impersonation tactics rather than technical exploits. CEOs remain the top impersonation target, followed by directors, HR staff, and finance officers. (EDITORIAL NOTE: This plays on the power of hierarchy, the instinct to “jump” when the boss comes calling. Does your cybersecurity training call this out?)
Attackers increasingly move conversations to encrypted or personal messaging apps like WhatsApp, sidestepping monitored email systems. And language matters: English dominated at 83% of all BEC messages, reflecting its global business reach.
Worryingly, 57% of BEC messages were AI-written, showing cybercriminals are now using automation to scale deception faster than ever.
Malware and the Apple TestFlight Exploit
While phishing and BEC dominate, malware-laden spam—known as malspam—remains a potent threat. In Q3 2025, all malspam used links rather than attachments to deliver payloads.
Attackers have turned Apple’s legitimate TestFlight beta app platform into a malware distribution channel. “TestFlight’s trust and convenience make it the perfect Trojan horse,” VIPRE said. Victims received fake invitations to test apps from trusted brands like Meta, unknowingly installing trojans that stole biometric data and banking credentials.
Geography: Where Spam and Threats Hide
The U.S. remains the top source of spam at 60%, followed by Hong Kong (9%) and Great Britain (6%). VIPRE attributes this to the density of U.S.-based data centers. “Attackers rent or compromise servers in trusted geographies to piggyback on their reputation,” the report noted.
Blocking by IP geography, VIPRE warned, is “unwise at best,” since legitimate business traffic often comes from the same regions as attacks.
Top Targeted Industries
The Manufacturing sector (25%) remains the most attacked, followed by Financial services (21%), Healthcare (11%), and Retail (9%). Critical infrastructure sectors like Utilities (5%) and Education (5%) also appeared on the list. VIPRE highlighted that attackers “aren’t limiting themselves—they’re opportunists at heart.”
The Final Say: The BEC Battlefield Evolves
VIPRE’s conclusion is blunt: the email threat landscape is defined by strategic sophistication, not technical complexity. Attackers now combine multiple low-tech tactics into advanced attack chains:
- Trusted URLs masking compromised landing pages
- Commercial spam hiding phishing attempts
- Legitimate cloud platforms delivering malware
“The question isn’t whether defenses work today,” said Usman Choudhary, VIPRE’s General Manager. “It’s whether they can adapt fast enough for tomorrow.”
Email Threats in Plain English
Think of your email inbox as your front door. Friendly delivery drivers (your newsletters) show up daily, but among them, one is a thief wearing a uniform. VIPRE’s report says one in three “deliveries” is dangerous.
Like an old city gate that once kept out raiders but now faces drones and catapults, traditional email filters are outdated. Attackers exploit trust, familiarity, and the sheer noise and volume of commerce. As Sun Tzu might put it, “In the midst of chaos, there is also opportunity.” That comes from The Art of War. For cybercriminals, this battlefield and opportunity live in your inbox.