Kaspersky: Malicious email attacks up 15% in 2025

Global email security firm Kaspersky has recorded a significant rise in email-borne threats in 2025, with over 144 million malicious and potentially unwanted email attachments detected — a 15% increase from the previous year.

The surge comes amid a broader spam problem. Kaspersky telemetry shows that nearly one in every two emails globally — 44.99% of all email traffic — was classified as spam in 2025. Spam encompasses not only unsolicited commercial messages but also scam emails, phishing campaigns, and malware delivery.

The Asia-Pacific region registered the largest share of email antivirus detections at 30%, followed by Europe at 21%. Latin America accounted for 16%, the Middle East for 15%, Russia and the Commonwealth of Independent States (CIS) for 12%, and Africa for 6%.

Among individual countries, China recorded the highest rate of malicious and potentially unwanted email attachments, capturing 14% of all email antivirus detections. Russia followed with 11%, while Mexico and Spain each accounted for 8%, and Turkey for 5%.

Detection volumes peaked during June, July, and November 2025.

Kaspersky’s annual threat landscape analysis identified four persistent trends expected to continue into 2026.

Attackers are increasingly combining multiple communication channels, luring email users into switching to messaging applications or calling fraudulent phone numbers. In some cases, scam investment emails redirect victims to fake websites where they are prompted to submit their contact details, after which cybercriminals follow up with a phone call.

Evasion techniques are growing more sophisticated. Threat actors are routinely disguising phishing URLs using link protection services and QR codes. These QR codes are often embedded directly in email bodies or within PDF attachments — concealing phishing links while encouraging recipients to scan them on mobile devices, where security measures tend to be weaker than on corporate computers.

Cybercriminals are also exploiting legitimate platforms to carry out their schemes. Kaspersky researchers uncovered a fraudulent tactic that abuses OpenAI’s organization creation and team invitation features to send spam from verified OpenAI email addresses, potentially tricking users into clicking scam links or calling fraudulent phone numbers. A calendar-based phishing scheme, first seen in the late 2010s, also resurfaced in 2025 with a renewed focus on corporate users.

Business email compromise (BEC) tactics have also been refined. In 2025, attackers incorporated fake forwarded emails into their correspondence to appear more credible. These fabricated emails lacked thread-index headers or other authentication markers, making it difficult for recipients to verify their legitimacy within an email thread.

Roman Dedenok, an anti-spam expert at Kaspersky, emphasized the gravity of the threat in a statement accompanying the report.

“Email phishing shouldn’t be underestimated. Our report reveals that one in ten business attacks starts with phishing, with a significant proportion being Advanced Persistent Threats (APTs). In 2025, we saw an increase in the sophistication of targeted email attacks. Even the smallest details are meticulously crafted in these malicious campaigns, including the composition of sender addresses and the tailoring of content to real corporate events and processes. The commodification of generative AI has significantly amplified this threat, enabling attackers to craft convincing, personalized phishing messages at scale with minimal effort, automatically adapting tone, language and context to specific targets,” Dedenok said.

The findings underscore the evolving and increasingly AI-assisted nature of email threats, with generative tools now enabling attackers to scale personalized campaigns at minimal cost.

To mitigate risks, Kaspersky recommends treating unsolicited invitations from any platform with suspicion, even if they appear to originate from trusted sources. Users are advised to inspect URLs carefully before clicking, and to avoid calling any phone numbers listed in suspicious emails, instead sourcing contact details directly from the official websites of the relevant services.

For organizations, Kaspersky recommends deploying its Security for Mail Server solution, which uses multi-layered defenses powered by machine learning algorithms. The company also advises ensuring that all employee devices — including smartphones — carry robust security software, and conducting regular staff training on current phishing tactics.

Kaspersky’s full report on the spam and phishing threat landscape is available at securelist.com.