Phishing in 2025
The Boss Battle We Keep Replaying — and How to Finally Level Up
Ever feel like we’re stuck in a Shonen loop where the villain “evolves” every arc? Phishing is that recurring boss. Just when we stack new defenses, it comes back with a mask change: QR codes, OAuth consent prompts, MFA-bypass kits, deepfake voice calls. If you’ve ever hovered over a shortened link while your pulse spiked like Tanjiro spotting a Blood Demon Art, you know the vibe.
Why phishing still works in 2025
Humans are still the critical path. Attackers don’t need 0-days when urgency, authority, and novelty still move people. Payroll changes, shipping updates, contract renewals — the classics still land because they target business process friction points.
MFA isn’t a silver bullet. Adversary-in-the-middle (AiTM) phishing kits intercept session cookies and replay them, bypassing MFA after the victim “successfully” signs in. That’s why you’ll see spikes in short-lived account takeovers even where MFA exists.
SaaS and OAuth are the new supply chain. Instead of stealing passwords, attackers push users to consent to malicious OAuth apps. You “approve access” once, and the app can read mail, exfiltrate files, or silently pivot. This is increasingly common against Microsoft 365 and Google Workspace tenants.
QR codes (quishing) are mainstream. They bypass link scanners, and on mobile the URL bar UX still hides key parts of domain names. Office posters with malicious QR stickers are real-world attack surfaces.
BEC keeps paying. Business email compromise (BEC) remains one of the most financially damaging attack types because it exploits trust and process gaps, not just tech. Reply-chain hijacking, vendor impersonation, and invoice tampering continue to hit revenue directly.
What the latest reports are saying
Across industry reporting in 2025, a few themes are consistent: phishing volume remains high, BEC continues to be costly, SaaS-brand impersonation is pervasive, and QR-based lures are no longer niche. Training and strong authentication help, but attacker tooling and social engineering adapt quickly. If you want to go deep on the data, these analyses are worth a read: APWG’s Q2 2025 Phishing Activity Trends Report; perspectives from KnowBe4, Hoxhunt, and StationX on training outcomes and evolving lures; and roundups of technique shifts by AAG IT, TechMagic, and Deepstrike.
Anatomy of a modern phish (and how to spot it)
Pretext: Authority + urgency + familiar process. “Final notice: DocuSign pending,” “Updated payroll form,” “Escalation from CFO.” Attackers mirror your real workflows.
Delivery:
HTML attachments with obfuscated JavaScript (launches embedded phishing page).
QR code PNGs that lead to AiTM sites.
Reply-chain insertion after a mailbox compromise — takes your guard down.
OAuth consent links that look legit and use the real Microsoft/Google consent screen.
Evasion:
Link shorteners, open redirects (e.g., legitimate domains used as a trampoline).
Fresh domains with good reputation, or hijacked aged domains.
Geofenced payloads and time bombs (the malicious content only renders for specific source IPs or inside a time window, so scanners and analysts see a benign page).
CAPTCHAs to block scanners.
Practical defenses you can deploy this week
Lock in email authentication
SPF, DKIM, DMARC alignment
SPF (DNS TXT record on the sending domain):
    example.com. IN TXT "v=spf1 include:_spf.yourmailprovider.com include:sendgrid.net -all"
DKIM: Generate the key pair with your mail provider and publish the public key under the selector:
    default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBI…"
DMARC (start with monitor, then enforce):
    _dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensics@example.com; fo=1; adkim=s; aspf=s"
Move from p=none to p=quarantine and then p=reject in staged rollouts (pct= lets you ramp the share of failing mail the policy applies to). BIMI can add brand logos once DMARC is at an enforcing policy (quarantine or reject) and aligned.
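As an added example (not from the original post), here is a small linter for the SPF and DMARC records above: it parses the tag=value pairs, flags p=none, partial pct=, missing aggregate reporting and relaxed alignment, and checks the SPF record for a permissive "all" and the ten-lookup budget. The records in the block are constructed sample values for example.com; in practice you would feed it the result of a DNS TXT lookup.

```python
"""Added example, not from the original post: lint SPF and DMARC TXT records
for settings that leave a domain spoofable. The records below are constructed
sample values (example.com); feed real ones from a DNS TXT lookup."""
import re

# DNS-querying SPF mechanisms/modifiers, capped at 10 per RFC 7208 (only the
# top-level record is counted here; a full check would also resolve each include).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SAMPLE_SPF = "v=spf1 include:_spf.yourmailprovider.com include:sendgrid.net -all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCED = ("v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com; "
                         "ruf=mailto:dmarc-forensics@example.com; fo=1; adkim=s; aspf=s")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag -> value (tags lower-cased, whitespace stripped)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Findings for a DMARC record; empty means enforcing, fully applied and strictly aligned."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy p={policy}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, the rollout is blind")
    if tags.get("adkim", "r").lower() != "s":
        findings.append("adkim=r: DKIM alignment is relaxed (any subdomain of the org domain aligns)")
    if tags.get("aspf", "r").lower() != "s":
        findings.append("aspf=r: SPF alignment is relaxed")
    return findings


def spf_findings(record: str) -> list:
    """Findings for an SPF record; empty means a hard-fail record within the lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    # Strip the +/-/~/? qualifier and keep the mechanism name (include:x -> include, a/24 -> a).
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, receivers return permerror")
    all_terms = [t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1] in ("+all", "all", "?all"):
        findings.append(f"{all_terms[-1]}: any host passes SPF for this domain")
    elif all_terms[-1] == "~all":
        findings.append("~all: softfail only, rely on DMARC enforcement to act on it")
    return findings
```

Run dmarc_findings() against your own record before each rollout stage: the goal is an empty list, and each remaining finding names the next tag to change.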
Harden OAuth and SaaS
Require admin consent for high-privilege scopes; block user consent to risky scopes by default.
Enable app consent workflows with justifications and reviewer approval.
Continuously review enterprise apps: remove unused apps, alert on new privileged consents.
Prefer device-bound tokens where the platform supports them (token binding), and enable continuous access evaluation so that revocations and risk signals cut sessions short instead of waiting for token expiry.
Monitor “impossible travel,” anomalous OAuth app creation, and atypical mailbox rules.
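The consent review above can be scripted. The following is an added example, not from the original post and not a vendor tool: it takes an export of enterprise-app grants and flags the patterns a consent phish leaves behind (user-granted mail or file scopes, offline_access alongside them, an unverified publisher, and a privileged consent that is only days old and held by one or two users). The grants are a constructed sample; the scope strings are Microsoft Graph delegated permission names, and the policy sets and the seven-day window are assumptions to tune per tenant.

```python
"""Added example, not from the original post or any vendor tool: triage OAuth app
consents for the patterns the post describes. The grants below are a constructed
sample shaped like a tenant's enterprise-app export; the scope names are
Microsoft Graph delegated permission names."""
from datetime import datetime, timedelta, timezone

# Scopes that read or change mail and files: admin consent only (assumption: tune per tenant).
HIGH_PRIVILEGE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Directory.ReadWrite.All",
}
# offline_access yields refresh tokens, which outlive password resets until the grant is revoked.
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed reference time for the "recent consent" check.
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)

SAMPLE_GRANTS = [
    {"app": "Contoso Expense Sync", "publisher_verified": True, "consent": "admin",
     "scopes": ["User.Read", "Files.Read.All"], "granted": "2025-03-10T09:00:00Z", "users": 240},
    {"app": "PDF Viewer Pro", "publisher_verified": False, "consent": "user",
     "scopes": ["User.Read", "Mail.Read", "offline_access"], "granted": "2025-09-28T14:12:00Z", "users": 1},
    {"app": "Team Calendar Widget", "publisher_verified": True, "consent": "user",
     "scopes": ["User.Read", "Calendars.Read"], "granted": "2025-06-01T08:00:00Z", "users": 57},
]


def assess_grant(grant: dict, now: datetime = NOW, recent_days: int = 7) -> list:
    """Reasons this grant deserves review; empty means nothing matched the policy."""
    reasons = []
    scopes = set(grant["scopes"])
    privileged = sorted(scopes & HIGH_PRIVILEGE_SCOPES)
    if not privileged:
        return reasons  # low-privilege apps are left to the routine review cadence
    if grant["consent"] == "user":
        reasons.append(f"user consent to privileged scopes {privileged}: policy should have required admin consent")
    if scopes & PERSISTENCE_SCOPES:
        reasons.append("offline_access alongside mailbox/file scopes: durable access until the grant is revoked")
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher holds privileged scopes")
    granted = datetime.fromisoformat(grant["granted"].replace("Z", "+00:00"))
    age = now - granted
    if age < timedelta(days=recent_days) and grant["users"] <= 2:
        reasons.append(f"privileged consent {age.days} day(s) old, held by {grant['users']} user(s): consent-phish pattern")
    return reasons


def triage(grants: list, now: datetime = NOW) -> dict:
    """Map app name -> reasons for every grant that needs a human look."""
    flagged = {}
    for grant in grants:
        reasons = assess_grant(grant, now)
        if reasons:
            flagged[grant["app"]] = reasons
    return flagged
```

Wire triage() to a daily export and you get the "alert on new privileged consents" item for free; the same reason strings double as the revocation ticket text.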
Make AiTM and session theft harder
Prefer phishing-resistant MFA: FIDO2 security keys or passkeys with origin binding.
Conditional Access: block legacy/basic auth, require compliant devices for sensitive apps.
Shorten session lifetimes for high-risk apps; enable sign-in frequency and re-auth on risky events.
Upgrade your mail filtering stack
Open-source options:
Rspamd + Redis + ClamAV; or SpamAssassin for rule-based detection.
Feed intel from OpenPhish, PhishTank, and your MISP instance to your MTA.
Example: Rspamd local rule for HTML attachments calling remote JS. Multimap rules read their patterns from a map file rather than an inline regexp, and the filter is set to decoded text parts so that base64-encoded HTML attachments are inspected too.
local.d/multimap.conf:
    PHISHING_JS_EXTERNALS {
      type = "content";
      filter = "text";   # decoded text parts, including text/html attachments
      regexp = true;     # treat each map line as a regular expression
      map = "/etc/rspamd/local.d/phishing_js.map";
      description = "Suspicious external JS in HTML";
      score = 3.0;
    }
local.d/phishing_js.map (one regexp per line):
    /script\s+src=/i
    /window\.location/i
    /atob\(/i
Add ARC, DNSBLs, and URL rewrites with user warnings for external links.
Push safe browsing habits that actually work
Hover or long-press to preview real domains; beware homographs and subdomain bait (login.example.com.attacker.tld).
Open unknown links in an isolated browser profile or disposable VM session (devs: containers help!).
Treat QR codes like unknown URLs — verify source, preview destination, prefer manual navigation.
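The hover and QR habits above come down to one question: what host does this link really resolve to, and does it merely wear a brand's name? The block below is an added example, not code from the original post, that answers it for a pasted URL (or one decoded from a QR code): it isolates the real host, decodes punycode to what the browser would display, flags labels that mix ASCII and non-ASCII letters, and catches subdomain bait (login.example.com.attacker.tld) and userinfo bait (brand@attacker.tld). WATCHED_DOMAINS and the last-two-labels heuristic for the registrable domain are assumptions; a production version should use the Public Suffix List.

```python
"""Added example, not from the original post: preview what a link (or a URL
decoded from a QR code) really points at before anyone opens it. WATCHED_DOMAINS
and the registrable-domain heuristic are assumptions: tune the list per org and
use the Public Suffix List in production."""
from urllib.parse import urlsplit

# Brands users would trust on sight (assumed list; extend with your own domains).
WATCHED_DOMAINS = {"example.com", "microsoft.com", "google.com"}


def registrable_domain(host: str) -> str:
    """Last two labels. Crude on purpose: co.uk-style suffixes need the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def decode_punycode(host: str) -> str:
    """Turn xn-- labels into the Unicode the browser would display; fall back to the raw host."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def mixed_script(label: str) -> bool:
    """ASCII letters mixed with non-ASCII letters in one label is the classic homograph tell."""
    has_ascii = any(c.isascii() and c.isalpha() for c in label)
    has_other = any(c.isalpha() and not c.isascii() for c in label)
    return has_ascii and has_other


def inspect_url(url: str) -> dict:
    """Return the real host, its registrable domain and a list of findings (empty = nothing odd)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.username:
        findings.append(f"userinfo '{parts.username}@' is decoration; the real host is {host}")
    if parts.scheme == "http":
        findings.append("plain http: anything typed into this page travels in the clear")
    displayed = decode_punycode(host) if "xn--" in host else host
    if displayed != host:
        findings.append(f"punycode host {host} displays as {displayed}")
    if any(mixed_script(label) for label in displayed.split(".")):
        findings.append("mixed-script label: possible homograph of a familiar brand")
    reg = registrable_domain(host)
    subdomain_labels = host.split(".")[:-2]
    for brand in sorted(WATCHED_DOMAINS):
        brand_label = brand.split(".")[0]
        if reg != brand and brand_label in subdomain_labels:
            findings.append(f"'{brand}' appears as a subdomain of {reg}: subdomain bait")
        if parts.username and brand in parts.username:
            findings.append(f"'{brand}' in userinfo: brand-in-username bait")
    return {"host": host, "registrable": reg, "findings": findings}
```

The useful output for a user is the registrable domain on its own line: if that does not read as the brand they expected, nothing to the left of it matters.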
Make reporting stupidly easy
Add a “Report Phish” button to mail clients that forwards with full headers to your SOC.
Measure “time to report” as a key metric. Celebrate fast reporting, not just non-clicking.
Have a BEC playbook ready
Immediate steps:
Invalidate sessions, rotate creds, audit inbox rules/forwarding.
Check OAuth consents and revoke malicious apps.
Freeze vendor payouts; out-of-band verify any banking changes.
Hunt for secondary compromises (reply-chain victims, finance distro lists).
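The "audit inbox rules/forwarding" step is where most BEC cases are confirmed, so it pays to script it. The block below is an added example, not code from the original post: it triages a mailbox-rule export for the tells attacker-created rules tend to share (external forwarding, forward-and-delete, finance keywords routed into folders nobody reads, throwaway names). The rules are a constructed sample in a Graph-style shape; the internal-domain set, the folder list and the finance terms are assumptions to adjust per tenant.

```python
"""Added example, not from the original post: triage mailbox inbox rules during a
BEC response. The rules below are a constructed sample; INTERNAL_DOMAINS,
HIDING_FOLDERS and FINANCE_TERMS are assumptions to tune per tenant."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: your own accepted domains
# Folders people rarely open, favoured for hiding tampered threads.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remit", "ach")

SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "..",
     "conditions": {"bodyContains": ["invoice", "wire transfer"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"mailbox": "cfo@example.com", "name": "Backup copy",
     "conditions": {},
     "actions": {"forwardTo": ["cfo.backup@personal-mail.example"], "delete": True}},
    {"mailbox": "ap@example.com", "name": "Vendor folder",
     "conditions": {"senderContains": ["vendor.example"]},
     "actions": {"moveToFolder": "Vendors"}},
]


def rule_findings(rule: dict) -> list:
    """Reasons a single rule looks attacker-made; empty means it matched no pattern."""
    actions, conds = rule["actions"], rule["conditions"]
    findings = []
    targets = actions.get("forwardTo", []) + actions.get("redirectTo", [])
    external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append(f"forwards or redirects to external address(es) {external}")
    if targets and actions.get("delete"):
        findings.append("forward-and-delete: the owner never sees the message")
    folder = actions.get("moveToFolder", "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail into rarely read folder '{actions['moveToFolder']}'")
    keywords = [k.lower() for k in conds.get("subjectContains", []) + conds.get("bodyContains", [])]
    hidden = folder in HIDING_FOLDERS or bool(actions.get("delete"))
    if hidden and any(term in k for k in keywords for term in FINANCE_TERMS):
        findings.append("finance keywords routed out of sight: invoice-tampering pattern")
    if len(rule["name"].strip(" .")) <= 1:
        findings.append(f"throwaway rule name {rule['name']!r}")
    return findings


def audit_rules(rules: list) -> list:
    """(mailbox, rule name, findings) for every rule that tripped at least one pattern."""
    flagged = []
    for rule in rules:
        found = rule_findings(rule)
        if found:
            flagged.append((rule["mailbox"], rule["name"], found))
    return flagged
```

Run it across every mailbox in the finance distribution lists, not just the one that raised the alarm: reply-chain victims usually carry a near-identical rule.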
Security implications worth calling out
Deepfakes meet BEC: Voice cloning raises the stakes for “urgent CEO call” pretexts. Always enforce out-of-band verification for money movement, regardless of caller voice.
Calendar and chat are in scope: Malicious .ics invites can embed links; Teams/Slack apps can request dangerous scopes. Apply the same consent governance you use for email-integrated apps.
Supply-chain interlocks: If a vendor gets popped, reply-chain phishing will look legit. DMARC reduces spoofing but doesn’t help if the adversary is sending from a real but compromised vendor inbox. Build vendor verification rituals and secondary controls for payment changes.
Data exfil “by design”: OAuth consents can turn into durable backdoors that survive password resets and MFA re-enrollment. Always review and revoke app grants after an incident.
Program metrics that matter
Report rate and time-to-report: Leading indicators that culture is working.
Phish resilience: Ratio of report-to-click per campaign sophistication tier.
Control coverage: Percent of users on FIDO2/passkeys; DMARC alignment rate; OAuth risky scopes blocked by policy.
Incident containment time: From detection to session revocation and consent cleanup.
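To make the first two metrics concrete, here is an added example (not from the original post) that computes report rate, click rate, the report-to-click resilience ratio and median time-to-report per campaign tier from per-user outcomes of a simulated phish, and names the tier where resilience is weakest. The outcomes are a constructed sample; minutes count from the moment the lure was delivered, and a user who clicked and then reported still counts as a report, which is the "celebrate fast reporting" point above.

```python
"""Added example, not from the original post: programme metrics from per-user
outcomes of a simulated campaign. SAMPLE_OUTCOMES is constructed; minutes are
measured from delivery of the lure."""
from statistics import median


def outcome(tier, reported_min=None, clicked_min=None):
    """One user's result for one lure; None means the action never happened."""
    return {"tier": tier, "reported_min": reported_min, "clicked_min": clicked_min}


# Tier 1: generic lure. Tier 3: tailored lure built on a real workflow pretext.
SAMPLE_OUTCOMES = (
    [outcome(1, reported_min=m) for m in (3, 5, 8, 12, 20, 45)]
    + [outcome(1, clicked_min=2)]
    + [outcome(1) for _ in range(3)]
    + [outcome(3, reported_min=15, clicked_min=1),  # clicked, then reported: still a report
       outcome(3, reported_min=60)]
    + [outcome(3, clicked_min=4) for _ in range(4)]
    + [outcome(3) for _ in range(4)]
)


def campaign_metrics(outcomes: list) -> dict:
    """Per-tier: sent, report_rate, click_rate, resilience (reports per click), median_ttr_min."""
    by_tier = {}
    for o in outcomes:
        by_tier.setdefault(o["tier"], []).append(o)
    metrics = {}
    for tier, rows in sorted(by_tier.items()):
        sent = len(rows)
        reports = [r["reported_min"] for r in rows if r["reported_min"] is not None]
        clicks = sum(1 for r in rows if r["clicked_min"] is not None)
        metrics[tier] = {
            "sent": sent,
            "report_rate": len(reports) / sent,
            "click_rate": clicks / sent,
            # None when nobody clicked: the ratio is undefined, not infinite.
            "resilience": len(reports) / clicks if clicks else None,
            "median_ttr_min": median(reports) if reports else None,
        }
    return metrics


def weakest_tier(metrics: dict):
    """Tier with the lowest resilience: where training and controls should focus next."""
    scored = {t: m["resilience"] for t, m in metrics.items() if m["resilience"] is not None}
    return min(scored, key=scored.get) if scored else None
```

Track these per tier over time rather than as one blended number: a falling click rate on tier 1 lures says little if tier 3 resilience is flat.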
Community angle: we’re stronger together
Contribute IOCs to MISP and share anonymized lures with peers.
Submit samples to PhishTank/OpenPhish to improve community detection.
Report scams to national CERTs and APWG to help the wider ecosystem.
Advocate for passkeys and FIDO2 at your org — each deployment shrinks attacker ROI.
If you only do three things this quarter
Turn on admin-only consent for high-privilege OAuth scopes; review existing enterprise apps.
Move DMARC from p=none to p=quarantine/reject with proper monitoring.
Pilot FIDO2/passkeys with finance, HR, and exec assistants — the highest BEC targets.
Final thought
Phishing isn’t a tech problem or a human problem — it’s both. Think layered defenses, assume clever social engineering, and keep iterating. Like any good anime squad, your stack needs balanced roles: strong auth (the tank), smart filtering (the scout), fast IR (the healer), and a community-fed intel loop (the strategist).