
October 2025 Trends Report on Phishing Emails

Severity: Medium
Published: Thu Nov 20 2025 (11/20/2025, 14:45:53 UTC)
Source: AlienVault OTX General

Description

In October 2025, phishing emails predominantly delivered Trojan malware via attachments, accounting for 47% of cases. These attachments included scripts, documents, and compressed files, notably RAR archives containing JavaScript files. The phishing campaigns also involved distribution of Remcos RAT malware and used document attachments to download additional payloads. Korean phishing emails were specifically analyzed, revealing targeted case names, subjects, and attachment filenames. The report highlights evolving tactics such as increased use of compressed JS files and exploitation of OLE objects within documents. The threat leverages multiple MITRE ATT&CK techniques including persistence, command execution, and credential access. This medium-severity campaign poses significant risks through social engineering and malware delivery via email attachments, requiring focused defensive measures. No known exploits in the wild are reported, but the widespread use of common file formats and compression methods increases the attack surface. European organizations should be vigilant against these evolving phishing tactics and malware payloads.

AI-Powered Analysis

Last updated: 11/20/2025, 22:24:42 UTC

Technical Analysis

The October 2025 Trends Report on Phishing Emails reveals that Trojans remain the dominant malware type delivered via phishing email attachments, constituting 47% of observed cases. The report analyzes six months of data, showing shifts in threat distribution and attachment file types. Phishing emails commonly use script files, document files (often embedding OLE objects), and compressed archives (notably RAR files containing JavaScript). These attachments serve as vectors to deploy malware such as Remcos RAT, a remote access Trojan capable of extensive system control and data exfiltration. Document attachments frequently act as droppers, downloading additional malicious payloads post-execution. The rise in compressed JS files within RAR archives indicates adversaries’ efforts to evade detection by leveraging nested compression and scripting. The report also includes a focused examination of Korean phishing campaigns, detailing specific case names, email subjects, and attachment filenames, illustrating targeted social engineering approaches. The campaign employs multiple MITRE ATT&CK techniques including T1547 (persistence), T1071 (command and control communication), T1555 (credential access), T1059 (command execution), T1102 (data transfer), T1204 (user execution), T1566 (phishing), T1027 (obfuscated files), T1573 (encrypted channel), and T1132 (data encoding). While no known exploits in the wild are reported, the combination of social engineering, common file formats, and compression techniques increases the likelihood of successful compromise. The report provides actionable intelligence including file hashes for detection and highlights the evolving nature of phishing threats, emphasizing the need for enhanced email security and user awareness.

Potential Impact

European organizations face significant risks from this phishing campaign due to the widespread use of email as a primary communication channel and the prevalence of Microsoft Office and Windows environments that support the exploited attachment types. Successful delivery and execution of Trojans like Remcos RAT can lead to unauthorized remote access, data theft, credential compromise, and lateral movement within networks, potentially impacting confidentiality, integrity, and availability of critical systems. The use of compressed JS files and document droppers complicates detection, increasing the chance of infection. Industries with high email dependency, such as finance, healthcare, government, and manufacturing, are particularly vulnerable. The campaign’s medium severity reflects moderate ease of exploitation combined with significant potential damage. Given the global nature of phishing and malware distribution, European entities with less mature email filtering or endpoint protection may experience higher impact. Additionally, the presence of Korean phishing campaigns suggests potential targeting of organizations with business ties to Asia, increasing risk for multinational companies. The evolving tactics also indicate a persistent threat landscape requiring continuous adaptation of defenses.

Mitigation Recommendations

1. Implement advanced email filtering solutions capable of detecting and blocking malicious attachments, especially scripts, compressed archives (RAR), and documents with embedded OLE objects.
2. Deploy endpoint detection and response (EDR) tools with behavioral analysis to identify execution of suspicious scripts and payloads like Remcos RAT.
3. Enforce strict attachment handling policies, including sandboxing and detonation of attachments before delivery to end users.
4. Conduct targeted user awareness training emphasizing the risks of opening unexpected attachments and recognizing phishing indicators, particularly for emails with compressed JS files or document downloaders.
5. Use multi-factor authentication (MFA) to limit the impact of credential theft.
6. Regularly update and patch email clients, document readers, and operating systems to reduce exploitation of known vulnerabilities.
7. Monitor network traffic for anomalous command and control communications consistent with MITRE ATT&CK techniques T1071 and T1573.
8. Employ threat intelligence feeds to block known malicious hashes and domains associated with this campaign.
9. Implement strict execution policies for scripts and macros, disabling them by default unless explicitly required and verified.
10. Conduct regular phishing simulations to test and improve organizational resilience against such campaigns.
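The following attachment triage routine is an added example (not code from the report, AhnLab or AlienVault) showing how recommendations 1, 3 and 8 can be applied at a mail gateway: it flags archives carrying script files (the RAR-wrapped JS pattern), OOXML documents with embedded OLE objects, legacy OLE compound files, and attachments whose hash matches an IoC list. It uses the standard-library `zipfile` module; RAR archives need the third-party `rarfile` package, with identical member checks. The IoC hash and all sample attachments are constructed placeholders, not values from the pulse.

```python
import hashlib
import io
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy OLE compound-file header
IOC_HASHES = {hashlib.sha256(b"constructed malicious sample").hexdigest()}  # placeholder; load the pulse's values

def zip_members(data: bytes) -> list:
    """Member names if data is a ZIP (use the rarfile package for RAR; the checks are identical)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(filename: str, data: bytes, iocs=IOC_HASHES) -> list:
    """Reasons to hold an attachment for sandboxing; an empty list means no finding."""
    reasons = []
    digests = {hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}
    if iocs.intersection(digests):
        reasons.append("hash matches IoC list")
    if filename.lower().endswith(SCRIPT_EXTS):
        reasons.append("script file attached directly")
    members = zip_members(data)
    scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTS)]
    if scripts:  # the archive-wrapped .js pattern from the report
        reasons.append("archive contains script files: " + ", ".join(scripts))
    if any("/embeddings/" in m.lower() for m in members):  # OOXML stores OLE objects here
        reasons.append("document embeds OLE objects")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE compound document; inspect embedded objects")
    return reasons

def make_zip(members: dict) -> bytes:  # builds an in-memory ZIP from {name: bytes} for the samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo() -> dict:
    """Constructed samples mirroring the attachment types the report describes."""
    samples = {
        "invoice.zip": make_zip({"invoice.pdf.js": b"// constructed stand-in script"}),
        "order.docx": make_zip({"word/document.xml": b"<w/>", "word/embeddings/oleObject1.bin": b"x"}),
        "old.bin": b"constructed malicious sample",
        "notes.txt": b"plain text, nothing to see",
    }
    return {name: triage(name, data) for name, data in samples.items()}
```

Attachments with a non-empty result are candidates for the sandbox detonation in recommendation 3 rather than direct delivery.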


Technical Details

Author
AlienVault
Tlp
white
References
https://asec.ahnlab.com/en/91060
Adversary
null
Pulse Id
691f29a13e05e0fd549183e7
Threat Score
null

Indicators of Compromise

Hash


Threat ID: 691f9295b342c1dca420b6ad

Added to database: 11/20/2025, 10:13:41 PM

Last enriched: 11/20/2025, 10:24:42 PM

Last updated: 11/21/2025, 11:56:44 AM

Views: 12
