Summary: Mimecast’s 2025 Threat Intelligence Report
Why attackers are ignoring your security stack and targeting your people instead
Key Points
- Exploiting trust works better than exploiting code, and cybercriminals have industrialized the process.
- Our industry analysis reveals that attackers don't just target organizations — they target entire sectors with specialized playbooks designed around industry workflows.
- What makes 2025 different: attackers have professionalized their operations, combining email with phone calls and video conferences and weaponizing the legitimate remote management tools IT teams already use.
- The 2025 Global Threat Intelligence Report offers comprehensive threat actor profiles with IOCs, industry-specific threat analysis, technical indicators, and actionable defense strategies.
Your email gateway caught the phishing attempt. Your endpoint protection blocked the malware. Your firewall stopped the intrusion. And yet, your finance team just wired $180,000 to a fraudulent account after receiving a legitimate-looking DocuSign request followed by a convincing phone call from someone claiming to be your CFO.
Welcome to 2025, where the most dangerous threats don't break through your defenses; they walk right past them using tools you already trust and voices that sound eerily familiar.
The data tells a different story
Between January and September 2025, Mimecast analyzed more than 24 trillion data points across nearly 43,000 customers, flagging over 9.13 billion threats. What we found should concern every security leader: attackers have fundamentally changed their approach, and traditional security controls are struggling to keep pace.
Phishing now accounts for 77% of all attacks, up from 60% in 2024. But these aren't the clumsy phishing attempts of years past. ClickFix attacks — where users are tricked into running malicious commands — surged 500% in just six months. Business email compromise campaigns now feature AI-generated conversation chains that perfectly mimic your vendors and executives, complete with appropriate terminology and realistic urgency. Attackers routinely abuse DocuSign, SharePoint, PayPal, and SendGrid because these services bypass your security controls by design.
We detected more than 2 million malicious SVG files using social engineering lures, and over 900,000 instances where attackers used CAPTCHAs to block security researchers from analyzing their infrastructure. The uncomfortable truth: exploiting trust works better than exploiting code, and cybercriminals have industrialized the process.
What makes 2025 different
Cybercriminals have professionalized their operations in ways that fundamentally challenge traditional defense models. They're combining email with phone calls and video conferences to create multi-channel attacks that feel authentic and bypass email security entirely. During these conversations, they use real-time persuasion to answer questions and overcome skepticism, techniques that AI-generated voices and deepfake technology make increasingly convincing.
They're weaponizing legitimate remote management tools that your IT team uses daily, such as ScreenConnect, TeamViewer, and AnyDesk, to gain persistent access without triggering security alerts. They're hiding malicious code in image files and using legitimate business services as attack infrastructure, making detection extraordinarily challenging.
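The malicious SVG files mentioned above and the "malicious code in image files" described here share one property a defender can check for: an SVG stops being a picture and starts being a web page as soon as it carries script elements, event-handler attributes, or script-scheme links. The following is an added example, not code from the report or from Mimecast; it assumes an attachment pipeline that hands the decoded SVG text to the function, and both sample files are constructed for illustration (the hostname is the reserved `.invalid` TLD).

```python
"""Flag SVG attachments that carry active content (added example, not Mimecast's code)."""
import xml.etree.ElementTree as ET

# Elements and URI schemes that turn an "image" into executable web content.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
ACTIVE_URI_PREFIXES = ("javascript:", "data:text/html", "vbscript:")

# Constructed samples: a plain icon, and a lure-style file with a script and an onload handler.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <circle cx="12" cy="12" r="10" fill="#0a0"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="20">Document ready - click to view</text>
  <a xlink:href="https://example.invalid/landing"><rect width="100" height="30"/></a>
  <script>window.location = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=");</script>
</svg>"""


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def analyze_svg(data: str) -> list[str]:
    """Return findings tagged 'high:' (active content) or 'info:' (worth review)."""
    findings: list[str] = []
    try:
        # In production use defusedxml here so entity-expansion bombs cannot stall the scanner.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file the parser rejects may still render in a browser; treat it as evasion, not noise.
        return [f"high: malformed XML ({exc})"]
    for elem in root.iter():
        tag = _local(elem.tag).lower() if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"high: <{tag}> element present")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            v = value.strip().lower()
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"high: event handler {name} on <{tag}>")
            elif name == "href" and v.startswith(ACTIVE_URI_PREFIXES):
                findings.append(f"high: script/HTML URI in href on <{tag}>")
            elif name == "href" and v.startswith(("http://", "https://")):
                findings.append(f"info: external link {value.strip()} on <{tag}>")
    return findings


def is_suspicious(data: str) -> bool:
    """True when any finding is severe enough to quarantine the attachment."""
    return any(f.startswith("high:") for f in analyze_svg(data))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", SUSPICIOUS_SVG)):
        print(label, is_suspicious(sample), analyze_svg(sample))
```

The split between "high" and "info" matters in practice: external links alone appear in plenty of legitimate SVG exports, so quarantining on them would bury the analyst, whereas a script element or event handler has no place in an emailed image and is safe to block outright.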
And they're getting increasingly sector-specific. Our industry analysis reveals that attackers don't just target organizations. They target entire sectors with specialized playbooks designed around industry workflows. For example:
- Real estate companies face disproportionate phishing attacks driven by high-value wire transfers.
- Manufacturing encounters more malware targeting intellectual property.
- Professional education deals with persistent impersonation attacks.
These aren't random; they're calculated operations that exploit sector-specific vulnerabilities.
What you'll find in the full report
Our 2025 Global Threat Intelligence Report goes beyond identifying threats to provide security teams with intelligence they can act on immediately:
- Threat actor profiles tracking the most prolific operations targeting organizations globally, including Scattered Spider's sophisticated social engineering campaigns, UAC-0050's information warfare operations, and emerging financially motivated groups exploiting trusted notification services. Each profile details their tactics, infrastructure preferences, targeted sectors, and behavioral patterns — with direct links to indicators of compromise and technical analysis for immediate threat hunting and detection tuning.
- Industry-specific threat analysis revealing which attack types hit your sector hardest and why. Understand what makes your industry attractive to specific threat actors, where your blind spots exist, and how to prioritize defenses where they matter most for your organization.
- Technical deep dives into living off trusted services (LOTS), collaboration platform threats, novel obfuscation methods, and the systematic abuse of notification services. Each section includes real campaign examples, attack chain analysis, and technical indicators your team can use to strengthen detection capabilities.
- Practical recommendations for every major threat category. We don't just identify problems. We provide specific, actionable steps security teams can implement to harden business environments, from establishing multi-channel verification protocols for BEC attacks to deploying controls for collaboration platforms that balance security with productivity.
- Vulnerability intelligence analyzing the top exploited vulnerabilities by age, severity, and actual exploitation rates. Learn which vulnerabilities attackers actively weaponize versus which ones generate noise, helping your team focus remediation efforts where they'll have the greatest impact.
The bottom line
The 2025 threats demand a fundamental shift from reactive security measures to proactive human risk management. Technical controls remain essential, but they're no longer sufficient when attackers route operations through the very services your business depends on and target the people who use them.
Organizations that understand current attacker methodology, train employees to recognize sophisticated social engineering, and implement verification processes for high-risk transactions will be far better positioned than those still fighting yesterday's threats with yesterday's playbook.
The complete report provides the threat intelligence, technical analysis, and defense strategies your security team needs to adapt to this evolving landscape.
Download the 2025 Global Threat Intelligence Report to access comprehensive threat actor profiles with IOCs, industry-specific threat analysis, technical indicators, and actionable defense strategies that address how attackers actually operate in 2025.