In October of last year, phishing statistics showed a tactical evolution: 40% of business-targeted phishing emails were AI-generated, producing perfectly personalized, grammatically flawless lures that eliminate the traditional detection markers. Attackers are weaponizing legitimate platforms: Figma for credential theft (49% linked to Storm-1747), fake Google Careers pages, and ClickUp redirect chains, all used to bypass email filters and URL reputation checks. PDF-based QR code phishing has surged as the primary attack vector, replacing QR codes placed directly in the email body, because it pushes victims onto mobile devices that lack enterprise security controls. The TyKit phishing kit demonstrates the new baseline: SVG-embedded obfuscated JavaScript, Cloudflare Turnstile CAPTCHA chains, and multi-stage verification pages designed to evade security bots, while revived calendar injection attacks add malicious events directly to corporate calendars, triggering phishing attempts through meeting reminders even when users ignore the original email. Most significantly, attackers have shifted from attachments to links: 86% of malicious emails now use links, versus the prior quarter's 78% preference for attachments, with URL redirection (48%) and file-hosting service abuse (26%, up from just 6%) dominating delivery infrastructure. Adversaries are optimizing for speed, scale, and evasion over traditional malware-based compromise.
86% of malicious spam emails used links rather than attachments, a reversal from the prior quarter's 78% attachment rate and a clear tactical shift in delivery method. When attachments are used, the most common malicious types are ZIP (62%), DOCM/DOCX (16%), HTML (12%), and XLSX (10%). Attackers are weaponizing trust by abusing legitimate platforms, layering evasion with CAPTCHAs and multi-stage redirects, and leveraging AI to eliminate traditional detection markers. The shift from attachments to links, combined with mobile targeting via QR codes, shows attackers are optimizing for the weakest point in the chain: users on personal devices without enterprise controls.
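The indicators above (link-based delivery, risky attachment types, SVG with embedded script, QR codes carried in PDFs, calendar invites that carry the lure, redirect chains and file-hosting abuse) are all things a mail gateway or SOC triage script can surface before a user ever sees the message. The following is an added example, not code from the original post or from any vendor's product: a small Python triage routine that walks a MIME message and reports which of these patterns it sees. The file-hosting domain list, the redirect-parameter names, the PDF heuristic and the sample message are all constructed assumptions for illustration.

```python
"""Triage an inbound email for the delivery patterns discussed above.

Added example with constructed data: the sample message, the domain list
and the heuristics are illustrative placeholders, not data from the post.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the post reports as the most common malicious ones.
RISKY_EXTENSIONS = {"zip", "docm", "docx", "html", "htm", "xlsx"}

# Assumption: a short illustrative list of file-hosting services; a real
# deployment would use a maintained list instead.
FILE_HOSTING_DOMAINS = {"drive.google.com", "dropbox.com", "onedrive.live.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# A query parameter carrying a second absolute URL: typical of redirect chains.
REDIRECT_PARAM_RE = re.compile(r"[?&](?:url|redirect|redir|target|dest)=https?://", re.IGNORECASE)
# A script tag or inline event handler inside an SVG: SVG-embedded JavaScript.
SVG_SCRIPT_RE = re.compile(r"<script\b|\bon(?:load|error|click)\s*=", re.IGNORECASE)


def _host(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _is_file_hosting(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)


def triage(raw: bytes) -> dict:
    """Return the delivery method, extracted URLs and a sorted list of indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, urls, attachments = set(), [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        ext = fname.rsplit(".", 1)[-1] if "." in fname else ""
        payload = part.get_payload(decode=True) or b""   # None for multipart containers
        text = payload.decode("utf-8", errors="ignore")
        if part.is_attachment():
            attachments += 1
        if ctype == "text/calendar" or ext == "ics":
            # Calendar injection: the invite itself carries the lure link, so the
            # reminder fires even if the email is never opened.
            cal_urls = URL_RE.findall(text)
            if cal_urls:
                findings.add("calendar_invite_with_link")
                urls.extend(cal_urls)
        elif ctype in ("text/plain", "text/html") and not part.is_attachment():
            urls.extend(URL_RE.findall(text))
        if ext in RISKY_EXTENSIONS:
            findings.add(f"risky_attachment:{ext}")
        if (ctype == "image/svg+xml" or ext == "svg") and SVG_SCRIPT_RE.search(text):
            findings.add("svg_embedded_script")
        if ctype == "application/pdf" or ext == "pdf":
            # Heuristic only: a QR-code lure is an embedded image object; decoding
            # the QR itself would need an image library.
            if re.search(rb"/Subtype\s*/Image", payload):
                findings.add("pdf_with_embedded_image")
    for url in urls:
        if _is_file_hosting(_host(url)):
            findings.add(f"file_hosting_link:{_host(url)}")
        if REDIRECT_PARAM_RE.search(url):
            findings.add("open_redirect_pattern")
    if urls and attachments:
        delivery = "both"
    elif urls:
        delivery = "link"
    elif attachments:
        delivery = "attachment"
    else:
        delivery = "none"
    return {"delivery": delivery, "urls": urls, "findings": sorted(findings)}


def build_sample() -> bytes:
    """Constructed message that exercises every indicator; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: updated onboarding document"
    msg.set_content(
        "Please review the document here:\n"
        "https://drive.google.com/file/d/PLACEHOLDER/view\n"
        "Or: https://portal.example.com/go?url=https://lure.example.net/login\n"
    )
    ics = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
           "SUMMARY:Mandatory HR session\r\n"
           "DESCRIPTION:Join via https://lure.example.net/meet\r\n"
           "END:VEVENT\r\nEND:VCALENDAR\r\n")
    msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>'
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="logo.svg")
    pdf = b"%PDF-1.4\n1 0 obj << /Type /XObject /Subtype /Image /Width 200 /Height 200 >> endobj\n%%EOF\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="scan-to-view.pdf")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder", maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The routine deliberately stops at indicators rather than a verdict: a single file-hosting link is normal in most organizations, whereas a calendar invite carrying a link plus an SVG with script in the same message is what a SOC would want escalated, so the sorted findings list is meant to feed a scoring or rule layer rather than block mail on its own.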
Even the most seasoned cybersecurity vets have to really take a moment to analyze emails, texts, or calendar invites they are not expecting. A good rule to live by in the cyberverse is to have a zero-trust mindset: if you aren't expecting it, treat it like the enemy that could cost you your identity or your company millions. I personally have discarded legitimate emails and texts due to new numbers being used or events I wasn't aware of. This is a move in the opposite direction that I think is the best defense against today's ever-evolving phishing sophistication - be hard to get a hold of, because the people you actually know will know how to find you if you ignore them. And who legitimately sends you QR codes in PDFs anyway?…
We’ll see what 2026 has in store for us defenders concerning the latest and greatest the adversaries have cooking. If this year is anything like 2025, I’m sure we’ll see as much innovation from threat actors as we see on our side. Let’s just hope the Blue Teams out there can keep up with them.
