The Hoxhunt 2025 Cyber Threat Intelligence Report delivers a sobering message for security professionals: the most dangerous threats are no longer the most obvious ones. As 2026 approaches, enterprises are no longer fighting clumsy, error-riddled bulk spam; they are facing a quiet revolution where sophisticated, convincing attacks blend seamlessly into daily workflows, fueled by AI and advanced token-theft toolkits.
The report, based on millions of user-reported emails that bypassed existing filters, reveals that the primary challenge is no longer filtering for known bad—it's training people to question the seemingly "normal."
The threat landscape in 2025 was defined by quiet stealth and the normalization of deception. The report identifies several key tactical shifts and statistics:
- The AI baseline: Attackers are using generative AI to polish classic phishing techniques, producing cleaner language, flawless grammar, and convincing formatting. This fundamentally undermines the classic security advice to "look for typos."
- The SVG surge: Attackers have weaponized new file types to evade filters. Malicious SVG (Scalable Vector Graphics) attachments surged, growing 50-fold compared to 2024 volumes; an SVG is an XML document that can carry script and event handlers, so it looks like a harmless image while executing code when rendered. Meanwhile, the once-popular malicious QR codes declined dramatically, appearing in less than 2% of malicious emails in H1 2025.
- The lateral phish: Attackers are increasingly abusing legitimate, trusted third-party services. Misuse of Salesforce tripled in the first half of the year, rising from 0.6% of all domains used in phishing in January to 1.8% in June 2025.
- Top senders: The free consumer webmail provider gmail.com accounted for 20% of sender domains in malicious emails that bypassed filters.
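To make the SVG point concrete, here is an added example, not code from the report or from Hoxhunt, of a parse-based scanner that flags the active content an SVG attachment can carry: script elements, event-handler attributes, and javascript: URIs (including one obfuscated with an XML character reference). The two sample SVGs and the lure.example domain are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements that let an SVG run script or embed foreign (HTML) content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URI schemes that execute when a browser follows the href/src.
EXECUTABLE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed samples for illustration; they are not taken from the report.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="28" fill="#0a66c2"/>
</svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="top.location='https://lure.example/'">
  <a xlink:href="java&#10;script:alert(document.domain)">
    <text x="10" y="20">Open document</text>
  </a>
  <script><![CDATA[ top.location = 'https://lure.example/login'; ]]></script>
</svg>"""


def _local_name(qualified: str) -> str:
    """Strip ElementTree's namespace prefix: '{http://...}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(svg: bytes) -> List[str]:
    """Return the reasons an SVG should be treated as active content.

    An empty list means this check found no script-bearing construct; it does
    not prove the file is harmless (external <use> references, for example,
    are out of scope here).
    """
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        # Malformed XML cannot be inspected: fail closed.
        return [f"unparseable XML ({exc})"]

    findings: List[str] = []
    for elem in root.iter():
        tag = _local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local_name(attr)
            if name.startswith("on"):
                # onload=, onclick=, onmouseover=, ... run JavaScript when rendered inline.
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in ("href", "src"):
                # Drop whitespace (including decoded &#10; newlines) used to dodge naive matching.
                normalized = "".join(value.split()).lower()
                if normalized.startswith(EXECUTABLE_SCHEMES):
                    findings.append(f"{name}= executable URI on <{tag}>")
    return findings


def verdict(svg: bytes) -> str:
    """Mail-flow decision for the attachment: quarantine anything with active content."""
    return "quarantine" if scan_svg(svg) else "allow"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, verdict(sample), scan_svg(sample))
```

In production, parse with defusedxml rather than the stdlib parser so that entity-expansion tricks cannot exhaust the scanner, and apply the same check to SVGs wrapped in HTML attachments and to gzip-compressed .svgz files.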
The report highlights three major strategic developments that security teams must address immediately.
1. The rise of token theft and AitM kits
The most critical technical trend is the increased adoption and commoditization of Adversary-in-the-Middle (AitM) phishing kits.
- These toolkits are now easier to deploy and capable of intercepting logins in real time to capture session tokens in addition to passwords.
- This is a game-changer because AitM attacks circumvent traditional MFA (such as SMS codes or push approvals): the kit relays the entire login, including the MFA step, so the factor succeeds and the attacker captures the session token issued afterward. Identity protection can no longer rely solely on legacy MFA prompts.
"AitM kits have fundamentally changed the authentication threat model," said Pyry Avist, Co-Founder and CTO at Hoxhunt. "They harvest session tokens in real time, which means an attacker can bypass MFA. This is one of the clearest signs that attackers are shifting their focus from stealing passwords to hijacking identity itself."
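Why the phishing-resistant MFA (FIDO2/passkeys) that the report recommends below blunts this relay, shown as an added worked model that is not code from the report or from Hoxhunt: a WebAuthn assertion is signed over the page origin and the rpId hash, so a proxy on a lookalike domain can neither obtain a usable assertion nor rewrite one it has. The domain names, the HMAC secret standing in for the authenticator's P-256 key pair, and the simplified authenticatorData layout are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict

# Assumed names for the real relying party (RP) and the attacker's lookalike proxy.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"

# Authenticator storage: credentials are scoped to the rpId they were registered for.
# Simplification: an HMAC secret stands in for the P-256 key pair; the RP side below
# reuses it as if it were the stored public key.
_CREDENTIALS: Dict[str, Dict[str, bytes]] = {
    RP_ID: {"id": b"cred-1", "key": secrets.token_bytes(32)}
}


def _host(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str,
                          enforce_rp_id: bool = True) -> dict:
    """Model of navigator.credentials.get() plus the authenticator.

    The browser only allows an rpId equal to the page's host or a suffix of it
    (registrable-suffix rules simplified), and the authenticator only finds
    credentials scoped to that rpId. enforce_rp_id=False exists purely to show
    what the RP-side checks would still catch if the browser check were absent.
    """
    host = _host(page_origin)
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"browser refused rpId {rp_id!r} for origin {page_origin!r}")
    cred = _CREDENTIALS.get(rp_id)
    if cred is None:
        raise ValueError(f"no credential registered for rpId {rp_id!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags || signCount (simplified layout)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"id": cred["id"], "client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred["key"], signed, hashlib.sha256).digest()}


def rp_verify(assertion: dict, expected_challenge: str) -> bool:
    """The RP's checks: challenge, origin, rpIdHash, then the signature over both."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(_CREDENTIALS[RP_ID]["key"], signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def direct_login() -> bool:
    """Victim on the real origin: the assertion verifies."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def aitm_login(rp_id: str = RP_ID, enforce_rp_id: bool = True,
               forge_origin: bool = False) -> bool:
    """AitM: the proxy relays the RP's real challenge (and an rpId of its choosing)
    to a victim whose browser is on PHISH_ORIGIN, then relays the result to the RP."""
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, rp_id, challenge, enforce_rp_id)
    except ValueError:
        return False  # the browser never produced an assertion to relay
    if forge_origin:
        # Proxy rewrites clientDataJSON to claim the real origin; the signature no longer covers it.
        cd = json.loads(assertion["client_data"])
        cd["origin"] = RP_ORIGIN
        assertion["client_data"] = json.dumps(cd).encode()
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print("direct:", direct_login())
    print("aitm, real rpId:", aitm_login())
    print("aitm, proxy's own rpId:", aitm_login(rp_id="login-example.com"))
    print("aitm, no browser check:", aitm_login(enforce_rp_id=False))
    print("aitm, forged origin:", aitm_login(enforce_rp_id=False, forge_origin=True))
```

Contrast this with an SMS or push factor: the proxy simply forwards the victim's code or waits for the approval, the RP sees a successful login, and the token it issues lands at the proxy; nothing in that exchange is bound to where the victim actually typed.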
2. Routine-workflow impersonation dominates
The most successful lures leverage trust and curiosity by mimicking routine business processes and trusted entities.
- Top impersonated entities: Microsoft, Human Resources (HR), and supply chain third parties.
- High-yield lures: Attacks impersonating HR with themes like "salary increases" or "bonus distribution plans" proved highly effective by exploiting the recipient's curiosity and reward-seeking behavior.
- Voicemail phishing: Voicemail-themed Microsoft impersonations are a persistent and geographically specific threat, appearing more commonly in North America.
"Deepfakes drew the most attention in 2025, but they represented a fraction of what actually reached people. When we analyze the threats that slip past filters, a very different picture usually emerges," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "The real risk comes from attackers quietly improving familiar impersonations that map onto daily business routines."
Aalto added, "Deepfakes may evolve, but human intuition is older than any technology. The same instincts that once helped us sense danger in tall grass and murky water can help employees recognize when a digital interaction feels wrong and report even highly sophisticated attacks."
3. Attacks migrate beyond email
Social engineering is increasingly expanding beyond the email inbox and moving into social platforms and recruitment channels that shape professional identity. Threat actors are targeting platforms like Meta business accounts with fake recruitment or account suspension notices to monetize professional identities.
Looking toward 2026, the report's strategic guidance centers on two core mandates: token-centric technical controls and behavior-first human risk management.
Defenders must assume that attackers can bypass common filters, and must shift their own focus to session-level security:
- Prioritize phishing-resistant MFA: Accelerate the rollout of truly phishing-resistant MFA (e.g., FIDO2/passkeys), especially for administrative and high-risk roles.
- Token-centric IR: Implement a token-centric incident response strategy: on detecting suspicious activity (e.g., post-login changes), revoke tokens first and only then reset credentials, since a password reset alone leaves an already-stolen session token valid.
- Tighten controls: Bind tokens to devices, shorten session lifetimes, and add hunts for anomalies such as the same session ID appearing from different IPs or a mid-session user-agent pivot.
- Scrutinize third-party services: Introduce stricter mail-flow analytics and extra scrutiny for often-misused domains such as Salesforce and Docusign.
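As an added example that is not part of the report, the session-level hunt described above run over a handful of constructed sign-in log lines: it flags a session ID reappearing from a different IP, a mid-session user-agent pivot, and sensitive post-login changes made after such a pivot, then lists the sessions to revoke before any password reset. The JSON field names and the set of sensitive actions are assumptions, not a real product schema.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Account changes an attacker typically makes right after hijacking a session (assumed list).
SENSITIVE_ACTIONS = {"add_mfa_method", "create_inbox_rule", "change_password", "grant_oauth_consent"}

# Constructed sign-in log (JSON Lines); field names are an assumption, not a product schema.
SAMPLE_LOG = """\
{"ts":"2025-06-03T08:01:10Z","session_id":"s-1001","user":"alice","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/125","action":"login"}
{"ts":"2025-06-03T08:04:52Z","session_id":"s-1001","user":"alice","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/125","action":"read_mail"}
{"ts":"2025-06-03T08:06:30Z","session_id":"s-1001","user":"alice","ip":"198.51.100.77","ua":"python-requests/2.32","action":"add_mfa_method"}
{"ts":"2025-06-03T08:07:02Z","session_id":"s-1001","user":"alice","ip":"198.51.100.77","ua":"python-requests/2.32","action":"create_inbox_rule"}
{"ts":"2025-06-03T09:15:00Z","session_id":"s-1002","user":"bob","ip":"203.0.113.22","ua":"Mozilla/5.0 (Macintosh) Safari/17","action":"login"}
{"ts":"2025-06-03T09:20:11Z","session_id":"s-1002","user":"bob","ip":"203.0.113.22","ua":"Mozilla/5.0 (Macintosh) Safari/17","action":"read_mail"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON Lines into event dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def hunt_sessions(events: List[dict]) -> Dict[str, List[str]]:
    """Group events by session ID and return findings for sessions that pivoted.

    A pivot is the session ID being used from an IP or user agent not seen at
    login; any sensitive action after a pivot is reported as well.
    """
    by_session: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    alerts: Dict[str, List[str]] = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        seen_ips, seen_uas = {first["ip"]}, {first["ua"]}
        findings: List[str] = []
        pivoted = False
        for ev in evs[1:]:
            delta = int((ev["ts"] - first["ts"]).total_seconds())
            if ev["ip"] not in seen_ips:
                findings.append(f"ip pivot {first['ip']} -> {ev['ip']} at +{delta}s")
                seen_ips.add(ev["ip"])
                pivoted = True
            if ev["ua"] not in seen_uas:
                findings.append(f"user-agent pivot to {ev['ua']!r} at +{delta}s")
                seen_uas.add(ev["ua"])
                pivoted = True
            if pivoted and ev["action"] in SENSITIVE_ACTIONS:
                findings.append(f"sensitive action {ev['action']} after pivot at +{delta}s")
        if findings:
            alerts[sid] = findings
    return alerts


def sessions_to_revoke(events: List[dict]) -> List[str]:
    """Token-first response: the session IDs to invalidate before any password reset."""
    return sorted(hunt_sessions(events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sid, findings in hunt_sessions(evs).items():
        print(sid)
        for f in findings:
            print("  ", f)
    print("revoke:", sessions_to_revoke(evs))
```

Expect false positives from users who move between Wi-Fi and cellular mid-session; tune the IP rule with ASN or network allowlists, and pair the hunt with device-bound tokens so that a replayed token fails outright instead of merely raising an alert.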
"Phishing evolved in 2025 through refinements to existing kits and tactics rather than through the deepfake disruption that we are preparing for," Avist said. "Generative AI removed many of the traditional indicators people were told to look for, and attachment formats like SVG became effective because they appear harmless while carrying active code. The landscape became more subtle and more engineered."
"We are seeing phishing expand beyond email into recruitment systems, social platforms and other places where identity and communication converge," Avist said. "Security controls need to follow that path. Protecting the inbox is no longer enough because the modern attack surface stretches across every channel where people interact."
The most critical takeaway is to stop teaching employees to look for mistakes and start training them to question the normal.
- Retire outdated advice: Drop the "look for typos" and "be wary of links" advice, as these classic cues have been eliminated by AI.
- Embed the "Pause → Verify → Act" culture: Emphasize a security culture that treats ordinary requests (HR updates, file shares) with the same caution previously reserved for high-urgency scams.
- Targeted training: Use the report's findings (HR impersonation, SVG/HTML attachments, file-sharing baits) to drive realistic simulations. Personalize training content for roles, such as focusing on Meta credential traps for marketing teams.
Some additional key takeaways and data-driven highlights from the report:
- Social-media links in malicious emails increased by 600 percent since 2023, driven largely by compromised business email signatures that contain social media profiles.
- Abuse of Salesforce's mailing service increased threefold in six months, rising from 0.6 percent of malicious emails in January to 1.8 percent in June 2025.
- In Google environments, gmail.com accounted for 30 percent of malicious sender domains, almost twice that of outlook.com at 18 percent.
- In Microsoft environments, gmail.com accounted for 6 percent of malicious sender domains, triple that of outlook.com at 2 percent.
- SVG attachments saw a 50-fold increase in usage compared to 2024, making them one of the fastest-growing attachment types in phishing attacks.
- PDF files remained the top malicious attachment type at 23.7 percent, followed by HTML at 5.6 percent, SVG at 5.0 percent, Word documents at 4.4 percent, and EML files at 1.4 percent.
- Malicious HTML attachments dropped by nearly half, declining from 10 percent of attachment-based attacks in 2024 to 5.6 percent in 2025.
- Malicious QR codes fell tenfold, from more than 20 percent of threats during their 2023 peak to less than 2 percent in the first half of 2025.
- AitM phishing kits standardized session-token theft in 2025, a development that significantly increased the likelihood that attackers could bypass MFA and gain persistent access.
- Recruitment-themed phishing delivered through Salesforce grew sharply, frequently used to compromise business social media accounts and professional identity platforms.
- Redirectors such as google.com/url and http://t.co were heavily abused, frequently masking malicious destinations behind trusted domains.
- Dropbox remained the most common platform for hosting malicious files, maintaining its position as a preferred delivery method for attackers.

