Cybersecurity company Barracuda Networks published its 2025 Email Threats Report, detailing the state of email-based risks that face organizations, worldwide. The findings – which are based on Barracuda threat-detection data – highlight how attackers are shifting malicious links and content into attachments to evade security tool detection.
Barracuda cited advanced AI-based threat detection as “critical” for detecting these hidden threats.
The company noted that upwards of 20 percent of organizations experienced at least one attempted or successful account takeover (ATO) incident per month; typical access was gained through phishing, credential stuffing or exploiting weak/reused passwords. Once inside an account, attackers can steal sensitive data, moving laterally inside the organization while send phishing emails from a “trusted” source.
Findings included:
23 percent of HTML attachments being malicious, making them the most weaponized text file type, with over three-quarters of the malicious files detected being HTML files.
Malicious PDF attachments (68 percent) and malicious Microsoft documents (83 percent) contain QR codes designed to take users to phishing websites.
Bitcoin sextortion scams account for 12 percent of malicious PDF attachments.
47 percent of email domains do not have domain-based message authentication, reporting and conformance (DMARC) configured to protect against unauthorized use, including spoofing and impersonation attacks.
24 percent of incoming emails are now malicious or unwanted spam.
“Email remains the most common attack vector for cyberthreats because it provides an easy entry point into corporate networks,” said Olesia Klevchuk, product marketing director, email protection, Barracuda. “Malicious email attachments, QR codes and URLs are used by attackers to distribute malware, launch phishing campaigns and exploit vulnerabilities. Many organizations increase their risk level by failing to implement DMARC, making it possible for attackers to impersonate their brand and implement fraudulent attacks. Organizations need to mitigate the risks by implementing best practice industry standards and adopting a multi-layered approach to email security, leveraging AI-driven threat detection to spot attacks hidden in attachments and malicious websites.”
The report contains proprietary Barracuda research, gathered in February, that analyzed nearly 670 million malicious, spam or unwanted emails.
