![[The AI Show Episode 153]: OpenAI Releases o3-Pro, Disney Sues Midjourney, Altman: “Gentle Singularity” Is Here, AI and Jobs & News Sites Getting Crushed by AI Search](https://www.marketingaiinstitute.com/hubfs/ep%20153%20cover.png)
![GrandChase tier list of the best characters available [June 2025]](https://media.pocketgamer.com/artwork/na-33057-1637756796/grandchase-ios-android-3rd-anniversary.jpg?#)
_Brain_light_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[Fixed] How to Recover Unsaved Word Document on Windows 10/11](https://www.pcworld.com/wp-content/uploads/2025/06/How-to-recover-unsaved-word-document-main.png?#)
![Apple Shares New Shot on iPhone Film: 'Big Man' [Video]](https://www.iclarified.com/images/news/97654/97654/97654-640.jpg)
![Apple Still Finalizing Key Parts of Its Foldable iPhone [Kuo]](https://www.iclarified.com/images/news/97655/97655/97655-640.jpg)
![Apple's F1 Camera Rig Revealed [Video]](https://www.iclarified.com/images/news/97651/97651/97651-640.jpg)
5 New Trends In Phishing Attacks On Businesses – Must Aware Threats
Phishing remains one of the most effective ways attackers infiltrate corporate environments. Today’s phishing campaigns are no longer just poorly written emails with obvious red flags. They’re sophisticated, well-disguised, and tailored to exploit trust in everyday tools your teams use. From fileless redirections to abuse of collaboration platforms like Notion, these new tactics are designed […] The post 5 New Trends In Phishing Attacks On Businesses – Must Aware Threats appeared first on Cyber Security News.
Phishing remains one of the most effective ways attackers infiltrate corporate environments. Today’s phishing campaigns are no longer just poorly written emails with obvious red flags.
They’re sophisticated, well-disguised, and tailored to exploit trust in everyday tools your teams use.
From fileless redirections to abuse of collaboration platforms like Notion, these new tactics are designed to bypass email gateways, evade traditional detection tools, and reach your employees where they’re most vulnerable.
Here are five emerging phishing techniques businesses should watch closely in 2025 and how you can detect them faster.
1. SVG Attachments That Look Harmless
One of the newest tricks in the phishing playbook: malicious SVG files. These lightweight vector images can be embedded with JavaScript and designed to look like icons or logos.
When opened, they often lead users to phishing portals or automatically redirect them to credential harvesting pages.
Because SVGs don’t always raise red flags during email filtering or antivirus scans, they’re a clever way to bypass traditional detection.
However, interactive sandboxes like ANY.RUN allow security teams to open SVG attachments in a safe, isolated environment and observe the full attack chain.
View analysis session with malicious SVG attachment
In the following analysis session, a phishing email contained an SVG attachment. Opening the SVG revealed a download link to a malicious PDF file.
Once downloaded and opened using a password provided in the email, the PDF dropped an AsyncRAT payload onto the system.
This kind of deep behavioural visibility is what makes sandboxes like ANY.RUN important for security teams: it replicates real-world user actions and exposes threats that static tools miss, helping you detect and understand attacks before they escalate into breaches.
Cut investigation time, improve detection accuracy, and give your team the visibility they need to stop phishing threats fast - -> Try ANY.RUN now 2. HTML Files That Act Like Legitimate Web Pages
Phishing actors are increasingly using HTML attachments to impersonate login portals, invoices, or legal documents.
These files open locally in the user’s browser, allowing them to bypass web filters and reputation-based detections, making them a stealthy choice for attackers.
In this ANY.RUN analysis session, we see exactly how this tactic plays out:
.webp)
The victim receives a PDF file posing as an official summons from the South African Judiciary.
Inside the PDF, there’s a call-to-action button labeled “PREVIEW YOUR SUMMON DOCUMENT HERE.”
Clicking it opens an embedded HTML file disguised as a Microsoft 365 login page; a fake form built to steal corporate email credentials.
These attacks don’t need a live malicious domain; they exploit user trust, file behavior, and urgency, often without ever touching a flagged IP or URL.
You can see how sandboxes like ANY.RUN give security teams the context they need, not just to see that an HTML file is suspicious, but to understand exactly how it tricks users and what it’s trying to steal.
That level of insight turns reactive alerts into informed action.
3. Redirect Chains That Adapt To The Victim
Some of the most dangerous phishing campaigns don’t rely on obvious lures or immediate traps.
Instead, they use conditional redirection; a stealthy technique where the phishing site decides in real time whether or not to expose its malicious content.
The idea is simple but effective: profile the visitor first and only serve the phishing payload if they meet certain criteria.
If not, send them somewhere completely harmless, like a brand-name website or a generic landing page.
This allows the phishing infrastructure to remain operational longer, avoid automated scanners, and reduce the risk of takedowns.
We saw this tactic in action during a recent Tycoon2FA phishing campaign:
The user visits a page like kempigd[.]com, which runs a fingerprinting script in the background.
It gathers system data, like browser type, screen resolution, time zone, and GPU details to determine whether the visitor fits the attacker’s target profile.
If there’s no match, the user is quietly redirected to a legitimate site (in this case, Tesla’s official website) to throw off suspicion.
View Tesla website rediraction in ANY.RUN
If the system fingerprint does match, the page redirects to a fake Microsoft 365 login portal built to steal corporate credentials.
View analysis with Microsoft phishing page
.webp)
With solutions like ANY.RUN’s interactive sandbox, it becomes easy to trace every stage of complex phishing attacks, from profiling scripts to final payload delivery.
Analysts can adjust VM settings like IP, language, and location to replicate the exact conditions attackers are targeting.
This level of control is especially valuable for SOC teams under pressure to respond fast.
Instead of spending hours trying to reproduce suspicious behavior, they get clear, immediate visibility into how the attack works; what’s triggered, what’s downloaded, and what happens next.
4. LinkedIn Website Spoofing
LinkedIn has become a key target in phishing campaigns not just because of its user base, but because of the trust it carries.
Attackers know that a LinkedIn login page doesn’t usually raise suspicion. That makes it the perfect disguise for credential theft.
In this analysis session, attackers created a pixel-perfect clone of LinkedIn’s login page and hosted it on a compromised Brazilian domain (megarapidaambiental[.]com[.]br).
View analysis session with spoofed LinkedIn page
At a glance, the page looks legitimate, even the “Continue with Microsoft” and “Sign in with Google” buttons are there, along with LinkedIn’s branding and prompts.
What gives it away is the URL, not the content. But most users won’t check that. And many automated systems won’t flag it, especially when the page is hosted on a low-reputation but clean-looking domain.
With sandboxes like ANY.RUN, security teams can safely explore and interact with these spoofed environments, inspecting network behavior, form submissions, and hidden scripts in real time.
5. Phishing Pages Hosted On Notion
Phishing doesn’t always rely on shady domains or poorly built pages. In fact, some of the most deceptive attacks are now hosted on legitimate platforms like Notion.
These services are designed for collaboration, not security, which makes them an ideal cover for threat actors looking to host malicious content without raising red flags.
In one ANY.RUN analysis session, a Notion-hosted page, written in Italian, was used to lure victims into clicking a link to a fake Microsoft OneNote login.
From there, credentials were harvested through a spoofed login form, while the victim’s IP address was silently collected and exfiltrated via a Telegram bot embedded in the phishing script.
After submission, the victim was redirected to the real OneNote login page to avoid suspicion.
With ANY.RUN’s interactive sandbox, SOC teams can safely interact with phishing flows hosted on trusted platforms, trace data exfiltration routes like Telegram bots, and collect real-time intelligence to improve detection and response workflows.
Stop Phishing Before It Turns Into A Breach
Phishing attacks aren’t just hiding in emails anymore. They’re embedded in trusted platforms, disguised as login pages, and triggered only when the conditions are just right.
ANY.RUN helps security teams move faster, respond smarter, and stay ahead of threats:
- Faster detection and triage thanks to real-time, behavior-based analysis
- Fewer false positives through full visibility into how phishing attacks unfold
- Stronger collaboration between analysts, threat hunters, and managers with shared sessions and reporting
- Better threat intel with IOCs, metadata, and full attack chains captured automatically
- Proactive response by uncovering evasive techniques that traditional tools miss
Start your 14-day trial and give your team the clarity and speed they need to stop phishing attacks before they spread.
The post 5 New Trends In Phishing Attacks On Businesses – Must Aware Threats appeared first on Cyber Security News.
