Mimecast, a global cybersecurity leader redefining how organisations secure human risk, today published its 2025 Global Threat Intelligence Report, examining threat activity in 2025.
According to the report, threat actors are pivoting their tactics to approach human touchpoints from every angle – inside business flows and across channels – to deploy coordinated campaigns that overwhelm traditional defenses.
The data reveals key trends, including the rise of smarter, AI-powered phishing and social engineering attacks, and threat groups increasingly using trusted services to evade detection and reach targets.
In fact, Mimecast analysis found that phishing accounts for 77% of all attacks up from 60% in 2024 with attackers likely leveraging more AI tools.
“We’re seeing a clear evolution in attacker behavior in 2025, headlined by an exponential rise in AI-driven threats,” said Ranjan Singh, Mimecast Chief Product & Technology Officer.
“Financial platforms, regulatory agencies, and city governments have all been targeted by profit-driven ransomware groups and highly organised, state-sponsored adversaries,”
“Threat actors are doubling down on human-focused attacks and exploiting trusted business services as their primary means of intrusion, making employee awareness and resilient systems more essential than ever.”
AI-Enhanced Deception: Smarter Phishing and Social Engineering
This human-focused approach begins with sophisticated deception tactics. Generative AI is giving threat actors more power to create the perfect lure, impersonating vendors, partners, and employees.
They are now able to craft convincing email chains, synthetic voices, and audio messages that can bypass detection tools.
Mimecast research reports a significant increase in social engineering attacks, including schemes like ClickFix, AI-augmented phishing, and business email compromise (BEC).
These attacks are becoming increasingly sophisticated, with attackers leveraging automated conversation chains to create the illusion of legitimate communication in phishing emails, often impersonating senior executives and using urgent language.
Mimecast’s Threat Research Team recently identified a large-scale BEC invoice fraud campaign targeting global organisations, in which attackers used AI-generated email content, urging payment requests to exploit business processes.
ClickFix schemes in particular – where attackers use fake error messages or verification prompts to trick users into copying and running malicious commands on their own devices – increased more than 500% in the first six months of the year, accounting for nearly 8% of reported attacks.
Exploiting Trust: Attackers Weaponise Everyday Business Tools
Building on these AI-enhanced deception techniques, attackers are simultaneously exploiting the trusted business tools employees use daily.
The trend of living off the land continues to evolve, with attackers increasingly living off trusted services (LOTS).
They are finding new ways to exploit essential platforms like Adobe Pay, DocuSign, and Salesforce within their attack chains – with virtual meeting room and hosting service DocSendbecoming the most abused service in 2025.
Central to this trust exploitation strategy, threat actors are also using legitimate and custom CAPTCHA services to both better trick victims and slow threat intelligence analysts’ ability to detect attacks.
Thousands of unique malicious CAPTCHA-protected URLs are detected each month, with more than 900,000 detections of Scattered Spider using this technique in the U.S. and UK.
AI further empowers attackers to craft highly convincing phishing messages to support delivery via these tools, blurring the line between legitimate business activity and malicious behavior.
Multichannel Attacks: Attackers Evade Detection
Completing this three-pronged strategy targeting human vulnerability, attackers are now coordinating across multiple communication channels to evade detection.
To bypass organisational defenses that monitor unusual network and IT activity, attackers are increasingly shifting across communication channels.
For example, phishing emails may now include phone numbers for victims to call, which reduces visibility and makes attacks harder to detect.
This tactic has been observed in high-profile incidents, including executive impersonation and IT support scams. AI-generated voices and deepfake technology are amplifying the effectiveness of these multichannel attacks, making them even more convincing and difficult to defend against.
Industry-Specific Threats: Attackers Target High-Value Sectors with Tailored Tactics
Many of these attacks are targeting certain industries based on the nature of their operations and the value of their assets.
Professional Education, IT Software, Telecommunications, Real Estate, and Legal organizations experience a higher volume of impersonation attacks, as these sectors often have direct access to high-value targets, handle sensitive financial transactions, and manage confidential client information.
Notably, real estate professionals were hit with substantially more phishing attacks than workers in other industries, underscoring the sector’s growing exposure to social engineering threats.
The Mimecast Threat Research Team also recently uncovered a phishing campaign targeting hospitality industry professionals.
Attackers used fraudulent email impersonation and large-scale credential harvesting targeting trusted hotel management platforms like Expedia and Cloudbeds.
As cybercriminals continue to adapt their tactics to exploit sector-specific vulnerabilities, organizations across all industries must prioritise proactive threat detection, employee awareness, and layered defense strategies to stay ahead of evolving attacks.
“Cyber defense can no longer be treated solely as a technology issue,” said Mimecast Chief Information Security Officer, Leslie Nielsen. “It’s equally about people and organisational resilience.
“Since last year, cybercriminals have significantly increased their use of trusted services to bypass technical defenses that might otherwise block attacks,”
“Countering these threats requires organisations to adapt by preparing employees to recognise suspicious activity and leveraging tools like AI internally to enhance both business workflows and security operations,”
“As threat actors continue to target the human layer through deception, trust exploitation, and multichannel coordination, building awareness and resilient response capabilities becomes critical.” said Nielsen
