Email phishing attacks have reached a critical inflection point in 2025, as threat actors deploy increasingly sophisticated evasion techniques to circumvent traditional security infrastructure and user defenses.

The threat landscape continues to evolve with the revival and refinement of established tactics that were once considered outdated, combined with novel delivery mechanisms that exploit gaps in both automated scanning and human vigilance.

Security researchers have documented a marked increase in phishing campaigns that leverage PDF attachments as a primary attack vector, representing a significant shift from conventional hyperlink-based phishing.

Instead of embedding direct phishing links within email bodies, attackers now employ QR codes embedded within PDF documents, a technique that serves dual purposes: evading email filter detection while simultaneously encouraging users to scan codes on mobile devices that typically lack the robust security safeguards present on workstations.

Securelist analysts and researchers noted that PDF-based attacks have evolved further to incorporate encryption and password protection mechanisms.

The passwords may be included within the email itself or transmitted through separate communications, deliberately complicating rapid file scanning by security systems.

From a psychological perspective, this approach lends an air of legitimacy to the malicious communications, mimicking enterprise security protocols and consequently inspiring greater user trust in the fraudulent messages.

Beyond PDF-based attacks, threat actors have reinvigorated calendar-based phishing campaigns that had largely disappeared after 2019.

These attacks function by inserting phishing links within calendar appointment descriptions rather than email bodies, exploiting the fact that calendar applications send reminder notifications that often bypass initial security review processes.

This technique has been particularly effective in targeting business-to-business environments and office workers in 2025.

Advanced Detection Evasion and Multi-Factor Authentication Bypass

The sophistication of phishing infrastructure has reached unprecedented levels, with attackers implementing multi-layered verification systems designed to evade security bots and automated threat detection.

One prominent technique involves deploying CAPTCHA verification chains that repeatedly challenge users to prove their humanity before accessing credential harvesting forms.

These mechanisms serve to frustrate automated analysis while maintaining accessibility for legitimate users.

Researchers identified particularly sophisticated attacks targeting cloud storage services, where malicious pages interact with legitimate APIs in real-time.

These advanced phishing sites relay user credentials to authentic services, creating dynamic verification processes that mirror legitimate authentication flows perfectly.

When users enter credentials on phishing pages, the site communicates directly with the real service, providing genuine error messages and multi-factor authentication prompts.

This approach allows attackers to harvest both passwords and one-time authentication codes, effectively bypassing modern security protections.

The credential harvesting mechanisms themselves have become remarkably convincing, with attackers creating pixel-perfect replicas of legitimate login interfaces, complete with identical branding, default folders, and system imagery.

Once victims have been compromised, attackers gain full account access with minimal detection risk. Organizations must implement comprehensive security training programs while deploying enterprise-grade email filtering solutions capable of detecting these evolving attack methodologies.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Advancing Email Phishing Attacks to Bypass Security Filters appeared first on Cyber Security News.

Remcos, a commercial remote access tool marketed as legitimate surveillance software, has become the leading infostealer in malware campaigns during the third quarter of 2025, accounting for approximately 11 percent of detected cases.

In a notable shift from traditional deployment methods, threat actors are now weaponizing this remote control and surveillance platform through sophisticated fileless attack chains that successfully evade endpoint detection and response systems.

The malware’s primary motivation centers on credential theft through opportunistic targeted attacks, with particular focus on the financial sector, though recent evidence suggests attackers have compromised legitimate websites to host additional malicious payloads supporting the broader operation.

The attack begins deceptively with users receiving emails containing seemingly innocent business attachments. A file named “EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz” initiates the infection chain.

Once extracted, this archive deploys a batch file into the Windows temporary directory, which subsequently executes a heavily obfuscated PowerShell script employing custom string de-obfuscation functions named “Lotusblo” and “Garrots.”

CyberProof analysts identified the PowerShell script initiating hidden processes while configuring web requests to use TLS 1.2 and custom User-Agent strings for legitimate-appearing network traffic.

The script constructs a target file path at C:\Users\\AppData\Roaming\Hereni.Gen and enters a continuous download loop, attempting to retrieve files from a malicious C2 domain every four seconds.

Upon successful download, the script Base64 decodes and GZip decompresses the retrieved payload before executing it through Invoke-Expression, enabling dynamic command execution while leaving no traces on disk.

Process Injection and Detection Evasion

The sophisticated technique deployed by attackers involves leveraging msiexec.exe, a legitimate Windows installer executable, to perform process injection into RmClient.exe, a Microsoft-distributed file.

This fileless approach proves effective against traditional EDR solutions because RmClient.exe carries legitimate digital signatures, causing many detection systems to overlook the injected Remcos payload.

Once injected, the malware immediately begins accessing browser credential stores, targeting key4.db, logins.json, and Login Data files containing saved passwords and sensitive authentication information.

Network communications from the compromised RmClient.exe process directed to command-and-control servers at ablelifepurelife.ydns.eu and icebergtbilisi.ge on non-standard ports like 57864 and 50807 reveal the attacker’s infrastructure.

The malware demonstrates persistence through multiple RmClient.exe instances spawning with random parameters stored in the temporary directory, multiplying detection complexity and enabling the threat actor to maintain long-term access for subsequent, more destructive operations.

Organizations must enhance detection capabilities to identify process injection patterns and monitor unusual credential access activities, particularly when involving legitimate system binaries.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Fileless Remcos Attacks Bypassing EDRs Malicious Code into RMClient appeared first on Cyber Security News.