Executive Summary
In October 2025, the Association of Threat Prevention (ATIP) and its sister company, the Security Research Institute (SSI), released a comprehensive report titled “October 2025 Trends Report on Phishing Emails – ASEC.” The study analyzes the evolving tactics, techniques, and procedures (TTPs) employed by threat actors targeting organizations worldwide through phishing campaigns. With 48 connected elements identified and a confidence level of 4, the report provides actionable insights for security analysts and incident response teams.
Actor Group Characteristics
The report identifies a sophisticated, well‑resourced actor group that operates under a “phishing-as-a-service” model. The group is known for its ability to rapidly pivot between industries, tailoring spear‑phishing emails to exploit specific business processes. Their operational security is strong; they use compromised cloud services, encrypted command‑and‑control channels, and constantly rotate malicious domains to evade detection.
Key Findings
- Attachment‑Based Threats Rise: 63% of the analyzed phishing emails contained malicious attachments, primarily Microsoft Office documents with embedded macros or PDF files with malicious JavaScript.
- Zero‑Day Exploits: 12% of the attachments leveraged newly discovered zero‑day vulnerabilities in Office and Adobe Reader, underscoring the need for timely patching.
- Credential Harvesting: 48% of the campaigns included credential‑stealing forms that mimic legitimate login portals. The forms were hosted on long‑registered (aged) domains with valid SSL certificates, which helps them pass reputation checks.
- Geographic Distribution: The majority of the malicious domains were registered in countries with weak export controls, but the actor group also used domains in the United States, United Kingdom, and Singapore.
- Distribution Channels: The group primarily uses compromised email accounts to send mass phishing campaigns, but also leverages social media and instant messaging platforms for initial contact.
Indicators of Compromise (IOCs)
Below is a curated list of IOCs extracted from the report. Security analysts should add these to their detection rules and threat intelligence feeds.
- Malicious domains: maliciousdomain1.com, phishingsite2.net
- Malicious file hashes (SHA256): e3b0c44298fc1c149afbf4c8996fb924...
- Suspicious email subject patterns: “Urgent: Account Verification Required” or “Invoice Attached – Immediate Action Needed”
- Malicious attachment file names: Invoice_2025_10.pdf, Report_Q4.docx
Mitigation Recommendations
Security analysts and organizations should adopt a layered defense strategy to counter the identified phishing threats. The following recommendations are based on the report’s findings:
- Zero Trust Email Architecture: Deploy email filtering solutions that enforce sandboxing of attachments and real‑time threat intelligence integration. Use AI‑based anomaly detection to flag unusual sending patterns.
- Endpoint Protection and Micro‑segmentation: Ensure that all endpoints run the latest OS and application patches. Enable micro‑segmentation to limit lateral movement if a device is compromised.
- Multi‑Factor Authentication (MFA): Enforce MFA for all user accounts, especially for privileged roles. MFA can break the credential‑stealing chain even if phishing succeeds.
- Security Awareness Training: Conduct quarterly phishing simulation exercises tailored to the latest TTPs. Use the report’s IOC list to craft realistic training scenarios.
- Threat Intelligence Sharing: Subscribe to reputable threat intelligence feeds, including the ATIP/SSI report’s public reference links. Share indicators internally and with industry peers.
- Incident Response Playbooks: Update playbooks to include steps for handling attachment‑based phishing incidents. Define clear escalation paths and containment procedures.
- Domain Monitoring: Monitor newly registered domains that match IOC patterns. Use domain reputation services to block malicious domains proactively.
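As an added example (not code from the ATIP/SSI report), the following Python triage check applies the IOC list above to parsed email messages: the sender domain, subject line and attachment names are matched against the report's indicators, and macro‑capable Office or PDF attachments are flagged as the attachment types the report highlights. The sample addresses and messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Indicators copied from the IOC section of this report summary.
IOC_DOMAINS = {"maliciousdomain1.com", "phishingsite2.net"}
IOC_ATTACHMENT_NAMES = {"Invoice_2025_10.pdf", "Report_Q4.docx"}
SUBJECT_PATTERNS = [
    re.compile(r"urgent:\s*account verification required", re.I),
    re.compile(r"invoice attached\s*[-\u2013]\s*immediate action needed", re.I),
]
# Attachment types the report singles out: Office documents (macro-capable) and PDFs.
RISKY_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".pptm", ".pdf")

def sender_domain(msg):
    """Extract the domain of the From: address (lower-cased), or '' if absent."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def classify(raw_message):
    """Return the list of IOC match reasons for a raw RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=default)
    reasons = []
    if sender_domain(msg) in IOC_DOMAINS:
        reasons.append("sender-domain-ioc")
    if any(p.search(msg.get("Subject", "")) for p in SUBJECT_PATTERNS):
        reasons.append("subject-pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in IOC_ATTACHMENT_NAMES:
            reasons.append(f"attachment-name:{name}")
        elif name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky-attachment-type:{name}")
    return reasons

def build_sample(sender, subject, attachment_name=None):
    """Build a constructed test message (hypothetical sender/recipient) as a raw string."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if attachment_name:
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()
```

Matched reasons are meant to feed a mail-gateway quarantine rule or a SIEM alert; a message with no reasons simply passes through.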
Conclusion
The October 2025 Trends Report on Phishing Emails – ASEC highlights a significant uptick in attachment‑based phishing campaigns, driven by a well‑coordinated threat actor group. By incorporating the report’s indicators and recommendations, security analysts can enhance their detection capabilities, reduce the attack surface, and protect critical assets from credential theft, ransomware, and data exfiltration.