Videos · Cole Finch
A LinkedIn Live roundtable discussion featuring Expel security experts exploring the most significant cybersecurity trends from Expel’s 2025 Annual Threat Report.
Date: February 26, 2025
Featuring:
- Ben Baker, Director of Content, Expel (Host)
- Aaron Walton, Senior Threat Intel Analyst, Expel
- Christine Billie, Manager of SOC Operations, Expel
- Myles Satterfield, Senior Manager of SOC Operations, Expel
Executive Summary
In this LinkedIn Live session, Expel security experts discuss findings from the 2025 Annual Threat Report, focusing on two significant trends: the rise of phishing-as-a-service and ClickFix, a social-engineering tactic that tricks users into pasting and running malicious commands themselves. The panelists also examine an emerging combination of Microsoft Teams phishing and email bombing. The discussion covers how threat actors are evolving their tactics and offers practical guidance on how organizations can protect themselves against these attacks.
Introduction
Ben Baker: Hello everyone and welcome to today’s LinkedIn Live roundtable discussing our 2025 Annual Threat Report. This report follows our tradition of examining threat trends observed throughout the year. I’m joined by members of our Security Operations Center team who are on the front lines of detection and response.
For those unfamiliar with Expel, we’re a Managed Detection and Response (MDR) provider with a unique approach. We integrate with over 130 leading security tools that our customers already use, bringing that data into our proprietary platform called Expel Workbench. This creates a two-way mirror where our analysts operate in the platform and customers can log in to see exactly what our team sees in real time.
This visibility across different environments and tools allows us to identify trends in attacker behavior, which forms the basis of our threat report and today’s discussion.
The rise of phishing-as-a-service
Ben Baker: One of the biggest trends highlighted in our 2025 report is the rise of phishing-as-a-service. Aaron, can you explain what this is and how you were able to discover this trend within our data?
Aaron Walton: Phishing-as-a-service has been rising over the past year or two. Similar to legitimate cloud services like platform-as-a-service or infrastructure-as-a-service, phishing-as-a-service provides web panels that allow threat actors to easily run phishing campaigns without needing to set up their own infrastructure.
We’ve observed this trend contributing significantly to the overall volume of phishing incidents. When Microsoft deprecated certain forms of authentication, threat actors needed new ways to bypass MFA and adapt to enhanced security standards. Phishing-as-a-service platforms emerged as their solution, offering tools specifically designed to overcome these security measures.
Our unique position at Expel, observing data across multiple organizations and industries, allows us to identify consistencies in phishing emails and landing pages that can be traced back to specific phishing-as-a-service platforms.
Industry context: According to AAG IT Support, phishing remains the most common form of cybercrime, with an estimated 3.4 billion spam emails sent daily. Hoxhunt’s 2025 Phishing Trends Report states that the volume of phishing attacks has grown by 4,151% since the release of ChatGPT in 2022, showing how rapidly this threat vector is growing.
Myles Satterfield: What makes phishing-as-a-service particularly dangerous is the low barrier to entry. You don’t need your own infrastructure or technical expertise—the service provides everything needed to execute sophisticated phishing campaigns. They’re also continually improving their tactics, using methods like QR codes to evade endpoint detection, or tracking browser information and IP addresses to better replicate legitimate logins after stealing credentials.
Aaron Walton: An important point to add is that when a single attacker improves their technique or finds a new way to bypass security measures, they’re now enabling everyone using that platform to do the same. This allows for rapid operationalization of innovations across a broad spectrum of attackers.
Defending against modern phishing
Ben Baker: Many traditional security measures like MFA and email filters may not be sufficient against these evolving threats. Christine, if you could redesign an organization’s anti-phishing strategy from the ground up, what three elements would be essential?
Christine Billie: This is definitely challenging as the threat landscape evolves rapidly. My approach would focus on three strategic elements:
First, implement stronger MFA policies. Many people don’t realize that some forms of MFA are more secure than others. While SMS messages, push notifications, and email one-time PINs are common, FIDO2 standard solutions like YubiKeys or biometric readers provide significantly stronger protection. These cryptographic login credentials tied to hardware devices are much harder to crack.
Second, focus on user awareness training that’s engaging and memorable. At a previous organization, we created a phishing simulation targeting employees’ interests—like tickets to the Wizarding World of Harry Potter—and when they clicked, their computer went into kiosk mode requiring them to complete cybersecurity awareness training. This approach had more impact than routine training videos.
Finally, deploy a combination of email security gateways and API-based protection to both filter spam upfront and retroactively remove malicious messages from inboxes.
Aaron Walton: It’s worth noting that our report looks at emails users submit after they’ve already passed through security gateways. This gives us valuable insight into what types of threats are evading existing protections, helping us better understand these evolving tactics.
The ClickFix malware threat
Ben Baker: Let’s discuss another significant trend from the report: the ClickFix malware delivery tactic. Aaron, can you explain what ClickFix is and why it’s concerning?
Aaron Walton: This attack technique has become so prolific that most people watching have likely encountered it. ClickFix typically appears on infected websites where a JavaScript module pops up claiming something is broken with your browser. It then instructs you to run specific key sequences or commands in PowerShell or the Windows Run program to “fix” the issue.
What makes this dangerous is that it bypasses the browser’s defenses against downloading malicious files. The commands typically load malware directly into memory without writing to disk, eliminating many opportunities for detection. We’re seeing numerous variations of this approach, from fake cookie consent buttons to dedicated websites claiming to offer image editing capabilities that require running these commands.
Threat intelligence context: According to Help Net Security, the ClickFix tactic has recently been adopted by nation-state actors, including the North Korean APT Kimsuky. Logpoint reports that ClickFix has been used to distribute various malware families, including DarkGate, Lumma Stealer, AsyncRAT, and other infostealers and remote access trojans.
Christine Billie: From a defensive perspective, organizations should implement the principle of least privilege. If users don’t need to run PowerShell scripts or execute JavaScript code, don’t let them. Group policies can prevent the execution of many commands used in these attacks.
For user education, tailoring training to your employees’ interests and vulnerabilities is critical. Attackers are targeting what people care about, so security teams should use the same approach in their training—exploit interests to educate, just as attackers exploit interests to compromise.
Myles Satterfield: Looking at internal policies, organizations should consider disabling the Windows Run program if it’s not needed. Many of these malware attacks rely on specific Windows configurations that can be modified. Proper EDR policies are also crucial—ensuring they’re not just deployed but also configured for blocking. Traffic filtering at the gateway level can help block suspicious websites and pop-ups based on reputation.
Microsoft Teams phishing and email bombing
Ben Baker: The final topic I’d like to discuss is a spotlight from our report on Microsoft Teams phishing combined with email bombing. Aaron, what does this attack involve?
Aaron Walton: This tactic starts with attackers subscribing someone to receive a flood of spam emails. Once the target is overwhelmed and distressed by this “email bombing,” the attackers reach out via Microsoft Teams, often posing as IT support with usernames like “Help Desk.” They offer to help fix the spam problem.
To “assist,” they ask the target to run Microsoft Quick Assist, a legitimate remote access tool. Once connected, they’ll run a script that appears to fix the issue but actually installs remote access tools to maintain access after the session ends. Multiple ransomware actors are using this technique, and despite some groups being exposed, we continue to see this approach being actively used.
Industry context: According to Bleeping Computer, ransomware gangs are increasingly using email bombing followed by posing as tech support in Microsoft Teams. Sophos research identified two threat actors using this tactic, with links to Black Basta ransomware and possibly FIN7, targeting organizations through Microsoft 365.
Myles Satterfield: These tactics tend to cycle—they gain popularity, go quiet for a while, and then resurge. As security teams get better at detecting certain approaches, attackers modify their techniques or return to previously successful methods with new twists.
Looking ahead, I expect we’ll see more attacks leveraging popular technologies and trends. For example, as ads become more integrated into everyday applications and devices, attackers will likely exploit this familiar pattern. We’ve also observed a recent resurgence in using alternate data streams—files hidden inside other files—to deliver malware.
Christine Billie: One specific recommendation for Microsoft Teams is to check your default settings. By default, Teams allows messages and calls from all external Microsoft 365 organizations. This means users in your organization can be contacted by anyone using Teams in any other organization, which creates significant risk. IT administrators should review Microsoft Teams Help Center guidance and modify these settings to restrict external communications.
Aaron Walton: While it might seem burdensome to individually whitelist trusted organizations, the risk of not doing so is substantial. We’ve seen attackers research executives and send targeted messages about sensitive topics like layoffs to multiple employees, who are likely to interact with such messages. The effort to properly configure these settings pays off by preventing potentially devastating compromises.
Future predictions
Ben Baker: As we wrap up, I’d like to hear your predictions for cybersecurity trends in 2025.
Christine Billie: I believe generative AI will continue to lower the barrier to entry for threat actors. We’ve long had “script kiddies” who use pre-written scripts, but AI makes it much easier to customize and develop functionally malicious code. This is both concerning and interesting from a security professional’s perspective.
Myles Satterfield: I hope to see more organizations implementing threat emulation through red team exercises to test defenses against these tactics. For attackers, I expect we’ll see continued exploitation of human curiosity around emerging technologies, with more creative campaigns targeting new concepts before security teams can adapt.
Aaron Walton: People should anticipate more ClickFix-type attacks. The only thing likely to stop this technique is if browsers build in protections to prevent it from happening at all, which I don’t see happening soon. Security practitioners need to implement mitigations now, as this trend will continue to grow until the technique itself is completely eliminated.
Additional resources
- Learn more about Expel’s Security Operations Center (SOC) services
- Read the detailed 2025 Annual Threat Report
- Check out our blog post on Phishing in Microsoft Teams: The New Ransomware Frontline
- Watch our previous roundtable on Atlas Lion Threat actors and their cloud attacks
- Explore Expel’s blog for more security insights and research
External resources on phishing and malware threats
- AAG IT Support: The Latest Phishing Statistics
- Hoxhunt: 2025 Phishing Trends Report
- Help Net Security: North Korean hackers using ClickFix tactic
- Bleeping Computer: Ransomware gangs pose as IT support in Microsoft Teams phishing attacks
This transcript has been edited for clarity and readability.
For more information about Expel’s services and threat research, visit expel.com/blog or follow us on LinkedIn.