Phishing attacks in Q2 2025 exploit trust in internal emails

KnowBe4 has released its Q2 2025 Phishing Simulation Roundup report, showing that employees remain vulnerable to phishing emails that closely mimic internal communications and well-known brands.

Internal focus

The report draws on data from simulated phishing exercises conducted in mid-2025 using the KnowBe4 HRM+ platform. It shows that 98.4% of the top 10 most-clicked email templates had internal themes, with human resources referenced in 42.5% of phishing failures and IT topics in 21.5%.

Malicious emails that exploit trust by purporting to come from familiar sources are proving hard for employees to identify, with internal communication topics dominating the list of most successful phishing simulations.

Branded threats

KnowBe4's findings also indicate continued abuse of popular brands in social engineering attacks, with branded content present in 71.9% of malicious landing page interactions. Microsoft was featured in 26.7% of these interactions, followed by LinkedIn, X, Okta, and Amazon.

When it came to hyperlinks within emails, the vast majority (80.6%) of the top 20 most-clicked links originated from internally-themed simulations, and 68.2% used domain spoofing techniques to appear more convincing.

Attachment trends

The analysis showed a rise in the use of PDF files as phishing lures. PDF attachment clicks increased by 8.1% compared to the previous quarter, and PDFs made up 61.1% of the top 20 attachments. HTML files accounted for 20.9%, with Word documents making up the remaining 18.0%.

Consistency with previous quarter

The trends in Q2 2025 were largely consistent with those seen in Q1 2025, emphasising the persistent nature of social engineering tactics that rely on the exploitation of trust and familiarity.

Expert commentary

"One of the key takeaways from the Q2 Simulated Phishing Roundup is the critical role trust plays in cybersecurity. Whether that is trust in internal communications, familiar brands, or even known individuals, phishing emails that appear to originate from reputable sources will always have a higher chance of lowering a recipient's suspicions. We see this time and time again in real-word scenarios, where attackers use sophisticated social engineering tactics to take advantage of this fundamental human instinct, making it harder for employees to distinguish legitimate and malicious emails," said Erich Kron, Cybersecurity Advocate, KnowBe4. 

Kron also highlighted the importance of a comprehensive approach to reducing risk:

"The Q2 findings reinforce the need for organizations to strengthen their human defenses through a layered approach centered on human risk management. This includes employee empowerment through a combination of relevant, timely and adaptive security training and intelligent detection technology that can identify and mitigate threats in real time."

Human element in security

The Q2 2025 report points to a need for regular and adaptive security training for employees, alongside the deployment of detection technologies capable of recognising and halting phishing attempts. The data suggests that even as technical defenses improve, the human element remains a significant focus for attackers.