Malicious URLs overtake email attachments as the biggest malware threat
With malware threats surging, research from Proofpoint highlights the increasing use of off-the-shelf 'phish kits' like CoGUI and Darcula
There's been a sharp rise in the number of phishing and URL-based attacks over the last year, with malicious URLs now being used four-times as often as attachments in email threats.
Malicious links are embedded in messages, buttons, and even within attachments like PDFs or Word documents to entice clicks that initiate credential phishing or malware downloads.
According to a new report from Proofpoint, researchers observed around 3.7 billion URL-based threats over a six month period, highlighting the growing scale of the problem.
Only 8.3 million of these threats were intended to deliver malware, however, with the most frequently-observed payloads in URL-based campaigns being remote monitoring and management (RMM) tools and remote access software (RAS).
These attacks are getting increasingly difficult for users to identify, Proofpoint noted, with cyber criminals now using advanced social engineering techniques and AI-generated content to create their malicious URLs.
Not only are they impersonating trusted brands, but also abusing legitimate services, tricking users with fake error prompts and bypassing traditional security by embedding threats in QR codes and SMS messages.
"URL-based phishing threats are no longer confined to the inbox, they can be carried out anywhere and are often extremely difficult for people to identify,” said Selena Larson, senior threat intelligence analyst at Proofpoint.
New techniques are paying off for hackers
Some of the URL-based credential phishing campaigns with the highest volumes in the past 12 months have been facilitated by off-the-shelf 'phish kits' like CoGUI and Darcula.
CoGUI is primarily used by Chinese-speaking threat actors, according to Proofpoint. These high-volume campaigns typically include message counts ranging from the hundreds of thousands to tens of millions at a time, and are mainly used to steal personal details such as credit card numbers.
Meanwhile, ClickFix malware campaigns - a phishing technique that lures users into running malicious code by displaying fake error messages or CAPTCHA screens - are up by nearly 400% year-over-year.
Malware operators are exploiting the urge to resolve a perceived technical issue, helping them spread remote access trojans (RATs), infostealers and loaders.
QR code and smishing threats are rising
Proofpoint also identified more than 4.2 million QR code phishing threats in the first half of 2025 alone. In these cases, the main aim of attackers is credential phishing, with 3.7 billion URL-based attacks aimed at stealing logins.
With phishing lures that impersonate trusted brands and use off-the-shelf tools such as CoGUI and Darcula phish kits, Proofpoint said even low-skilled actors can deploy highly convincing campaigns that bypass multi-factor authentication (MFA) and lead to full account takeover.
The number of smishing campaigns rocketed by 2,534%, as attackers shift their focus to mobile devices - at least 55% of suspected SMS-based phishing messages analyzed by the firm contained malicious URLs, often mimicking government communications or delivery services.
“From QR codes in emails and fake CAPTCHA pages to mobile-first smishing scams, attackers are weaponizing trusted platforms and familiar experiences to exploit human psychology," said Larson.
"Defending against these threats requires multi-layered, AI-powered detection and a human-centric security strategy.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
What businesses need to know about the update to Cyber EssentialsIn-depth Cyber Essentials was updated this April – what are the key changes?
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victims
News A fake interview process uses coding tests and repo downloads to deliver malware
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
‘The build pipeline is becoming the new frontline’: Axios npm compromise highlights growing software supply chain risks, experts warnNews Cyber criminals exploited a hijacked maintainer account to compromise one of the world's most widely used JavaScript libraries
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
