Email continues to be the #1-way cybercriminals target businesses, and the attacks are getting smarter.
While many business leaders assume their spam filters are doing the job, the latest findings from Barracuda’s 2025 Email Threats Report show that default settings and basic filtering no longer cut it. These threats aren’t just landing in your personal inbox. They’re slipping into business email accounts too, often without anyone noticing.
What’s Really Hitting Your Inbox?
According to Barracuda, 1 in every 4 email messages is malicious or unwanted.
That includes spam, phishing attempts, malware, and scams designed to steal credentials or infect systems.
With the average employee receiving dozens (if not hundreds) of emails per day, chances are high that at least one risky message is getting through.
And once it does, email is one of the easiest ways for a cybercriminal to sneak into your business.
What Kind of Email Attachments Should You Be Worried About?
Barracuda’s data breaks it down:
- HTML files are the biggest offenders: Over 75% of detected malicious files were HTML. Attackers use these to create fake login pages or trigger malicious scripts.
- Microsoft 365 documents may only have a 0.17% malicious rate, but because they’re so common in business, attackers use them to hide malware or phishing links.
- PDFs are widely trusted, but still risky. 12% of malicious PDFs are part of Bitcoin sextortion scams—emails that threaten victims with fake claims in exchange for cryptocurrency.
- Executable files (.exe, etc.) are incredibly dangerous. 87% of binaries detected were malicious. These should almost always be blocked.
- QR codes are now being used to sneak in phishing links. 83% of malicious Microsoft 365 files and 68% of malicious PDFs contain QR codes that bypass traditional filters and lead users to fake Microsoft 365 login pages.
- Malicious scripts and archive files (ZIP, RAR) aren’t as common, but attackers often rely on them to deliver harmful payloads without triggering detection.
Malicious Links and Phishing Attacks
Malicious links are everywhere, and they’re surprisingly easy to fall for. Data shows that 1 in every 100 links in emails is malicious, and clicking just one can lead to serious security issues.
Phishing emails are designed to look legitimate, often mimicking trusted brands, vendors, or internal departments. These messages are crafted to create urgency or curiosity, prompting users to click before thinking.
In 2025, attackers are using tactics like:
- Fake login pages that mimic Microsoft 365 or other platforms to steal usernames and passwords
- Malware downloads disguised as invoices, security alerts, or software updates
- Fraudulent payment portals used to trick employees into submitting financial details or wiring funds
Some attackers are even using AI to generate more convincing, personalized messages that are harder to detect. These emails might reference a recent project, use familiar names, or mimic writing styles to gain trust.
Further Reading: How to Spot a Phishing Email
Default Email Security Setting Aren’t Enough
Most email platforms have basic filters, but they aren’t built to detect modern, targeted attacks. Today’s threats bypass those settings with QR codes, impersonation, and deceptive URLs.
This is where most businesses fall short, especially when they haven’t configured protection like DMARC (which prevents spoofed emails from reaching your clients or employees). Nearly half of companies still don’t have a DMARC policy in place, and only 11% actively enforce one.
We broke down how DMARC works and why it matters in last year’s blog, Why Email Security Should Be Your Top Priority in 2024.
Account Takeover Attacks
Attackers don’t always strike right away. Sometimes, they play the long game.
Account takeover (ATO) happens when a cybercriminal gains access to a legitimate user’s email account, usually through stolen credentials from a phishing attack or a weak password. Once inside, they quietly monitor activity, set up forwarding rules to intercept messages, or delete security alerts to avoid detection.
According to the report:
- 20% of businesses experience at least one account takeover every month
- In 27% of cases, attackers set up forwarding rules or delete alerts to stay hidden
- 17% of compromised accounts are used to send spam, phishing emails, or malware
What makes ATO so dangerous is that the emails come from a real, trusted address. This makes it much harder for recipients—whether coworkers, clients, or vendors—to detect the threat. Once an account is taken over, it becomes a launchpad for further attacks across your organization and beyond.
How To Keep Your Email Account Secure
Here are some of the recommendations made in the report. At Just Solutions we encourage these for all of our clients.
- Use advanced, multilayered email security tools (not just the built-in ones)
- Enforce strict rules for dangerous file types and suspicious links
- Block external forwarding and auto-deletion of alerts
- Review and configure DMARC, SPF, and DKIM policies
- Train staff on how to spot suspicious emails and links
- Back up your data and monitor for unusual activity
Further Reading: Why You Need a Professional Email Domain
Don’t Let Email Be an Open Door
Email is still the most-used communication channel for businesses, and it’s also one of the easiest to exploit.
When’s the last time you checked what’s getting through your spam filters?
If it’s been a while since you reviewed your email security, Just Solutions can help. We’ll assess your current setup, help you close the gaps, and make sure you’re not leaving an open door for cybercriminals.
Contact us for an email security review.
About the Data
All findings are from the 2025 Email Threats Report by Barracuda Networks. Founded in 2003, Barracuda is a trusted cybersecurity provider offering cloud-enabled solutions for email protection, network security, and data backup. Their tools are used by over 150,000 organizations worldwide to defend against evolving cyber threats.