Phishing Activity Drops 20% as Attackers Shift to Targeted Campaigns, Zscaler Reports
Zscaler ThreatLabz reports phishing activity declined ~20% in both 2024 and 2025, with attackers moving from mass campaigns to targeted phishing mimicking routine business communications.
Phishing activity declined by roughly 20% in both 2024 and 2025, according to research from Zscaler's ThreatLabz team. The drop followed years of growth that pushed phishing activity above 2 billion hits in 2023. Researchers found that blocked-email volume alone is no longer a reliable proxy for phishing risk, as attackers have shifted tactics.
Instead of mass campaigns, threat actors are increasingly using targeted phishing designed to resemble routine business communications. The services sector recorded a 65.5% year-over-year increase in phishing activity, making it the most targeted industry in the dataset. Billing notices, onboarding documents, renewals, support requests, and document-sharing workflows appeared frequently in campaigns targeting the sector. One campaign cited by Zscaler used tax-themed lures and legitimate services such as OneDrive to target more than 29,000 users across 10,000 services organizations.
Microsoft and Google topped the list of brands most frequently impersonated in phishing campaigns. Credentials tied to those platforms often provide access to multiple business services through a single account. A Microsoft 365 login can unlock email, files, Teams, SharePoint, OneDrive, and connected SaaS applications, meaning access to one account can expose a much larger portion of an organization's environment.
AI site builders are becoming part of phishing operations. ThreatLabz identified 413,524 AI-generated website instances and classified 37,447 of them as malicious. The activity was associated with platforms including Manus AI, Blackbox AI, Anything AI, Bolt AI, Vercel v0, and Framer AI. Researchers documented phishing pages, fake applications, and brand impersonation sites created through these services. One case involved a counterfeit Coinbase Wallet website generated with an AI application builder that promoted a fake browser extension.
More than 95% of phishing activity observed by Zscaler was delivered over encrypted channels. Researchers also found that 87% of all malicious activity blocked during 2025 was delivered over HTTPS. Credential theft, session abuse, and redirects increasingly occur through the same encrypted connections employees use to access cloud applications and business services.
Attackers are bypassing MFA in real time using phishing kits that combine adversary-in-the-middle (AiTM) and browser-in-the-middle (BiTM) techniques to intercept login sessions and capture credentials, MFA codes, and session tokens. BlackForce, a phishing-as-a-service platform cited by ThreatLabz, was among the examples, turning a single click into a session-level compromise.
Attack surface discovery is happening at scale. Between October 2025 and March 2026, external decoys deployed in customer environments recorded 89.9 million hostile interactions from 1.37 million unique attacker IP addresses. Attackers were probing exposed services and looking for assets that could provide a path into an organization. Cloud infrastructure is fueling scanning activity, with ThreatLabz observing more than 121,000 AWS-hosted IP addresses probing customer environments.
Zscaler expects phishing campaigns to become more automated in 2026, with AI agents targeting other AI agents, attacks moving between email, messaging apps, SMS, and voice channels, and attackers focusing on active sessions and identities instead of credentials alone.