Sydney, Australia – 29 April 2025 — Barracuda Networks, Inc., a leading cybersecurity company providing complete protection against complex threats for all sized businesses, today released the 2025 Email Threats Report, which details the current state of email-based risks facing organisations worldwide, based on Barracuda’s threat detection data. The findings highlight how attackers continue to shift malicious links and content to attachments in the hope of evading detection by security tools. Advanced AI-based threat detection is critical for detecting such hidden threats.

As many as 20% of organisations experienced at least one attempted or successful account takeover (ATO) incident per month, with attackers typically trying to gain access through phishing, credential stuffing or by exploiting weak or reused passwords. Once inside an account, attackers can steal sensitive data, move laterally inside the organisation, and send phishing emails that appear to be from a trusted source.

The findings show that:

• 23% of HTML attachments are malicious, making them the most weaponized text file type. More than three-quarters of the malicious files detected overall were HTML files. When used legitimately, HTML attachments in emails enable organisations to share content, such as newsletters or invitations, that display properly when opened in an email client or web browser.
• 68% of malicious PDF attachments and 83% of malicious Microsoft documents contain QR codes designed to take users to phishing websites.
• Bitcoin sextortion scams account for 12% of malicious PDF attachments.
• 47% of email domains do not have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured to protect against unauthorised use, including spoofing and impersonation attacks.
• 24% of email messages overall are now unwanted or malicious spam.

“Email remains the most common attack vector for cyberthreats because it provides an easy entry point into corporate networks,” said Olesia Klevchuk, product marketing director, Email Protection at Barracuda. “Malicious email attachments, QR codes and URLs are used by attackers to distribute malware, launch phishing campaigns and exploit vulnerabilities. Many organisations increase their risk level by failing to implement DMARC, making it possible for attackers to impersonate their brand and implement fraudulent attacks. Organisations need to mitigate the risks by implementing best practice industry standards and adopting a multi-layered approach to email security, leveraging AI-driven threat detection to spot attacks hidden in attachments and malicious websites.”

To learn more about the email threat landscape in 2025 and best practice security recommendations, please see the full 2025 Email Threats Report.

This report contains proprietary Barracuda research gathered during February 2025. During that time, nearly 670 million malicious, spam or unwanted emails were analysed. The report presents the key findings from that data.

– ENDS –

About Barracuda

Barracuda is a leading cybersecurity company providing complete protection against complex threats. Our platform protects email, data, applications, and networks with innovative solutions, and a managed XDR service, to strengthen cyber resilience. Hundreds of thousands of IT professionals and managed service providers worldwide trust us to protect and support them with solutions that are easy to buy, deploy, and use. For more information, visit barracuda.com.

Barracuda Networks, Barracuda and the Barracuda Networks logo are registered trademarks or trademarks of Barracuda Networks, Inc. in the U.S., and other countries.