
Ransomware’s Favorite Door? Phishing Attacks

Phishing has fueled ransomware in 2025, with AI-powered lures and PhaaS kits driving attacks. Learn how identity-first defenses can help.

Written by Ken Underhill
Sep 23, 2025

Ransomware hit 85% of organizations last year. And in most cases, phishing opened the door.

According to SpyCloud’s new Identity Threat Report, phishing now accounts for 35% of ransomware intrusions in 2025, up from 25% the year before.

“Phishing can no longer be seen as just a nuisance; it’s a primary launching point for ransomware and other identity-based attacks,” Trevor Hilligoss, head of security research at SpyCloud, said in a company press release.

Driving the surge is a booming underground economy. Phishing kits and Phishing-as-a-Service (PhaaS) enable even novice attackers to create convincing fake sites, automate lures, and bypass multi-factor authentication in minutes. What once required technical skill is now point-and-click… and it’s fueling a relentless wave of ransomware break-ins worldwide.

The ransomware reality check

SpyCloud’s report reveals a troubling disconnect between confidence and reality.

While 86% of security leaders believe they can stop identity-driven threats, fewer than 1 in 5 have the automated tools needed to remediate exposed identities. That gap is showing in the field: the vast majority of organizations — 85% in the past year alone — experienced at least one ransomware attack.

Phishing’s new playbook

Modern phishing blends proven social engineering with sophisticated tooling and automation, producing attacks that are both highly targeted and scalable.

Attackers scrape LinkedIn and repos while also gathering other OSINT to craft convincing spearphishing lures. They then boost credibility with look-alike domains, typosquats, and deceptive subdomains.

On the technical side, commodity services and proxy frameworks have removed much of the skill barrier. 

Phishing-as-a-Service (PhaaS) offerings let low-skill actors spin up brand-clone pages, dashboards, and rotating hosting in minutes, while AiTM proxies (e.g., Evilginx-style kits) transparently proxy real logins to harvest session cookies and tokens that bypass MFA.

Successful lures often drop infostealers or harvest credentials and cookies, creating immediate footholds for follow-on actions, such as lateral movement and ransomware deployment.

The result is a fast, resilient attack chain: personalized lures, look-alike domains, proxy/PhaaS token capture, and infostealers that persist and exfiltrate data — even from endpoints with AV/EDR. That combination makes detection and remediation more difficult.

AI now amplifies these tactics, automating personalization, content variation, and webpage cloning to scale phishing campaigns and evade traditional defenses.

How threat actors weaponize AI to supercharge phishing attacks

  • Automated personalization at scale: LLMs ingest public profiles and produce bespoke emails, chat messages, or voice scripts that mimic tone, role, and context — making mass campaigns hyper-targeted.
  • Content evasion and paraphrasing: AI can rewrite phishing text to evade static keyword filters and produce many unique variants that defeat signature-based email defenses.
  • Rapid webpage cloning: AI-assisted tooling automates scraping of legitimate pages and generation of convincing phishing pages (including localized content), reducing the time attackers need to prepare campaigns.
  • Deepfakes & voice phishing (vishing): Synthesized audio/video can convincingly impersonate executives or vendors to authorize wire transfers or credential disclosure.
  • Automated reconnaissance and optimization: AI workflows can test multiple lures, subject lines, and send times to maximize conversions, then pivot based on which templates succeed.

These AI-powered tactics raise the stakes for defenders, making it crucial for organizations to strengthen their identity-first defenses and adapt more quickly than attackers.

How organizations can respond and mitigate risk

Security teams should prioritize identity-first defenses that directly address phishing, infostealers, and session hijacking.

  • Adopt phishing-resistant MFA and strong identity monitoring to block adversary-in-the-middle attacks, revoke compromised sessions, and automate credential resets.
  • Enforce email and domain protections (DMARC, SPF, DKIM) while monitoring for spoofed or look-alike domains.
  • Deploy behavioral and AI-driven analytics to detect anomalous logins, token misuse, content variation, and cloned phishing pages at scale.
  • Train employees with advanced simulations that include AI-generated lures, deepfake vishing, and other modern phishing tactics.
  • Use threat intelligence and takedown services to identify and rapidly remove phishing kits, fake domains, and cloned websites.
  • Strengthen endpoint, vendor, and transaction controls with EDR visibility, application whitelisting, supply chain vetting, and out-of-band verification for high-risk actions.
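The look-alike domains, typosquats and deceptive subdomains described above can be triaged mechanically before a message reaches a user. The following is an added example, not code from the article or from SpyCloud: it classifies sender domains against an organisation's own domains. `PROTECTED`, the homoglyph table, the 0.8 similarity threshold and the sample inputs are constructed assumptions, and `registrable()` deliberately ignores the public suffix list for brevity.

```python
# Added example (not from the article): triage sender domains against an
# organisation's own domains to surface look-alike domains, typosquats,
# homoglyph swaps and deceptive subdomains. PROTECTED, the homoglyph table
# and the 0.8 threshold are constructed assumptions.
from difflib import SequenceMatcher

PROTECTED = {"example.com", "example-bank.com"}  # hypothetical org domains

# Single-character swaps used to imitate letters (illustrative set only)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalise(domain: str) -> str:
    """Undo common look-alike substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")  # two-letter imitations

def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels (no public suffix list)."""
    return ".".join(domain.split(".")[-2:])

def classify(sender_domain: str) -> str:
    d = sender_domain.lower().rstrip(".")
    reg = registrable(d)
    if reg in PROTECTED:
        return "legitimate"               # our domain or a true subdomain of it
    for p in PROTECTED:
        if p in d:
            return "deceptive-subdomain"  # e.g. login.example.com.attacker.net
    if normalise(reg) in PROTECTED:
        return "homoglyph"                # e.g. examp1e.com, exarnple.com
    for p in PROTECTED:
        if SequenceMatcher(None, reg, p).ratio() >= 0.8:
            return "typosquat"            # e.g. exampel.com (one transposition)
    return "unrelated"

def triage(sender_domains):
    """Map each sender domain to a verdict for gateway or SOC review."""
    return {dom: classify(dom) for dom in sender_domains}

if __name__ == "__main__":
    # Constructed sample of From: domains as a mail gateway log might list them
    sample = ["mail.example.com", "login.example.com.attacker.net",
              "examp1e.com", "exarnple.com", "exampel.com", "github.com"]
    for dom, verdict in triage(sample).items():
        print(f"{verdict:20} {dom}")
```

Verdicts other than `legitimate` and `unrelated` are candidates for quarantine and for the takedown workflow mentioned in the list above.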

As identity-driven threats evolve, security leaders will need to shift from reactive, behavior-based defenses to holistic identity protection strategies that close visibility gaps and neutralize risks before they escalate.

To stay ahead of ransomware fueled by phishing, organizations should pair these identity-first strategies with proven ransomware protection tools that strengthen recovery and resilience.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
