Phisher's Favorites

Phishers’ Favorites: After Five Quarters, Microsoft is Unseated by PayPal

Adrien Gendre

November 07, 2019

6 min

Today, we published our Phishers’ Favorites report for Q3 2019. Now in its sixth edition, Phishers’ Favorites ranks the 25 most impersonated brands in phishing attacks, based on the number of unique phishing URLs detected by Vade Secure within the quarter.


View the full list

After five quarters, Microsoft is unseated by PayPal for the #1 spot

For the first time since we began publishing Phishers’ Favorites, someone other than Microsoft claimed the #1 spot. In Q3 2019, the most impersonated brand was PayPal. While the online payments provider is consistently a popular target due to the immediate payback from hacked PayPal accounts, there has been a marked uptick in PayPal phishing in 2019. Unique PayPal phishing URLs surged 167.8% and 111.9% YoY in Q1 and Q2 2019 respectively. Q3 2019 saw 69.6% YoY growth (though only modest 4% QoQ growth), with 16,547 unique PayPal phishing URLs for an average of nearly 180 per day.

Phishers Favorites Q3 2019 Microsoft Paypal focus

PayPal remains the most widely used online payment service worldwide, with active user accounts climbing to more than 286 million in Q2. On top of that, two key initiatives revealed in Q3 may have contributed to its attractiveness as a target, as phishers often attempt to capitalize on the interest generated by news and other topical events. First, PayPal announced in July that it would play a big role in Facebook’s new cryptocurrency Libra (though it later pulled out). PayPal also announced it would expand Xoom, the international money transfer platform it acquired in 2015, to 32 countries, including Austria, France, Germany, Italy, Spain, and Portugal.

In terms of specific attacks, Vade recently uncovered an ongoing PayPal phishing campaign targeting more than 700,000 people, mainly in Europe. The emails threaten legal action, with subjects such as “Last reminder before judicial action.” The message states that the victim can avoid prosecution by paying a small sum, typically 45€. Several payment methods are offered, including a mailing address in the United States, a pay-per-call telephone number, and online payment, which, of course, is intended to be seen as the fastest and cheapest option. Upon clicking the link, users are redirected to a series of URL shorteners to land on a PayPal phishing page, with domains ending in .info, .cx, and .ae.

In another recent example, the PayPal phishing email appears to be a confirmation of a payment made to Ryanair in the sum of £356.98. The message, which spoofs the display name “” contains valid PayPal URLs along with in the message body. The one phishing link is the hyperlinked text “Click Here to cancel this transaction.” Of course, having not made the purchase, the recipient will be inclined to cancel the transaction—and cough up their credentials!


Microsoft dips to #2, as Office 365 phishing grows more sophisticated

As stated above, Microsoft relinquished its crown in Q3, dropping to the #2 spot on our list. The 13,849 unique Microsoft phishing URLs detected in Q3 was down -31.5% from last quarter, and represents the lowest total since Q1 2018 (11,178).

One can’t help but wonder what’s behind the decline. Could it be a temporary blip due to seasonality, with cybercriminals shifting from corporate to consumer targets over the summer months? After all, we saw a drop in Microsoft phishing—and a spike in Netflix phishing—last Christmas, when corporate users also tend to be out of office.

With more than 150 unique URLs per day, Office 365 phishing attacks are still widely popular. Moreover, cybercriminals have begun shifting their focus to the construction of the email and leveraging various randomization techniques to break through traditional defense layers. With this approach, there is less of a need to create a unique URL for each message; because the phisher is able to reuse the same webpage across many emails, the model becomes more scalable for them.

One emerging randomization technique is to leverage modified brand logos in phishing emails. The goal is to bypass template matching and feature matching algorithms that can only identify exact matches of logos and other images, while still being recognizable to recipients. In the Microsoft phishing email below, the phisher has put the Microsoft logo on a blue background for this reason. Fortunately, Vade has released a Computer Vision Engine that can accurately identify modified logos, along with other images used in phishing campaigns like QR codes and text-based images.

The engine has been trained to view images in web pages and emails as humans see them, by analyzing the rendering instead of the code. Moreover, to deal with this exact scenario, we have also developed an algorithm that randomly modifies logos and inserts them on random backgrounds in order to anticipate any kind of modification a hacker might make.


Another trend that we’ve seen in recent months is an increase in both the volume and variety of OneDrive/SharePoint phishing. Within this category, there is a progression of sophistication from fake notifications directly containing the phishing URL to real OneDrive notifications with a URL to a real file where the phishing URL is housed:

  • Fake document notifications – The example below is a fake SharePoint notification containing a phishing link. The email is very simple, but leverages display name spoofing (impersonating a business partner of the client, pretending to originate from their SharePoint site) and the hallmark sense of urgency (“message will be unavailable in 48 hours”).


  • Compromised account directly sending phishing URL – In this example, the email originates from a compromised Office 365 account, and appears to be sending the recipient an “encrypted document.” The hyperlink appears to be pointing to a SharePoint document (, but the actual URL underneath is completely random.

Email exemple1

  • Legitimate notifications for legitimate files containing phishing URLs – A third variation actually leverages the Office 365 platform to generate legitimate notifications with links to legitimate documents. In many instances, while the file itself is clean, it contains a link to a phishing page. We’ve also seen links to real files that function as a form (see example below) in order to capture credentials.

Email exemple 2

Netflix phishing continues its steady growth

In our Q3 ranking, Netflix edged up one spot to #3. The number of unique Netflix phishing URLs detected in Q3 was 13,562, up 14.1% QoQ and 73.7% YoY. In fact, Netflix phishing has been a model of consistency, with QoQ growth in each of the last six quarters.

Phishers Favorites Q3 2019 Netflix

Of course, Netflix’s continued growth is one driver for the corresponding growth in phishing campaigns. In the third quarter of 2019, Netflix had over 158 million paying subscribers worldwide, as well as over 5.5 million free trial customers. Another factor could be blockbuster releases. For instance, Stranger Things Season 3, released on July 4th, has been Netflix’s biggest show of the year with 64 million viewers. It’s logical for phishers to capitalize on the excitement and try and catch people off guard.

As with previous quarters, we continue to see a lot of suspended account or payment declined Netflix phishing emails, targeting both consumer and corporate email users. In the variation below (in Spanish), the link doesn’t lead to a form but rather directly to malware which will infect the recipient’s computer.


Rounding out the top 10

Facebook fell one spot to #4 in our Q3 report, due to a 20% decline unique phishing URLs. It appears the massive growth in Facebook phishing that we reported on last quarter has started to level off.

Bank of America and Apple retained the #5 and #6 spots respectively, though BofA phishing URLs dropped 1% compared to 66.8% growth for Apple. Chase surged eights spots to #7, thanks to a 70.2% increase in phishing URLs. CIBC, Amazon, and DHL all dropped one spot, to #8, #9, and #10 respectively.

In terms of Apple phishing, one interesting example is a recent email claiming that the recipient requested to remotely wipe their Apple data. The message goes on to state, “This is an unusual request, we have taken action to disable your AppleID to prevent abuse.” Of course, having not made such a request, the user might be tricked into clicking “Reactivate ID” to regain access to their account.

Exemple email 3

Financial services has 10 brands in the top 25, most phishing URLs for the first time

In terms of industry makeup, our Q3 Phishers’ Favorites report saw the biggest get even bigger. With eight brands in the top 25 in Q2, financial services added three (Sun Trust Bank, Desjardins, and BNP Paribas) and dropped one (Stripe) for a total to 10 in Q3. The number of cloud companies remained consistent at six. Internet/Telco (OVH), E-Commerce/Logistics (Alibaba), and Social Media (LinkedIn) each dropped one brand bringing their totals to four, three, and one respectively. Impôts rejoined the top 25, representing the lone government agency.

Phishers Favorites Q3 2019 Cloud industry

Regarding the share of overall phishing URLs, cloud’s streak of five straight quarters at the top ended in Q3. Financial services took the top spot for the first time, accounting for 37.9% of all URLs, thanks to big growth from Chase (70.2%), Sun Trust Bank (750.8%), Desjardins (194.7%), Société Générale (83.9%), and BNP Paribas (358.2%). Financial services was followed by cloud (32.6%), social media (13.3%), e-commerce/logistics (9.8%), and internet/telco (5.1%), and government (1.2%).


In terms of quarter-over-quarter (QoQ) growth, government was the biggest mover with 31.5% growth in phishing URLs—though on a much smaller base compared to the other industries. E-Commerce/Logistics also saw strong QoQ growth of 21.5%, while financial services grew 9.4%. Internet/telco, cloud, and social media saw phishing URLs drop 5.6%, 17.3%, and 18.6% respectively.

Phishers get a case of the Mondays; Wednesday remains a popular day to phish

Overall, 79.1% of phishing attacks were sent on weekdays in Q3, down slightly from 79.8% in Q2. The most popular days for phishing attacks shifted slightly from Tuesday and Wednesday in Q2 to Monday and Wednesday in Q3. The middle three days were Tuesday, Thursday, and Friday. The bottom two days, not surprisingly, were Saturday and Sunday.

Looking at individual brands, six out of the 10 top brands had Monday as one of their top two days. PayPal phishing was most common on Monday and Friday, while Microsoft was most prevalent on Monday and Tuesday (and virtually nonexistent on weekends). In terms the weekend, only Facebook had Saturday as one of its top days, while CIBC and Amazon phishing were popular on Sunday.

MSPs: use Phishers’ Favorites to educate your clients

For MSPs and resellers, Phishers’ Favorites presents a wealth of data to educate your clients on the dynamic threat landscape and how it’s continuously evolving. Ultimately, this could facilitate an opportunity to reassess the client’s existing email security controls and position a solution like Vade Secure for Office 365 to augment Office 365’s native protection with AI-based threat detection and auto-remediation.