Phishers’ Favorites Q3 2020: Microsoft Phishing Explodes in Summer Surge
Natalie Petitto
—October 29, 2020
—4 min read

Today, we published our Phishers’ Favorites report for Q3 2020. Now in its 10th edition, Phishers’ Favorites ranks the 25 most impersonated brands in phishing attacks, based on the number of unique phishing URLs detected by Vade within the quarter. As we protect 1 billion mailboxes in 76 countries, we have a unique view on global email traffic and the phishing campaigns targeting both consumer and corporate email accounts.

While 2020 has proven to be an unpredictable year globally, phishing activity detected by Vade in Q3 remained on track with what we’ve seen in previous years. The summer slump returned for Q3 2020, with unique phishing URLs decreasing from between June and August and then rising again in September.
While the summer season tends to result in fewer unique phishing URLs, phishing emails overall are more targeted. Hackers have moved on from sending mass waves and are more selective with their targets. The result is more personalized emails, which are far more effective than email blasts.
Explosion of Microsoft phishing keeps Microsoft in the #1 spot
In the top spot for eight of the last ten quarters, Microsoft is once again the most impersonated brand in phishing attacks. Vade detected 13,617 unique Microsoft phishing URLs in Q3, with a brief burst in July and ultimately an explosion of activity in September.

Emotet malware returned with a bang in July, with a mass wave of malspam laced with the Emotet virus hitting businesses around the world. French, Japanese, and Australian security agencies alerted businesses, and Microsoft released its own warning shortly after.

Vade sent similar warnings about Emotet in September. Along with huge increases in phishing URLs, we also detected a surge of phishing emails with both phishing URLs and password-protected .ZIP files. The wave continues today. We see limited Emotet activity on weekends and then surges of activity on weekdays when hackers target businesses and their employees who are checking work email.
In late August to early September, Vade detected a wave of Microsoft phishing URLs. On the week of August 21, Microsoft phishing increased dramatically, with 846 unique phishing URLs on August 26, and 1,799 on September 1. The trend continued through the week of September 21, with 1,151 Microsoft phishing URLs detected on September 24.
Microsoft’s reign at the top spot is directly proportional to its reign in its space. Microsoft 365 continues to dominate the corporate space and shows no sign of slowing down. As of this writing, Microsoft 365 has 268 million corporate users, a large pool of potential victims ready to bite on Microsoft phishing emails and webpages.
Cloud services is the most impersonated industry
Microsoft is just one of a handful of cloud services corporations that made the top 25 list. Representing 44 percent of phishing URLs and 17.9 percent quarter-over-quarter (QoQ) growth, cloud services boasted twice the phishing URLs of the second most impersonated industry, financial services.

The second most impersonated cloud brand after Microsoft is Netflix, which saw a slight decline in Q3 (2.3%) but managed to move up five spots to #7 on the list. Netflix phishing might seem like an odd choice for phishers targeting email, but the confluence of home and office hit unseen heights in 2020 due to the Coronavirus pandemic. It’s not unheard of for employees to open private accounts with their corporate email addresses, and you can bet they watched Netflix on their work laptops.
Financial services is the second most impersonated industry, with six brands in the top 25. With 2,512 unique phishing URLs in Q3, PayPal came in at #3. PayPal phishing hit its peak in 2019 and declined in Q1 2020. Chase, Bank of America, Wells Fargo, and Credit Agricole also made the top 25.
Ecommerce had five brands in the top 25, with eBay, Amazon, and DHL in the top 10. DHL first emerged in the top 10 in Q1 and has remained steady through Q3. Apple moved up two spots to #16 in Q3, back to its Q1 spot.
Social media represented four brands on the top 25 list. Although Facebook phishing URLs have declined, the brand remains a top-five brand, coming in at #2 for Q3 with 2,868 phishing URLs.
WhatsApp, which is owned by Facebook, came in at #8 after several quarters of increasing interest from hackers, followed by LinkedIn and Instagram.
Like Microsoft, Facebook’s dominance in its space is the main draw. LinkedIn phishers use lures like the one below, which hold promise for networkers and a potential lifeline for job seekers.

Monday, Tuesday, and Wednesday tie for the most active phishing days of the week
Weekdays are historically the most popular days for corporate phishing, and the trend continued in Q3. Monday, Tuesday, and Wednesday were the top days for phishing in Q3. Microsoft’s single-day high, however, came on a Thursday.

For more consumer-oriented brands, weekends are the most popular days. Facebook and WhatsApp for example, saw the most phishing on Saturdays and Sundays, while Netflix saw a little bit of both, with Wednesday and Sunday being the top days.
eBay emerges as a new phishers’ favorite
eBay phishing is growing. With a 53.5 percent increasing in phishing URLs in Q3, eBay is emerging as a popular brand with phishers and has steadily risen in the rankings on our Phishers’ Favorites report. The first spike came in Q1, when eBay jumped 18 spots to the #9 spot, steadily increasing to #7 and now #4. Why the sudden interest in eBay?

Like other ecommerce companies, particularly Amazon, eBay saw explosive growth in Q2 2020, thanks to global lockdowns and increases in online shopping. But eBay is also a marketplace for sellers who are eagerly awaiting good news from eBay and susceptible to clicking on phishing emails that bring both good and bad news. In the below example in German, the sender references an order confirmation. The attachment, a PDF, is password protected.

Phishing trends for the quarter
Unique phishing URLs for the top brands for the quarter were down overall, with the exception of Microsoft and eBay. As we saw throughout 2020, phishers are leaning toward more targeted attacks and away from mass waves that feature recycled phishing URLs embedded in thousands of emails.
We saw an increasing number of targeted attacks that target only a few individuals at a single company. In some cases, they target only one individual. Hackers often research these individuals in advance and know exactly when to reach out, how, and with what lures. Hackers were also highly creative with phishing links. As we saw with the wave of Emotet emails, hackers are getting better at hiding URLs, particularly in Word docs and PDFs disguised as invoices and contracts.
Read our previous Phishers’ Favorites reports to learn more about the evolution of phishing and how the top brands have trended up and down the list.