AI phishing, malicious SVGs continues after surge over holidays

A report based on millions of phishing emails reported to Hoxhunt in 2025 and early 2026 revealed a massive surge in AI-generated phishing attempts at the end of last year, as well as a 50-fold increase in malicious SVG attachments.

The Hoxhunt Phishing Trends Report, released Thursday, noted that AI-generated content made up less than 5% of phishing attempts for the first 11 months of 2025, but rose to 56% during the December 2025 holiday season, a 14-fold increase.

Notably, the trend did not fully reverse in January 2026, with 40% of phishing attempts showing signs of AI generation that month. These signs included descriptive HTML comments included in email templates, emojis that emphasize actions (such as a phone emoji next to a malicious phone number) and overly polished or formal language, according to Hoxhunt.

The most common theme for AI phishing attempts was fraudulent offers for free products or rewards, such as free car emergency kits or airline rewards, appearing in 18.6% of AI-generated malicious emails. An additional 13.1% impersonated financial service providers like banks, insurance companies or PayPal.

Fake invoices and human resource (HR) team impersonation were also common, making up 8.3% and 8.2% of AI-assisted phishing lures, respectively. AI-driven phishing attacks used malicious links in 43.1% of cases, while 11% used malicious attachments and 4.9% directed victims to call a phone number. About a fifth of phishing links used open redirects to mask their malicious origin from users and spam filters, Hoxhunt noted.

“AI makes phishing harder to detect. Scammers can quickly create polished emails, insert details from LinkedIn, and make them highly personal. It’s no longer just copying and pasting. Since they can tell the AI what words or patterns to avoid, many of the usual phishing triggers don’t even trigger,” noted Krishna Vishnubhotla, vice president of product strategy at Zimperium, in comments to SC Media.

Despite the surging volume of AI assisted phishing attacks, Hoxhunt noted that more sophisticated techniques such as voice or video deepfakes and “agentic spear phishing” were not observed at a mass scale.

Additionally, the researchers noted that AI appeared to struggle in attempts to auto-personalize phishing templates, frequently failing to replace placeholders such as “##victimdomain##,” making the malicious intent obvious.

“In 2025, we observed no decline in placeholder artifacts, suggesting that GenAI phishing has not yet mastered personalization,” the researchers wrote.

Other notable findings from Hoxhunt’s research include an observed 50-fold increase in the use of malicious scalable vector graphics (SVG) attachments. SVGs are now the third most common malicious attachment, surpassing .docx and .eml, and making up about 5% of all phishing attachments. PDFs remain the most common, seen in 24% attacks, followed by HTML files at 5.6%, down from 10% in 2024.

Callback phishing emails, which instruct targets to call a malicious phone number, were also highlighted in the report, citing a 500% increase in such attacks in Q4 2025 as previously reported by VIPRE Security Group. Hoxhunt’s research found that financial service impersonation was the most common type of callback phishing, at 27.1%, followed by invoice phishing at 26.6%.

Microsoft, Docusign and internal HR departments were the top three most commonly impersonated entities across all phishing emails, and gmail.com was the most common sender domain for malicious emails, used by 20% of attackers.

Hoxhunt’s report also includes data from more than 50 million phishing simulations, finding that .ics calendar invite files had one of the highest failure rates at 24%. The researchers noted that these calendar files are often automatically added as events to users’ calendars and may need to be manually deleted from calendars even after emails are deleted or reported.