A no-hype 2025 briefing: why SVGs spiked, what still bypasses filters, how Microsoft 365 and Google Workspace differ, and the simple training moves that make people safer.
Security leaders don’t need more headlines - they need inbox reality: what bypasses filters, what people click, and where to train next.
In this episode, host Eliot Baker sits down with Maxime Cartier, Hoxhunt’s Head of Human Risk Management, to unpack the State of Phishing 2025: why SVG attachments spiked, what still works, how the Microsoft vs. Google stack changes the threat mix, and the training moves that actually change behavior.
In this episode of All Things Human Risk Management, we get practical about phishing in 2025 - what actually lands in inboxes, why SVG attachments suddenly matter, and which old tricks still do the damage. Host Eliot Baker sits down with Hoxhunt’s Head of Human Risk Management, Maxime Cartier, to translate real user reports into an operator’s playbook: tune training to your stack, focus on behaviors that prevent loss, and measure the moments that matter.
What you measure becomes your program. If you anchor on blocked attempts, you’ll optimize for the wrong problem. Anchor on what reaches people and train from that evidence.
“These are the emails that are bypassing the filters… this is what matters and what we need to train people about.”
Despite headlines, the dependable workhorses remain PDF and HTML. Wrapped in believable business workflows - DocuSign or file-sharing notifications, HR and payroll themes, fake voicemails - they still convert. The lesson: simulate and coach to these patterns first.
“PDF files are still king.”
SVGs jumped from rounding error to a meaningful slice of reported threats because they look like images while behaving like code. That dual nature helps them slip through simplistic checks, especially in multi-step flows.
“SVG averaged around 5% this year… up to 15% in March... It looks like an image - actually it’s code.”
Attackers often avoid attachments altogether to dodge early filters. They start with a benign-looking link, then escalate. Knowing the sequence helps you simulate and teach the pause.
“No attachment → ShareFile link → download SVG → password prompt → credential harvester.”
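The point behind "it looks like an image, actually it's code" and the ShareFile-to-SVG chain above is that an SVG is XML that can carry script, event handlers and clickable links, so a gateway or triage script should parse it rather than trust the image extension. This added example (not Hoxhunt's code or anything from the episode) does that parse and reports the active content it finds; the two sample SVGs and all names are constructed.

```python
"""Treat SVG attachments as code, not images.

Added example (not Hoxhunt's code or the podcast's): a gateway-style
check that parses an SVG as XML and reports the active content that
lets it behave like code. Sample SVGs and names are constructed.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted input


def svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return reasons this SVG should not be trusted as a plain image (empty = none found)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-xml"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop the XML namespace prefix
        if tag == "script":
            findings.append("script-element")  # JavaScript inside an "image"
        elif tag == "foreignobject":
            findings.append("foreignObject-element")  # can embed arbitrary HTML
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):
                findings.append(f"event-handler:{name}")  # e.g. onload runs on render
            elif name == "href":
                if re.match(r"\s*(javascript|data):", value, re.I):
                    findings.append("href-uri:" + value.split(":")[0].strip().lower())
                elif re.match(r"\s*https?:", value, re.I):
                    findings.append("external-link")  # clickable link, the lure step
    return findings


# Constructed samples: a static icon and an SVG carrying active content.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="void(0)"/>
  <script>/* constructed: inert script, flagged by element name alone */</script>
  <a xlink:href="https://files.example.invalid/doc"><text y="9">Open document</text></a>
</svg>"""

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_active_content(data) or "no active content")
```

A non-empty result is the cue to quarantine or at least strip the attachment rather than render it inline; the benign icon comes back with nothing flagged.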
Your environment shapes the lure mix and the signal in user reports. Microsoft tenants see a higher ratio of malicious reports and more Microsoft-branded and HR themes; Google shows more SaaS and DocuSign. Calibrate simulations, tips, and examples accordingly.
“In Google… 12% of reports were malicious; in Microsoft… 34.7%... Google saw more DocuSign and SaaS; Microsoft saw more Microsoft apps and HR/payroll.”
AI raises volume and polish, but that doesn’t automatically raise risk to people. Keep the main thing the main thing: coach for what actually reaches the inbox and tempts a click.
“If attacks are blocked by the filters, I don’t care… what matters is what makes it into the inbox.”
When money or data is at stake, teach the reflex to pause and switch channels. Pre-agree callback rules and known numbers so employees can act fast without guessing.
“Pause and then verify… use different channels to check the sender.”
Recency is the multiplier. Short, frequent reps outperform long, rare trainings. Measure report rate and time-to-report as your leading indicators.
“People trained in the past 30 days were four times more likely to report a phish.”
Bring screenshots from your own tenant into monthly drills. Mirror the current mix: PDFs and HTML, the top lures, and selected SVG flows. Track verification before approvals and changes, not just course completions.
“Take a screenshot… this is what is actually happening.”