{
  "name": "March 2026 Phishing Email Trends Report",
  "slug": "march-2026-phishing-email-trends-report",
  "description": "In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.",
  "published": "2026-04-22T05:06:43+00:00",
  "created_at": "2026-04-22T05:06:43+00:00",
  "modified_at": "2026-04-22T06:29:43+00:00",
  "created_at_opencti": "2026-04-22T05:06:43+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-22",
    "agenttesla",
    "credential-theft",
    "fake invoices",
    "html phishing",
    "phishing email",
    "remcosrat",
    "script-based attacks",
    "trojan campaigns"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "108651da-083f-4bf0-be99-1b3f28f3967e",
        "name": "AgentTesla",
        "slug": "agenttesla"
      },
      {
        "id": "legacy:malware:82b2ec0fc1aa8617",
        "name": "RemcosRAT",
        "slug": "remcosrat"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "f32c7a65-b5a5-46ec-a8c7-d06ca5d27380",
        "name": "T1553.005"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "741a926d-4157-412c-9296-f701c8dbd56d",
        "name": "T1027.003"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2",
        "name": "T1071.004"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "ccp11nl.hyperhost.ua"
      },
      {
        "id": "",
        "name": "controller.airdns.org"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69e8738326fb86b891dd3c1f",
    "https://asec.ahnlab.com/en/93465/"
  ]
}