Spear phishing attacks bypassed DMARC email authentication in 70 percent of cases detected last year, according to Darktrace’s newly released 2025 annual report. The figure is striking enough on its own. But the broader picture reveals something more unsettling: the technical filters most organizations rely on are being outpaced by attackers who have shifted their focus from software vulnerabilities to human identity. Building a credible managed security awareness program now requires more than a working spam filter.
What Darktrace Found in 32 Million Phishing Emails
Darktrace’s platform detected 32 million high-confidence phishing emails across its customer base in 2025. Of those, 41 percent were classified as spear-phishing, meaning attackers had personalized the message for a specific target rather than broadcasting a generic lure. More than 8.2 million emails were directed specifically at executives, finance staff, and IT administrators, making up roughly one in four of all phishing attempts detected.
The tactics are diversifying rapidly. Over 1.2 million phishing emails incorporated malicious QR codes that redirect recipients to credential-harvesting sites outside normal email scanning scope. Another 1.6 million originated from freshly registered domains designed specifically to evade reputation-based blocklists. Nearly one-third of phishing emails exceeded 1,000 characters, mimicking the length and formality of legitimate business correspondence.
AI is accelerating all of this. The CrowdStrike Global Threat Report 2026 documented an 89 percent increase in attacks by AI-enabled adversaries compared to the previous year. Threat actors are deploying large language models to write polished phishing messages in multiple languages, cut production time, and generate convincing impersonation content at a scale that was not feasible two years ago.
Why Identity Is Now the Attacker’s Primary Target
Perhaps the most significant shift documented in the Darktrace report is what attackers are ultimately after. Identity compromise has overtaken direct vulnerability exploitation as the leading attack vector. Rather than hunting for software flaws, adversaries are stealing credentials, hijacking session tokens, and taking over trusted accounts to move through organizations without triggering conventional security alerts.
In the Americas, Microsoft 365 and SaaS account takeovers represent 70 percent of all incident cases Darktrace observed in the region. Once an attacker controls a legitimate account, they can send internal emails that bypass every external filter, access sensitive systems, redirect financial transactions, and persist in an environment for weeks. The credential theft that enables all of this almost always begins with a phishing email that a real person opened and clicked.
What Technical Filters Cannot Catch
DMARC was designed to stop email spoofing by verifying that messages actually originate from the claimed sending domain. For years, organizations treated it as a solid first line of defense. The finding that 70 percent of targeted phishing emails bypassed it entirely reflects a fundamental change in attacker methods. Modern campaigns use lookalike domains registered days before deployment, compromised legitimate accounts that pass all authentication checks, and multi-stage redirects that move the malicious payload off the original email entirely.
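The gap described above, shown as an added example (not code from Darktrace or from this article): a lookalike domain publishes its own SPF, DKIM and DMARC records, so the receiving server records `dmarc=pass`, and only a comparison against the organization's own domains exposes it. The `PROTECTED` set, the sample addresses and the edit-distance threshold of 2 are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization sends from (hypothetical values).
PROTECTED = {"example.com", "example-bank.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Classify a message by From domain and the recorded DMARC verdict."""
    msg = message_from_string(raw)
    # Only trust an Authentication-Results header stamped by your own MTA.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    verdict = m.group(1).lower() if m else "none"
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in PROTECTED:
        # A pass here says nothing about whether the account is compromised.
        return "own-domain-authenticated" if verdict == "pass" else "spoof-suspect"
    if any(edit_distance(domain, p) <= 2 for p in PROTECTED):
        return "lookalike-dmarc-pass" if verdict == "pass" else "lookalike"
    return "external"

def sample(from_addr, verdict):
    """Build a constructed test message (not real traffic)."""
    d = from_addr.rpartition("@")[2]
    return (f"Authentication-Results: mx.example.com; dmarc={verdict} header.from={d}\n"
            f"From: Sender <{from_addr}>\nSubject: Invoice update\n\nPlease review.\n")

if __name__ == "__main__":
    for addr, v in [("ap@examp1e.com", "pass"), ("ceo@example.com", "fail"),
                    ("cfo@example.com", "pass"), ("news@unrelated.org", "pass")]:
        print(addr, v, "->", triage(sample(addr, v)))
```

The third case is the one authentication cannot help with: mail sent from a taken-over account on a protected domain authenticates exactly like legitimate mail, so it has to be caught by behavioral signals or by the recipient.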
Darktrace also found that 38 percent of phishing emails in 2025 incorporated social engineering techniques that had not been documented before. Signature-based and rule-based detection tools identify threats by matching them against known patterns. When the technique is genuinely novel, those tools see nothing. The threat is no longer just high volume. It is designed specifically to be invisible to filters.
Building Social Engineering Defense That Holds Under Pressure
When attackers are crafting personalized messages that clear every technical checkpoint, the human layer becomes the organization’s most important control. Employees need to recognize warning signs that no filter can evaluate: unexpected credential requests from trusted contacts, a sense of urgency attached to an action that bypasses normal approvals, or a login page that looks exactly right but arrived through an unusual route. These are judgment calls, and judgment improves with practice.
A human risk management program gives security teams a way to identify who in the organization is most likely to be targeted and concentrate training investments accordingly. Executives, finance staff, and anyone with access to privileged systems deserve more frequent and more realistic testing than a once-a-year module. The Darktrace numbers confirm that attackers already know who to target. Defenders should too.
The volume of AI-generated, identity-focused phishing in 2025 is a signal that the current approach to security awareness needs to reflect what attackers are actually doing today. Organizations that have not reviewed their training content and simulation scenarios recently should take stock now. To understand where the gaps in your team’s current posture are, schedule a consultation with a team that specializes in this kind of assessment.