Security awareness training has become a commodity: annual computer-based training (CBT) modules, simulated phishing emails with obvious typos, and generic "don't click links" messaging. Meanwhile, attackers have access to generative AI, open-source adversary simulation frameworks, and years of refined social engineering playbooks targeting specific industries.
The result is a significant gap between what employees are trained to recognize and what they're actually going to receive in their inbox.
What Modern Phishing Actually Looks Like
// AI-Generated Spear Phishing
Generative AI has eliminated the spelling and grammar errors that used to be reliable red flags. Attackers now routinely produce phishing emails that are indistinguishable in writing quality from legitimate business communication. They pull context from LinkedIn profiles, firm websites, bar directories, and public court filings to personalize each email with details that make it feel real — the name of a partner, a current matter, a recent transaction.
// Adversary-in-the-Middle (AiTM) Phishing
This technique is worth understanding in detail because it defeats standard MFA. In an AiTM attack, the phishing link doesn't lead to a fake login page — it proxies the real Microsoft or Google login page in real time. The victim enters their credentials and completes their MFA challenge against what they believe is the real site. The attacker's proxy captures the session token that Microsoft issues after successful authentication. The attacker now has a valid, authenticated session — without ever having the password or MFA code. Tools like Evilginx have made this accessible to a wide range of threat actors.
AiTM phishing campaigns have specifically targeted M365 environments in professional services sectors. Microsoft's own threat intelligence has documented campaigns targeting law firms and financial services firms using this technique. The session tokens captured are often used immediately for BEC fraud — the attacker logs into the compromised mailbox and begins intercepting or redirecting financial communications within hours.
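The step that turns a captured token into a mailbox takeover is also the step a defender can see: the session was issued to the user's network after MFA, but it is then used from somewhere else. The following is an added example, not part of this post and not a vendor rule, showing one heuristic run over constructed sign-in records. The record shape (field names, the "mfa" values, the session identifier) is a simplified stand-in for a real sign-in log and is an assumption of the example.

```python
"""Flag sessions whose token is used from a new IP soon after MFA (possible AiTM replay).

Assumptions: the records below are constructed for this example and the field
names are a simplified stand-in for a real sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry).
SAMPLE_SIGNINS = [
    # Partner completes MFA from the office network, then the same session
    # appears from an unrelated address eight minutes later.
    {"time": "2024-05-01T09:02:10Z", "user": "partner@firm.example", "session_id": "s-1001",
     "ip": "203.0.113.10", "interactive": True, "mfa": "satisfied"},
    {"time": "2024-05-01T09:02:45Z", "user": "partner@firm.example", "session_id": "s-1001",
     "ip": "203.0.113.10", "interactive": False, "mfa": "previously_satisfied"},
    {"time": "2024-05-01T09:10:30Z", "user": "partner@firm.example", "session_id": "s-1001",
     "ip": "198.51.100.77", "interactive": False, "mfa": "previously_satisfied"},
    # Associate whose session stays on one network: benign.
    {"time": "2024-05-01T09:15:00Z", "user": "associate@firm.example", "session_id": "s-2002",
     "ip": "203.0.113.22", "interactive": True, "mfa": "satisfied"},
    {"time": "2024-05-01T10:40:00Z", "user": "associate@firm.example", "session_id": "s-2002",
     "ip": "203.0.113.22", "interactive": False, "mfa": "previously_satisfied"},
    # Paralegal who changes networks three and a half hours later (e.g. works from
    # home after lunch): outside the default window, so not flagged.
    {"time": "2024-05-01T08:00:00Z", "user": "paralegal@firm.example", "session_id": "s-3003",
     "ip": "203.0.113.30", "interactive": True, "mfa": "satisfied"},
    {"time": "2024-05-01T11:30:00Z", "user": "paralegal@firm.example", "session_id": "s-3003",
     "ip": "192.0.2.45", "interactive": False, "mfa": "previously_satisfied"},
]


def parse_time(stamp):
    """Parse the constructed ISO-8601 UTC timestamps."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(signins, window_minutes=60):
    """Return one alert per session whose token is first used from a different
    public IP within `window_minutes` of the MFA-satisfied interactive sign-in."""
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        # The interactive sign-in that satisfied MFA anchors the session to an IP.
        origin = next((e for e in events if e["interactive"] and e["mfa"] == "satisfied"), None)
        if origin is None:
            continue
        start = parse_time(origin["time"])
        deadline = start + timedelta(minutes=window_minutes)
        for event in events:
            when = parse_time(event["time"])
            if event["ip"] == origin["ip"] or when < start or when > deadline:
                continue
            alerts.append({
                "user": origin["user"],
                "session_id": session_id,
                "mfa_ip": origin["ip"],
                "replay_ip": event["ip"],
                "minutes_after_mfa": round((when - start).total_seconds() / 60, 1),
            })
            break  # one alert per session is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_SIGNINS):
        print(alert)
```

The main false-positive source is a legitimate network change (VPN toggling, mobile hand-off), so in practice the flagged session should be correlated with device compliance state and the IP's ASN or country before anyone revokes sessions. Widening `window_minutes` trades coverage for noise, as the third user shows.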
// Multi-Channel Lures
Attackers no longer rely on email alone. A common pattern: a phone call first to establish context ("I'm following up on the DocuSign we sent"), then the phishing email, then a text message with a link. Each channel adds legitimacy to the others. Victims who would dismiss an isolated email are far more susceptible when it's accompanied by a phone call they just received.
// Trusted Platform Abuse
Phishing links are increasingly hosted on legitimate platforms — SharePoint, OneDrive, Dropbox, DocuSign, Adobe Sign — because email security filters are far less likely to flag a link to microsoft.com or docusign.com. The malicious content is one click away from the legitimate platform. By the time a user realizes they've been phished, they've already authenticated to the attacker's capture page.
What Actually Defends Against Modern Phishing
- FIDO2 / passkey MFA — the only MFA type that is resistant to AiTM attacks because authentication is cryptographically bound to the legitimate domain. SMS and TOTP codes are AiTM-bypassable.
- Conditional Access with device compliance — requires that the device logging in is enrolled and compliant, making stolen session tokens much harder to use from an attacker's machine.
- Safe Links with real-time URL detonation — follows shortened URLs and redirects at click time, not delivery time, to catch late-stage payload swaps.
- Attack simulation training tied to real techniques — employees should see AiTM-style lures, not just obvious fakes. If your training vendor can't simulate modern techniques, it's not preparing your team.
- Verification culture — any request involving money, credentials, or sensitive data should trigger an out-of-band phone call to a number already on record. This is a process control, not a technical one, and it's highly effective.
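The first item on the list is the one that actually breaks the AiTM technique from the previous section, and it is worth seeing why in code. The following is an added model, not part of this post and not any vendor's implementation, of the two properties that make a passkey origin-bound: the authenticator only releases a credential for the relying-party ID the browser derives from the page the user is really on, and the signed data includes a clientDataJSON (built by the browser, not by the page) naming that origin. Assumptions in the example: the hostnames are constructed, and an HMAC keyed with a per-credential secret stands in for the authenticator's public-key signature so that it runs on the standard library alone; the lesson is what gets signed, not the primitive.

```python
"""Model of why a FIDO2/passkey assertion cannot be relayed through an AiTM proxy.

Assumptions: an HMAC with a per-credential secret stands in for the
authenticator's public-key signature; the origins below are constructed.
"""
import hashlib
import hmac
import json
import os

LEGIT_ORIGIN = "https://login.firm-tenant.test"         # constructed real sign-in origin
PROXY_ORIGIN = "https://login.firm-tenant-secure.test"  # constructed AiTM proxy origin


def rp_id_from_origin(origin):
    """Browsers derive the default RP ID from the effective domain of the page."""
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Holds one credential per RP ID and releases nothing for an unknown RP ID."""

    def __init__(self, scope_check=True):
        self.credentials = {}            # rp_id -> per-credential secret
        self.scope_check = scope_check   # False models a hypothetical authenticator that ignores scoping

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]

    def get_assertion(self, rp_id, client_data_json):
        secret = self.credentials.get(rp_id)
        if secret is None:
            if self.scope_check:
                return None              # no credential for this domain: nothing to sign
            secret = next(iter(self.credentials.values()))
        # authenticatorData = rpIdHash (32 bytes) || flags (UP) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, signed, "sha256").digest()


def browser_webauthn_get(page_origin, challenge, authenticator):
    """Browser side of navigator.credentials.get(): the origin is the page the user is on."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    result = authenticator.get_assertion(rp_id_from_origin(page_origin), client_data_json)
    if result is None:
        return None
    auth_data, signature = result
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data, "signature": signature}


def relying_party_verify(expected_origin, challenge, credential_secret, assertion):
    """The real site's checks, roughly in the order the WebAuthn spec lists them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"   # the binding an OTP code never has
    rp_id_hash = hashlib.sha256(rp_id_from_origin(expected_origin).encode()).digest()
    if assertion["authenticatorData"][:32] != rp_id_hash:
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(credential_secret, signed, "sha256").digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def simulate(page_origin, scope_check=True):
    """Enrol a passkey at the real site, then sign in from a page at `page_origin`.

    In the AiTM case the proxy relays the real site's challenge to the browser
    and relays whatever the browser returns back to the real site, unchanged.
    """
    auth = Authenticator(scope_check=scope_check)
    secret = auth.register(rp_id_from_origin(LEGIT_ORIGIN))
    challenge = os.urandom(16).hex()                       # issued by the real site
    assertion = browser_webauthn_get(page_origin, challenge, auth)
    if assertion is None:
        return False, "no credential scoped to " + rp_id_from_origin(page_origin)
    return relying_party_verify(LEGIT_ORIGIN, challenge, secret, assertion)


if __name__ == "__main__":
    print("real site        :", simulate(LEGIT_ORIGIN))
    print("AiTM proxy       :", simulate(PROXY_ORIGIN))
    print("proxy, no scoping:", simulate(PROXY_ORIGIN, scope_check=False))
```

Note that in the `scope_check=False` case the signature itself still verifies, because the proxy forwarded the bytes unchanged; it is the origin check on clientDataJSON, and after it the rpIdHash check, that rejects the relayed assertion. A TOTP or SMS code has no equivalent field: the six digits typed into the proxy page are the same six digits the real site expects, which is exactly why those factors are listed as AiTM-bypassable.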
The Bottom Line on Awareness Training
Training is necessary but not sufficient. No amount of training eliminates the risk of a well-crafted, contextually targeted phishing email — especially under the time pressure conditions that characterize professional services work. Training reduces the attack surface. Technical controls catch what training misses. Both layers are required.
If you're relying on annual training alone and haven't reviewed your M365 security configuration in the past 12 months, your firm's exposure to modern phishing is significantly higher than you likely realize.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.