Joy Agwunobi
Microsoft emerged as the most impersonated brand in phishing attacks during the fourth quarter of 2025, accounting for nearly a quarter of all detected brand-based phishing attempts worldwide, according to data released by Check Point Research.
The cybersecurity research group reported that Microsoft was mimicked in 22 percent of global phishing campaigns for the period. Following closely were Google at 13 percent, Amazon at 9 percent, and Apple at 8 percent. Facebook re-entered the top 10 list in fifth place with 3 percent, while PayPal, Adobe, and Booking each accounted for 2 percent. DHL and LinkedIn rounded out the ranking with 1 percent each.
Check Point Research noted that the findings continue a recurring trend in which cyber attackers target widely used consumer and workplace platforms. These campaigns are primarily designed to steal login credentials, providing attackers with a pathway to compromise additional accounts or sensitive data.
Amazon’s increased ranking reflected heightened activity during peak retail periods, particularly Black Friday and the holiday shopping season. Meanwhile, Microsoft and Google’s consistent presence at the top underscored the high value of credentials associated with productivity tools and cloud services, which can facilitate deeper breaches of consumer and corporate accounts. Facebook’s return to the top 10 was attributed to a renewed focus on social media account access and identity theft.
The report highlighted the adaptive nature of phishing campaigns, noting that cybercriminals often switch between brands with strong user trust, including those in payments, travel, and logistics.
Check Point Research detailed several illustrative campaigns. One targeted Roblox users through a lookalike domain that mimicked the brand name with a subtle letter change. Visitors were presented with a Roblox-themed game page featuring realistic visuals and a “Play” button, followed by a second-stage page replicating the official login interface. Users who entered their credentials were unknowingly providing attackers with full account access.
Another campaign impersonated Netflix, using the domain netflix-account-recovery[.]com. The phishing site mirrored Netflix’s login and account recovery process, prompting users for email addresses, phone numbers, and passwords, enabling potential account takeovers and downstream fraud.
A Facebook-themed phishing page was also observed, hosted on facebook-cm[.]github[.]io and delivered via email in Spanish. The site replicated Facebook’s login portal, harvesting email addresses, phone numbers, and passwords for unauthorised access and subsequent exploitation.
The research group explained that brand phishing remains highly effective due to the use of familiar digital services, subtle lookalike domains, professionally designed pages, and multi-stage flows that appear legitimate. Campaigns frequently exploit emotional triggers, such as urgency, reward, or brand familiarity, to compel users to act quickly.
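For defenders triaging reported links, the lookalike patterns described above can be screened mechanically. The following is an added example, not Check Point Research's tooling: it assumes each brand's official domain is `<brand>.com`, uses a four-entry stand-in for the Public Suffix List, and the hosts `robiox.example` and `netflix.com.evil.example` are constructed samples.

```python
import re

# Assumed allowlist: brand -> official registrable domain (brands named in the article).
OFFICIAL = {b: b + ".com" for b in (
    "microsoft", "google", "amazon", "apple", "facebook", "paypal",
    "adobe", "booking", "dhl", "linkedin", "roblox", "netflix")}
# Tiny stand-in for the Public Suffix List. "github.io" is a suffix because
# every subdomain under it belongs to a different user.
SUFFIXES = {"com", "io", "github.io", "example"}

def refang(host):
    """Undo the [.] defanging used in reports and normalise case."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def registrable(host):
    """Return (registrable domain, labels left of the public suffix)."""
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]), labels[:i]
    return None, []

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Label a host as official, brand-token, near-miss, no-match or unknown-suffix."""
    domain, labels = registrable(refang(host))
    if domain is None:
        return ("unknown-suffix", None)
    if domain in OFFICIAL.values():
        return ("official", domain.split(".")[0])
    tokens = [t for label in labels for t in re.split(r"[-_]", label) if t]
    for tok in tokens:                       # brand name used as a whole word
        if tok in OFFICIAL:
            return ("brand-token", tok)
    for tok in tokens:                       # one-character change to a brand
        for brand in OFFICIAL:               # short brands skipped to limit false hits
            if len(brand) >= 6 and edit_distance(tok, brand) == 1:
                return ("near-miss", brand)
    return ("no-match", None)
```

A production check would load the full Public Suffix List and also handle homoglyphs and punycode, which this version does not.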
Commenting on the findings, Omer Dembinsky, data research manager at Check Point Research, said: “Phishing campaigns are becoming increasingly sophisticated, leveraging polished visuals, AI-generated content, and convincing domain lookalikes. The fact that Microsoft and Google remain top targets illustrates the high value of identity-based access for attackers.”
“Meanwhile, the return of brands like Facebook and PayPal demonstrates the adaptability of cybercriminals, who shift toward platforms where trust and urgency can be exploited. Organisations must adopt a prevention-first approach, combining AI-driven detection, robust authentication, and continuous user awareness to counter these evolving threats,” Dembinsky added.
Check Point Research emphasised that identity continues to be a primary attack surface in cloud-driven environments, with phishing serving as a common entry point for both consumer fraud and enterprise security breaches.