A recent report published by Check Point Research (CPR) has identified Microsoft and Google as the most impersonated brands in phishing attacks during the fourth quarter of 2025. The findings are part of Check Point’s global Brand Phishing Report, which analyses phishing activity across major consumer and enterprise platforms.
According to the report, Microsoft continued its year-long trend as the most impersonated brand, while Google ranked second. The data shows that brand impersonation remained a primary method for harvesting credentials and gaining unauthorised access to enterprise and consumer accounts during Q4.
Brand Phishing Trends Observed in 2025
Check Point Research tracked brand impersonation activity throughout all four quarters of 2025. Microsoft ranked first in every quarter, indicating sustained targeting rather than short-term campaign activity.
Microsoft impersonation reached its highest level in Q3 2025, accounting for approximately 40 per cent of all brand phishing attempts globally. In Q4 2025, phishing campaigns expanded to include retail and travel-related brands due to seasonal factors. Despite this shift, Microsoft retained the top position with approximately 22 per cent of global brand phishing activity.
Google ranked second in Q4 2025 with approximately 13 per cent of all brand impersonation attempts. The continued targeting of Google reflects its widespread use for email, cloud services, and account-based authentication across both enterprise and personal environments.
Most Impersonated Brands in Q4 2025
Based on CPR data, the top impersonated brands in Q4 2025 were:
- Microsoft – 22%
- Google – 13%
- Amazon – 9%
- Apple – 8%
- Facebook / Meta – 3%
- PayPal – 2%
- Adobe – 2%
- Booking.com – 2%
- DHL – 1%
- LinkedIn – 1%
Enterprise technology platforms accounted for a significant share of phishing activity due to their role in identity management and access to multiple services.
Why Microsoft and Google Are Primary Targets
Check Point Research notes that Microsoft and Google accounts are targeted because they function as central identity providers across enterprise and consumer ecosystems.
Microsoft 365 accounts are commonly used to access Outlook, SharePoint, Microsoft Teams, and administrative portals. In many organisations, Microsoft Entra ID (formerly Azure AD) acts as the primary Single Sign-On mechanism for internal and third-party applications.
Similarly, Google accounts provide access to Gmail, Google Drive, Google Workspace, and a wide range of integrated services. A compromised Google account can expose sensitive data and enable lateral movement across connected platforms.
The consolidation of access under a single identity increases the operational value of these credentials for attackers.
Enterprise Impact of Account Compromise
Once access to Microsoft or Google email accounts is obtained, attackers can monitor communications, identify financial or operational workflows, and initiate Business Email Compromise attacks. These attacks often involve invoice fraud, payment diversion, or unauthorised changes to vendor details.
Access to cloud storage platforms such as OneDrive, SharePoint, and Google Drive allows attackers to review internal documents, contracts, and approval processes. Collaboration platforms such as Microsoft Teams further expose internal communication and organisational structure.
In environments where these identities are used for Single Sign-On, compromise can extend to HR systems, CRM platforms, finance tools, and other SaaS applications.
Phishing Techniques Used in Q4 2025
The report highlights several phishing techniques that were widely observed during Q4 2025.
AI-Generated Phishing Emails
Attackers increasingly used generative AI to create phishing emails with accurate grammar, professional formatting, and role-specific content. Emails were customised using publicly available information such as employee roles and organisational context.
Common themes included security alerts, document sharing notifications, password reset messages, and subscription or account verification requests.
QR Code-Based Phishing
QR code phishing activity increased significantly in Q4 2025. Microsoft- and Google-branded emails and attachments contained QR codes instructing users to scan for account verification or security updates.
This method reduced detection by email security gateways that focus primarily on URL analysis. In many cases, scanning the QR code redirected users to phishing pages accessed on mobile devices, where visibility into domain details is limited.
Adversary-in-the-Middle Phishing Kits
Check Point Research observed extensive use of adversary-in-the-middle phishing kits during Q4. These tools proxy legitimate login sessions and capture credentials, session cookies, and multi-factor authentication tokens in real time.
This allowed attackers to bypass standard multi-factor authentication controls and gain immediate access to compromised accounts.
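One session-level check for the cookie replay described above, as an added example that is not from the Check Point report: it flags a session token presented from a different network shortly after MFA was satisfied. The event field names, the 30-minute window and the /24 grouping are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events; field names are assumptions, not a vendor log schema.
EVENTS = [
    {"ts": "2025-12-01T09:00:05", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.20", "ua": "Chrome/131 Windows", "event": "mfa_signin"},
    {"ts": "2025-12-01T09:03:40", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "ua": "python-requests/2.32", "event": "token_use"},
    {"ts": "2025-12-01T10:00:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Safari/18 macOS", "event": "mfa_signin"},
    {"ts": "2025-12-01T10:20:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.45", "ua": "Safari/18 macOS", "event": "token_use"},
    {"ts": "2025-12-01T11:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "198.51.100.9", "ua": "Edge/131 Windows", "event": "mfa_signin"},
    {"ts": "2025-12-02T08:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "203.0.113.5", "ua": "Edge/131 Windows", "event": "token_use"},
]

def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /prefix network to tolerate DHCP churn."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def find_session_replay(events, window=timedelta(minutes=30)):
    """Flag sessions presented from a different network shortly after MFA."""
    issued = {}   # session id -> the event where MFA was satisfied
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "mfa_signin":
            issued[ev["session"]] = ev
            continue
        base = issued.get(ev["session"])
        if base is None:
            # Token with no recorded sign-in: log gap or token issued earlier.
            alerts.append((ev["session"], ev["user"], "no_signin_seen"))
            continue
        moved_net = network_of(ev["ip"]) != network_of(base["ip"])
        new_client = ev["ua"] != base["ua"]
        recent = when - datetime.fromisoformat(base["ts"]) <= window
        if moved_net and recent:
            reason = "network_and_client_changed" if new_client else "network_changed"
            alerts.append((ev["session"], ev["user"], reason))
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

VPN switching and mobile roaming produce the same pattern, so a hit is a trigger to review and revoke the session rather than proof of compromise.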
Factors Contributing to Increased Q4 Activity
Several operational factors contributed to higher phishing success rates in Q4 2025.
End-of-year licence renewals resulted in an increase in fraudulent Microsoft 365 and Google Workspace billing alerts. Q4 2025 also saw a surge in “Year-End Audit” lures, which tricked employees into verifying their identities for compliance purposes. Internal access reviews and compliance checks made credential verification requests appear routine.
Increased email usage on mobile devices during the holiday period reduced users' ability to identify suspicious sender addresses and domain variations.
Security Implications for 2026
The findings indicate that Microsoft and Google impersonation will remain a persistent threat in 2026. Traditional phishing awareness training and basic multi-factor authentication are increasingly ineffective against AI-generated content, QR-based phishing, and adversary-in-the-middle techniques.
Check Point Research recommends adopting phishing-resistant authentication methods, improving session-level monitoring, and prioritising rapid containment of compromised identities.
Protection of Microsoft and Google identities should be treated as a core security requirement for organisations in 2026.