What Cloudflare Really Means by “Malicious Emails”


Why it matters and what’s included

What exactly counts as “malicious” in Cloudflare’s 2025 year-in-review? The firm classifies emails as malicious when they aim to steal credentials, extract money, deliver malware, or compromise devices and accounts. So it’s not just noisy spam or bulk marketing blasts. It’s the stuff that causes harm: credential harvesting, ransomware, crypto wallet-draining, or malware payloads that take root on your system. When Cloudflare says over 1 in 20 emails are malicious, they’re talking about real, actionable threats that can cause serious damage.

Cloudflare’s 2025 Findings in Detail

How many emails were malicious and when did the numbers surge?

Is this a quiet uptick or a sudden storm? Cloudflare reports that 5.6% of all global email traffic analyzed over the past year was malicious—meaning more than one in every twenty emails carried harmful content. The figure isn’t evenly distributed. In November, malicious emails surged to nearly 10%, almost double the annual average. That isn’t a random seasonal spike; it’s a concentrated period when attackers leaned harder into deceptive tactics as the holiday shopping season and crypto market swings shifted attention and opportunities.

Deceptive links dominated, but identity deception grew, too

What’s the most common threat category in malicious emails? Deceptive links. Over half (52%) of the malicious messages contained a link crafted to mislead recipients. That means “login” buttons that lead to lookalike domains, invoice portals that are actually credential harvesters, or crypto “transfer confirmations” that route funds into attacker wallets. Identity deception followed closely, rising from 35% in 2024 to 38% in 2025. Attackers impersonated trusted people or brands using spoofed domains, similar-looking domains, or clever display-name tricks. The aim is simple: make the message feel familiar, urgent, and safe enough to click.

Which TLDs and domains were most abused?

Which domains should you instantly distrust? Cloudflare calls out “.christmas” as the most abused top-level domain extension, with 92.7% of emails from that TLD being malicious and 7.1% spam. Other highly abused domain names included “.lol,” “.forum,” “.help,” “.best,” and “.click.” These names are easy to acquire and look innocuous, which is why attackers use them to host phishing pages, credential stealers, and malware drop zones. If you see an email from a brand you trust but the sender is using one of these TLDs—or a name that looks almost identical to a legitimate one—treat it with suspicion.

Why Crypto Investors Are a Prime Target

What makes crypto-focused phishing campaigns so damaging?

Why should crypto investors pay special attention? Because once you click a crypto phishing link or send funds to a scammer, there’s usually no way back. Cryptocurrency transactions are irreversible by design, and attackers have learned to build convincing narratives that feel routine—like “account verification” or “wallet migration.” The crypto space’s tooling, hype cycles, and cross-platform presence (Discord, X, Telegram, email) all create fertile ground for impersonation and link-based scams. When identity deception is combined with deceptive links, it’s easier than ever to fall for a well-designed trap.

How are attackers personalizing their moves?

How are phishing attempts getting better? Attackers blend legitimate-looking branding with personalized messages that mimic internal tools or partner communications. They’ll use “lookalike domains” that swap one letter, use a trusted display name, and craft an urgent subject line like “Action Required: Verify Wallet” or “Unusual Login Attempt Detected.” Some campaigns use multi-stage links that progressively route victims to pages that look more and more official. For crypto traders and executives, they may impersonate a colleague or a vendor, referencing recent transactions or market events to add plausibility.

What Other Data Sources Confirm the Email Threat Trend

Why is email still the most common attack vector?

Is email still the top delivery method for attacks? Yes. Barracuda analyzed 670 million emails earlier this year and found that email remains the most common attack vector for cyber threats. Attackers use malicious attachments and links to distribute malware, launch phishing campaigns, and exploit software vulnerabilities. Their findings include:
– A quarter of HTML attachments were malicious.
– One in four emails were unwanted spam.
– Twelve percent of malicious PDF attachments were Bitcoin scams.

These numbers show that even without dramatic spikes, email is consistently exploited because it’s universal, familiar, and flexible.

What did Hornetsecurity report in November 2025?

Did that November spike show up elsewhere? Hornetsecurity reported that email was a “consistent delivery vector” for cyberattacks in 2025, with malware-laden emails surging by 131% year-over-year. That surge aligns with Cloudflare’s near-10% spike for malicious emails in November. In practical terms, it means that attackers had more malicious payloads, more ways to deliver them via email, and more opportunities to catch people off guard during the holiday period and market volatility.

How Attackers Execute These Threats

What methods are they using most?

How are they actually delivering harm? Attackers rely on:
– Deceptive links to harvest credentials or capture wallet details.
– Identity deception using spoofed or lookalike domains and display-name tricks.
– Malicious HTML attachments that load hidden scripts to collect data.
– Malicious PDF attachments that embed links or scripts, often tied to Bitcoin scams.
– Exploits that attempt to abuse email clients or auto-reply features to gain footholds for further attacks.

Each method is tuned to blend in with normal business operations, which is why they remain effective.

Industry Impact: Pros and Cons

What’s actually working against attackers, and what keeps them in the game?

Why do email threats keep succeeding, and what is actually slowing them down? Let’s weigh the balance:

– Email is everywhere. Pro: It’s a low-friction communication tool that businesses and communities rely on. Con: It’s easy to scale deceptive campaigns and reach a massive audience quickly.
– Link-based threats are simple to host. Pro: Security teams can filter and monitor links in real time. Con: Attackers can spin up new domains and TLDs faster than traditional blocklists can keep up.
– Branding and display names create trust. Pro: Security awareness and anti-spoofing policies can fight impersonation. Con: Attackers keep refining lookalike domains and social engineering.
– Attachments deliver malware. Pro: Modern email gateways scan content and quarantine suspicious files. Con: Attackers obfuscate payloads in HTML or PDFs and use legitimate-looking scripts.
– Market hype (like crypto) fuels urgency. Pro: Community education and wallet safety practices reduce mistakes. Con: Urgency pushes people to click before they verify.

Temporal Context: What Happened in 2025 and Why November Matters

Why did the spike happen when it did?

What made November special? Several factors converged:
– Holiday shopping and end-of-year workflows increase email volume, including invoices, shipping confirmations, and account updates.
– Crypto market movements create excitement and fear, making users more responsive to urgent-looking messages.
– Attackers adapt their tactics to seasonal patterns, flooding inboxes with brand impersonations and “limited-time” offers.
– TLD availability and cheap hosting make it easy to deploy and test new phishing infrastructure rapidly.

This mix created a perfect environment for malicious emails to hit near 10% of all traffic in a single month.

How to Reduce Risk: Practical Steps

What should individuals do?

What can you do right now? Start with disciplined verification:
– Treat urgent login or transfer requests as red flags. Verify via a separate channel before acting.
– Hover over links and check the domain carefully. Look for subtle misspellings or unusual TLDs (e.g., “.click,” “.lol,” “.help,” “.best,” “.forum,” “.christmas”).
– Avoid opening HTML or PDF attachments from unknown senders. If it looks like a payment confirmation from an unknown brand, pause.
– For crypto, never share seed phrases or private keys. No legitimate service will ask for these via email.
– Enable two-factor authentication and use hardware keys for critical accounts.
– Keep your browser, email client, and OS updated. Patching closes common exploit paths.

What should organizations do?

What can security teams implement quickly?
– Enforce DMARC, SPF, and DKIM to stop spoofed domains from reaching inboxes.
– Use link protection gateways that sandbox and rate-limit access to newly registered domains or abused TLDs.
– Train employees regularly, focusing on identity deception and lookalike domains.
– Quarantine suspicious HTML attachments and block or flag PDFs with embedded scripts.
– Monitor email volume spikes and correlate them with malware-laced campaigns, especially around holidays and market events.
– Use threat intelligence to flag abusive TLDs and high-risk lookalike domains associated with known campaigns.

Reading the Signals: What Emails Look Like Now

What should you watch for?

What are the modern telltale signs?
– Urgency with a familiar brand. “Your wallet will be locked in 2 hours.”
– Links that seem legit but point to lookalike domains (e.g., “coindesk-support.com” instead of “coindesk.com”).
– Sender names that match a known brand or person but come from an unrelated domain.
– Attachments that are HTML or PDF and prompt for a login or download without a clear reason.
– Requests to move funds or “verify” an account via a link that asks for seed phrases.
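The telltale signs above, together with the abused-TLD and lookalike-domain filtering suggested for security teams, can be turned into a simple triage check. This is an added Python example, not code from the article or from Cloudflare; the abused-TLD list is the one the article cites, while the brand watchlist, the regular expressions and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# TLDs the article names as heavily abused; the brand watchlist, the patterns and
# the sample message are constructed for this example and describe no real campaign.
ABUSED_TLDS = {"christmas", "lol", "forum", "help", "best", "click"}
WATCHED_DOMAINS = {"coindesk.com"}
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)
URGENT_RE = re.compile(r"action required|verify|locked|unusual login|within \d+ hours?", re.I)

def same_org(domain, brand):
    return domain == brand or domain.endswith("." + brand)

def is_lookalike(domain):
    # Brand label embedded in a foreign host ("coindesk-support.click") or the brand
    # label under another TLD ("coindesk.click"); genuine subdomains are not flagged.
    label = domain.rsplit(".", 1)[0]
    return any(brand.rsplit(".", 1)[0] in label and not same_org(domain, brand)
               for brand in WATCHED_DOMAINS)

def host_signals(host, role):
    host = host.lower()
    out = []
    if host.rsplit(".", 1)[-1] in ABUSED_TLDS:
        out.append(f"{role} {host} uses an abused TLD")
    if is_lookalike(host):
        out.append(f"{role} {host} resembles a watched brand")
    return out

def triage(raw):
    """Return the phishing signals found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    signals = host_signals(sender, "sender domain")
    for brand in WATCHED_DOMAINS:  # display-name trick: trusted name, unrelated domain
        if brand.rsplit(".", 1)[0] in name.lower() and not same_org(sender, brand):
            signals.append(f"display name claims {brand} but sender is {sender}")
    for host in URL_RE.findall(msg.get_payload()):
        signals += host_signals(host, "link host")
    if URGENT_RE.search(msg.get("Subject", "")):
        signals.append("urgent subject line")
    return signals

SAMPLE = """From: "CoinDesk Support" <alerts@coindesk-support.click>
Subject: Action Required: Verify Wallet within 2 hours

Your wallet will be locked. Log in here: https://login.coindesk-support.click/verify
"""
```

Running `triage(SAMPLE)` yields six signals (abused TLD and lookalike for both the sender and the link host, the display-name mismatch, and the urgent subject), while a genuine newsletter from the watched domain yields none.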

Remember: attackers are counting on speed and trust. Slow down and verify. 🛡️

Should You Stop Using Email?

What’s the realistic stance?

Is email too dangerous to use? No. Email is still essential. The point is to treat it like a public space—convenient but not always safe. The best approach is layered: good technology, smart habits, and timely verification. Don’t let fear stop business. Let caution guide decisions.

Conclusion: Keep Using Email, But Stay Vigilant

Is the tide turning against malicious emails? Cloudflare’s data confirms that over 1 in 20 emails are malicious, with November hitting nearly 10%. Deceptive links and identity deception lead the way, and attackers target crypto investors especially hard because transactions are hard to reverse. The good news is that the same channels that attackers exploit can be fortified with modern email security, strict anti-spoofing policies, and everyday habits that check, verify, and slow down when a message feels urgent or too convenient.

For individuals: pause, verify, and never share sensitive data through email links. For organizations: enforce DMARC, monitor spikes, train for impersonation, and filter risky TLDs. Together, those steps pull malicious rates down and keep real business moving without opening the door to scams that often have no way back once a victim clicks.

FAQ

Why does “over 1 in 20 emails are malicious” matter?

Because it means roughly 5.6% of all emails carry harmful content designed to steal credentials, money, or deliver malware. With November near 10%, the threat isn’t just background noise—it’s an active, concentrated risk that demands attention.

What’s the difference between spam and malicious email?

Spam is unwanted bulk messages, often commercial or promotional. Malicious emails are specifically crafted to cause harm—phishing, credential theft, malware distribution, or crypto wallet-draining. Cloudflare’s statistics focus on malicious email, not just spam.

How do deceptive links work?

They look safe and familiar but direct you to spoofed pages where attackers collect logins or wallet details. You might see a button labeled “Log in” that actually points to a lookalike domain designed to harvest your credentials.

Why do attackers use abused TLDs?

Because they’re cheap, easy to register, and can appear harmless. TLDs like “.click,” “.lol,” “.forum,” “.help,” “.best,” and “.christmas” are commonly abused. Cloudflare reports “.christmas” was particularly problematic in 2025.

Are HTML attachments dangerous?

Yes. A quarter of HTML attachments analyzed in one large study were malicious. They can load scripts to steal data or install malware. Treat them with caution, especially if they’re from unknown senders.

Why are crypto investors targeted?

Because crypto transactions are irreversible and the community responds well to urgency and hype. Attackers impersonate services, colleagues, or partners, making “verification” or “migration” requests feel normal and pressing.

What is identity deception?

It’s when attackers impersonate a trusted individual or brand using spoofed domains, lookalike domains, or display-name tricks. Cloudflare saw identity deception rise from 35% to 38% in 2025.

Can security technology stop these attacks?

Yes, but not on its own. DMARC, SPF, DKIM, link protection gateways, content filtering, and quarantine systems help, but user awareness and disciplined verification are essential.

What should I do if I clicked a suspicious link?

Disconnect from the internet, run a reputable security scan, change your passwords, enable two-factor authentication, and notify your organization or wallet provider. If funds were moved, contact the exchange or wallet service immediately and report the incident.

Should I stop opening emails from unknown senders?

Yes, it’s safest to avoid opening or clicking anything from unknown senders. For known senders, still check the domain and verify unexpected requests via a separate channel.

Stay curious, stay cautious, and keep your accounts secure. 💡
