Over 5% of all emails sent globally contain malicious content, according to internet infrastructure giant Cloudflare.
The web security company reported that 5.6% of global email traffic analyzed over the past year was identified as harmful, meaning more than one in every twenty emails could pose a risk.
In November, the share of malicious emails spiked to nearly one in ten, almost double the annual average.
Cloudflare’s 2025 year-in-review report noted that malicious emails can lead to credential theft, data breaches, or financial losses.
The findings are particularly concerning for cryptocurrency investors, as phishing attacks targeting traders, investors, and executives have grown increasingly sophisticated and surged in recent months.
Crypto phishing links are especially dangerous: victims who click them or transfer cryptocurrency to scammers typically have little to no chance of recovery.
Deceptive links lead email threats
Cloudflare reported that over half of malicious emails—52%—contained a deceptive link, making it the most common threat category.
Identity deception ranked second at 38%, up from 35% in 2024, as attackers increasingly impersonated trusted individuals using spoofed domains, visually similar domains, or manipulated display names.
The report also highlighted the most abused top-level domain (TLD), with “.christmas” leading the pack: 92.7% of emails from this TLD were malicious, and 7.1% were spam.
Other frequently exploited domain extensions included “.lol,” “.forum,” “.help,” “.best,” and “.click.”
One in four HTML attachments found to be malicious
Earlier this year, cybersecurity firm Barracuda analyzed 670 million emails classified as malicious or spam and confirmed that email remains the most common attack vector for cyber threats. Malicious attachments and links are frequently used to spread malware, launch phishing campaigns, and exploit system vulnerabilities.
The analysis found that as many as one in four emails were unwanted spam, a quarter of all HTML attachments were malicious, and 12% of malicious PDF attachments were linked to Bitcoin scams.
Similarly, Hornet Security reported in November that email continued to be a “consistent delivery vector” for cyberattacks in 2025, with malware-laden emails increasing 131% year-over-year.
