Microsoft remained the most imitated brand in phishing attacks during the fourth quarter of 2025, according to data from Check Point Research, which tracked brand impersonation across phishing attempts globally.
The research unit said Microsoft accounted for 22% of all detected brand phishing attempts in the quarter. Google followed with 13% and Amazon with 9%. Apple ranked fourth with 8%.
Facebook returned to the global top 10 list in fifth place with 3%. PayPal, Adobe and Booking each recorded 2%. DHL and LinkedIn each recorded 1%.
Tech platforms
The ranking continued a pattern in which attackers imitate widely used consumer and workplace services. The research described this as a multi-quarter trend and linked it to attempts to steal credentials and gain initial access to accounts.
Amazon’s position reflected seasonal activity around major retail events. The research group attributed its rise in the ranking to Black Friday and the holiday shopping period.
Check Point Research said the repeated appearance of Microsoft and Google at the top of the ranking reflected the value of identity credentials associated with productivity and cloud services. It said cyber criminals seek access that can lead to further compromise of consumer and corporate accounts.
Shifting targets
Facebook’s re-entry into the top 10 followed several quarters outside the list. The research group linked the move to increased attention on social media accounts and identity theft.
Check Point Research said attackers adapt quickly and switch between brands that carry high levels of user familiarity and trust. It said brands connected to payments, travel and logistics also featured in the top 10 during the quarter.
One of the observed campaigns focused on Roblox and used a lookalike domain that replaced a letter in the legitimate brand name. Check Point Research said the site appeared through user browsing activity.
The landing page presented a Roblox-themed game page with a title, ratings and a “Play” button. Check Point Research said the visuals looked realistic and resembled popular content on the platform.
The research group said the campaign used a second-stage page that replicated the official Roblox login interface. It said the site harvested credentials entered by users and did not provide clear feedback that an account had been compromised.
Streaming lure
Another campaign impersonated Netflix and focused on account recovery. Check Point Research said the phishing site used the domain netflix-account-recovery[.]com, which it said was inactive at the time of its disclosure.
Check Point Research said the phishing page mirrored Netflix’s login and account recovery flow. It prompted users to enter an email address or mobile number, plus a password. The research group said attackers sought credentials for account takeover and potential downstream fraud.
Localised email
Check Point Research also described a Facebook-themed phishing page hosted on facebook-cm[.]github[.]io. It said attackers delivered the page via email and presented it in Spanish.
The research group said the page impersonated Facebook’s login portal and asked for an email address, phone number and password. It said attackers harvested the information for unauthorised access and later abuse.
Common tactics
Check Point Research said brand phishing continues to succeed because it exploits familiarity with digital services. It cited lookalike domains with subtle character changes, professionally designed pages that mimic real login flows, and multi-stage paths that appear legitimate.
The research group also pointed to emotional triggers in messaging. It listed urgency, reward and brand familiarity as common levers used in such campaigns.
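The lookalike patterns described above can be checked mechanically on the defensive side. The following is an added example, not code from Check Point Research: it flags hostnames that use a brand name as a token outside the brand's own domain (as in the Netflix and Facebook cases) or that differ from a brand name by one character (as in the Roblox case), and goes slightly beyond the article by also catching an added or dropped letter. The `OFFICIAL` map, the hyphen and dot tokenisation, and the sample host `roblux.example` are assumptions made for the illustration; the article does not give the Roblox lookalike domain.

```python
# Added example: brand-lookalike check for hostnames seen in mail or proxy logs.
# OFFICIAL is an assumed allow-list mapping each brand to its genuine domain.
OFFICIAL = {"roblox": "roblox.com", "netflix": "netflix.com",
            "facebook": "facebook.com"}
TOKEN = "brand name used as a token outside the official domain"
SUBST = "one-character substitution of the brand name"
INDEL = "one character added to or dropped from the brand name"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str):
    """Return (brand, reason) for a suspicious host, or None if nothing matches."""
    host = host.lower().replace("[.]", ".").strip(".")  # accept defanged input
    for official in OFFICIAL.values():
        if host == official or host.endswith("." + official):
            return None                                  # genuine brand domain
    # Split every DNS label on hyphens so "netflix-account-recovery" yields "netflix".
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for token in tokens:
        for brand in OFFICIAL:
            if token == brand:
                return (brand, TOKEN)
            if edit_distance(token, brand) == 1:
                return (brand, SUBST if len(token) == len(brand) else INDEL)
    return None

if __name__ == "__main__":
    samples = [
        "netflix-account-recovery[.]com",  # from the article (defanged)
        "facebook-cm[.]github[.]io",       # from the article (defanged)
        "roblux.example",                  # constructed one-letter lookalike
        "www.roblox.com",                  # genuine domain, must not be flagged
    ]
    for s in samples:
        print(f"{s:34} -> {classify(s)}")
```

A production version would derive the registrable domain from the Public Suffix List and add homoglyph normalisation, neither of which this sketch attempts.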
“Phishing campaigns are becoming increasingly sophisticated, leveraging polished visuals, AI-generated content, and highly convincing domain lookalikes. The fact that Microsoft and Google remain the top targets shows how valuable identity-based access has become for attackers. Meanwhile, the return of brands like Facebook and PayPal underscores how cybercriminals adapt quickly, shifting toward platforms where trust and urgency can be exploited. To counter these evolving tactics, organizations must adopt a prevention-first approach that combines AI-driven detection with strong authentication and continuous user awareness,” said Omer Dembinsky, Data Research Manager, Check Point Research.
Check Point Research said identity remained a key attack surface in cloud-driven environments and described phishing as a common initial access route for consumer fraud and enterprise breaches.