For years, the dominant narrative in enterprise security has been simple: secure your email and you’ve addressed the primary threat. That logic was sound, but it no longer is.
Two fundamental shifts happened in 2025 that most organizations missed. Together, they have quietly outpaced the defenses many companies believe are protecting them.
The Ad Network Is Now the Malware Network
According to a recent report by digital safety firm The Media Trust, drawing on 200 billion ads monitored monthly across 100,000+ digital properties, programmatic advertising surpassed email as the primary malware delivery channel in 2025, accounting for more than 60% of all observed malware and phishing campaigns. Ad-delivered malware grew 45% year-over-year.
This is not a marginal trend. The ad supply chain is code execution infrastructure. Every time an employee loads a webpage, dozens of third-party JavaScript calls execute in their browser, traversing multiple ad exchanges in milliseconds. Once a malicious script enters that supply chain, it propagates across thousands of websites simultaneously with no click required. Drive-by compromise executes on page load.
AI is accelerating this further, enabling adaptive malware that changes behavior based on browser, device, and location. Losses tied to ad-borne malware and fraud exceeded $12.5 billion in 2025 in the US alone.
Every employee browsing the web is a potential entry point. Your next incident may trace back to someone reading a trade publication at their desk.
Email Threats Have Evolved. Spam Is No Longer the Story.
Spam and malware attachments are not gone, but they are no longer the dominant email threat. Modern attackers have moved to three patterns that conventional filters largely miss:
Credential theft. Phishing-as-a-Service kits like Tycoon2FA and EvilProxy automate MFA bypass through adversary-in-the-middle proxying. Account compromise surged 389% in 2025. Once credentials are captured, attackers can establish inbox forwarding rules in under 5 minutes.
Business Email Compromise (BEC). BEC losses reached $2.7 billion in 2024, with attacks up 15% in 2025. There is no malware, no malicious link. Just a fraudulent wire transfer request that looks exactly like one from your CFO. 79% of companies faced at least one BEC attack in the past year.
Conversation hijacking. After compromising a legitimate account, attackers monitor active financial threads and insert themselves at the critical moment. No gateway flags it because the email originates from a real, trusted address inside a real thread.
This does not make the Email Security Gateway obsolete. It makes it more essential than ever. A properly configured ESG with behavioral analysis, BEC detection, and anomaly-based rules remains a critical layer of defense.
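The post-compromise pattern above (a login from an unfamiliar address, followed within minutes by an inbox rule that forwards mail outside the organization) is exactly what an anomaly-based rule can catch. The following detection logic is an added example, not ZENDATA's tooling or any vendor's product; the event field names, the internal domain, and the known-egress IP list are assumptions, and the audit events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like a mailbox audit trail.
# Field names are assumptions, not a real vendor schema.
EVENTS = [
    {"ts": "2025-09-03T08:01:10", "user": "cfo@corp.example",
     "op": "UserLoggedIn", "ip": "203.0.113.9"},
    {"ts": "2025-09-03T08:04:42", "user": "cfo@corp.example",
     "op": "New-InboxRule", "ip": "203.0.113.9",
     "forward_to": "archive@mail-relay.example", "delete": True},
    {"ts": "2025-09-03T09:15:00", "user": "ap@corp.example",
     "op": "New-InboxRule", "ip": "198.51.100.4",
     "forward_to": "ap-backup@corp.example", "delete": False},
    {"ts": "2025-09-03T10:00:00", "user": "hr@corp.example",
     "op": "UserLoggedIn", "ip": "198.51.100.4"},
]

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the org's own mail domains
KNOWN_IPS = {"198.51.100.4"}          # assumption: corporate egress addresses
WINDOW = timedelta(minutes=5)         # the "under 5 minutes" pattern above

def parse(ts):
    return datetime.fromisoformat(ts)

def external(addr):
    """True when the forwarding target is outside the organization."""
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS

def suspicious_forwarding_rules(events, known_ips=KNOWN_IPS, window=WINDOW):
    """Alert on inbox rules that forward mail externally, noting whether
    the rule also deletes the original and whether it was created shortly
    after a login from an IP not on the known-egress list."""
    logins = [e for e in events if e["op"] == "UserLoggedIn"]
    alerts = []
    for e in events:
        if e["op"] != "New-InboxRule" or not external(e["forward_to"]):
            continue  # internal forwarding is treated as benign here
        reasons = ["forwards to external domain " + e["forward_to"].split("@")[-1]]
        if e.get("delete"):
            reasons.append("deletes the original message (hides the forward)")
        t = parse(e["ts"])
        for lg in logins:
            gap = t - parse(lg["ts"])
            if lg["user"] == e["user"] and lg["ip"] not in known_ips \
                    and timedelta(0) <= gap <= window:
                reasons.append(f"created {int(gap.total_seconds() // 60)} min "
                               f"after login from unknown IP {lg['ip']}")
        alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts
```

On the sample data the rule created by the compromised CFO account is flagged on all three counts, while the accounts-payable user's internal backup rule produces no alert.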
The Blind Spot: Encrypted Traffic
Both threats share a common enabler. Malvertising payloads, phishing pages, C2 callbacks, and data exfiltration all travel over HTTPS. Most organizations have no visibility into this traffic.
This is the TLS inspection gap. Firewalls and SIEM platforms are bypassed because encrypted traffic passes through uninspected. Attackers rely on this. Without TLS decryption at the perimeter or on the endpoint, your security stack is effectively blind to 95% of active traffic.
If you are not doing TLS inspection today, you are not doing security. You are doing compliance theater.
What Should You Do?
At ZENDATA, we regularly work with organizations that experienced significant incidents and were, by every formal standard, compliant. They had gateways, firewalls, and passed their last audit.
Compliance frameworks lag the threat landscape by design. The shift to ad-delivered malware and BEC-focused attacks happened faster than any framework revision cycle.
Being compliant is not the same as being secure. The gap between the two is exactly where attackers operate. If you have not reviewed your TLS inspection coverage and your ESG configuration in the past 12 months, you are operating on assumptions that no longer hold.
ZENDATA’s Managed Security Services, including MDR and SOC, cover TLS inspection blind spots, BEC exposure, credential theft risk, and the malvertising attack surface across your actual infrastructure.
Reach out at info@zendata.security
References: The Media Trust 2026 Intelligence Report / eSentire 2026 Threat Landscape Report / LevelBlue SpiderLabs BEC Trends 2025 / FBI IC3 / Hoxhunt Phishing Trends Report.
