Morning Overview

Phishing emails remain the single most common way attackers break into networks

Every organization with an email inbox faces the same baseline threat that has topped breach reports for years: a convincing phishing message that tricks one employee into clicking a malicious link or opening a weaponized attachment. The Cybersecurity and Infrastructure Security Agency, working with the FBI, has tied phishing directly to the operations of the BlackSuit ransomware actor in joint advisory AA23-061A. Separately, the European Union Agency for Cybersecurity found in its Threat Landscape 2025 edition, covering incidents from July 2024 through June 2025, that phishing and related social engineering remain prominent attack vectors across a broad set of breaches. The persistence of this single tactic, despite years of awareness campaigns and filter technology, signals a gap between the defenses most companies deploy and the speed at which attackers adapt their lures.

Why phishing still opens the door for ransomware operators

Phishing works because it targets human judgment rather than software vulnerabilities. A well-crafted email can bypass perimeter controls entirely when a recipient voluntarily hands over credentials or executes a file. CISA and the FBI documented this dynamic in their BlackSuit advisory, identifying phishing as among the most successful initial access vectors used by the group. Once inside, the attacker moves laterally, escalates privileges, and deploys encryption tools, often within hours. The advisory makes clear that the chain from inbox to full network compromise can be short and devastating.

The cost falls on real businesses and their employees. Ransomware incidents triggered by a single phishing email can shut down operations for weeks, expose sensitive customer data, and generate recovery bills that strain even well-funded organizations. Legacy email filters, which rely on known-bad signatures and domain reputation lists, catch many bulk campaigns but routinely miss targeted spear-phishing messages crafted for a specific recipient. That gap has led security teams to consider layered approaches that combine AI-driven sandboxing of inbound attachments with mandatory callback verification for any message requesting credentials, wire transfers, or software installations.

A reasonable working hypothesis is that enterprises adopting both AI-driven email sandboxing and callback verification could see a significant drop in confirmed ransomware intrusions compared with peers relying solely on legacy filters. No publicly available before-and-after dataset from CISA or ENISA currently quantifies that reduction at a specific percentage, so the claim cannot yet be confirmed with primary evidence. What the advisory record does confirm is that organizations still depending on signature-based filtering alone remain exposed to the exact techniques BlackSuit and similar groups exploit.

CISA and ENISA findings that anchor the phishing threat

Two authoritative bodies have independently reached the same conclusion about phishing’s dominance as an initial access method. CISA’s ransomware guide explicitly lists phishing as a core initial access vector within its playbooks, treating the tactic as a default assumption for incident responders. The guide serves as the U.S. government’s primary reference document for organizations building or auditing their ransomware defenses, and its placement of phishing at the top of the access-vector list reflects operational data gathered from real incidents reported to federal agencies.

Across the Atlantic, the European Union Agency for Cybersecurity published its Threat Landscape 2025 edition after analyzing incidents recorded between July 2024 and June 2025. That ENISA overview found that phishing and related social engineering remain prominent attack vectors, consistent with CISA’s findings. The convergence of U.S. and European agency conclusions, drawn from separate incident pools and analytical methods, strengthens the case that phishing is not a regional problem or an artifact of one reporting pipeline. It is a global constant.

The BlackSuit advisory adds operational detail. CISA and the FBI noted that phishing is among the most successful vectors the group uses, and the advisory references third-party reporting that reinforces phishing’s frequency as an entry point. The advisory does not, however, supply primary telemetry or victim counts, which means the precise scale of BlackSuit phishing operations remains partially opaque. What is documented is the tactic’s effectiveness: once a phishing email delivers initial access, BlackSuit operators follow a well-rehearsed playbook to encrypt systems and demand payment.

Gaps in the data and what defenders should watch next

Despite the strength of the institutional consensus, several questions remain unanswered. Neither CISA nor ENISA has published granular success-rate percentages showing how often phishing emails convert into confirmed breaches versus how often they are caught before damage occurs. Without that ratio, security teams cannot benchmark their own detection rates against a national or international baseline. The ENISA Threat Landscape 2025 edition covers a full year of incidents but does not break out quantitative totals by vector in the summaries available at the time of the report, limiting the ability to track year-over-year trends with precision.

Direct statements from affected companies confirming phishing as the specific entry point are also absent from the primary sources reviewed here. Victim organizations rarely disclose the initial access method publicly, and federal advisories aggregate findings without naming individual targets. That anonymity protects victims from reputational harm and potential follow-on extortion, but it also leaves defenders with an incomplete picture of how specific phishing techniques map to particular sectors, company sizes, or technologies in use.

Another limitation is the lack of standardized taxonomy for what counts as phishing in official reporting. Some incidents are clearly email-based credential theft, while others blend messaging platforms, fake support calls, or malicious QR codes into multi-step social engineering chains. Without consistent labeling, security teams may struggle to align their internal incident categories with those used by CISA and ENISA, complicating attempts to compare local data with national or regional trends.

Defenders should watch for future advisories that provide more granular breakdowns of initial access by technique, as well as any moves toward anonymized sharing of phishing conversion rates. Even approximate ranges, segmented by industry or organization size, would help security leaders prioritize investments in user training, email security tooling, and incident response playbooks. Until then, organizations must rely on qualitative guidance from current advisories and their own internal telemetry to gauge whether their controls are keeping pace with attacker innovation.

Practical steps to narrow the phishing window

In the absence of perfect data, organizations can still act on the clear direction provided by CISA and ENISA. At a minimum, email defenses should extend beyond signature-based filters to include behavioral analysis of attachments and links, blocking or sandboxing files that exhibit suspicious characteristics before they reach end users. Multi-factor authentication should be enforced on all remote access points and critical applications so that stolen passwords alone cannot grant an attacker full control.

User awareness training remains necessary but should be grounded in realistic simulations and clear escalation paths. Employees need to know not only how to spot a suspicious message but also exactly how to report it and what the organization will do in response. Clear policies around high-risk requests (such as changes to payment details, software installation prompts, or urgent password resets) can normalize the expectation that such actions require out-of-band verification.
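The two preceding sections describe a layered inbound-mail policy: route risky attachments to a sandbox instead of trusting signatures, inspect links rather than sender reputation alone, and hold any message that asks for a payment change, credential reset, or software installation until it has been verified out of band. The following triage routine is an added example written for this article; it is not code from Morning Overview, CISA, or ENISA. The extension list, the high-risk request patterns, the `Message` fields, and the sample messages are all constructed assumptions standing in for whatever a real mail gateway exposes.

```python
"""Inbound-mail triage policy: sandbox, link checks, and callback holds.

Added illustration, not code from the article, CISA, or ENISA. Every list,
field name and sample message below is constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Attachment types worth detonating in a sandbox before delivery (assumed list).
SANDBOX_EXTENSIONS = {".exe", ".js", ".vbs", ".iso", ".lnk", ".docm", ".xlsm", ".zip", ".html"}

# Request phrasing that triggers mandatory out-of-band verification (assumed patterns).
HIGH_RISK_PATTERNS = [
    re.compile(r"\b(update|change|new)\b.{0,40}\b(bank|payment|account)\b.{0,40}\bdetails\b", re.I),
    re.compile(r"\b(wire|transfer)\b.{0,30}\b(funds|payment)\b", re.I),
    re.compile(r"\b(reset|verify|confirm)\b.{0,30}\b(password|credentials|login)\b", re.I),
    re.compile(r"\b(install|run|enable)\b.{0,30}\b(software|update|macros?)\b", re.I),
]


@dataclass
class Message:
    """Minimal parsed-message model (hypothetical; real gateways differ)."""
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    links: list[tuple[str, str]] = field(default_factory=list)  # (display text, href)


@dataclass
class Verdict:
    actions: list[str]
    reasons: list[str]


def _link_host(url: str) -> str:
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage(msg: Message) -> Verdict:
    """Return the actions the gateway should take for one message."""
    actions, reasons = [], []

    # 1. Behavioural control: detonate risky attachment types instead of trusting signatures.
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SANDBOX_EXTENSIONS:
            actions.append("sandbox_attachment")
            reasons.append(f"attachment {name} has type {ext} that needs detonation")
            break

    # 2. Link analysis: visible URL text points at one host, the real href at another.
    for text, href in msg.links:
        shown = _link_host(text) if text.lower().startswith("http") else ""
        if shown and shown != _link_host(href):
            actions.append("rewrite_links")
            reasons.append(f"link text host {shown} differs from target {_link_host(href)}")
            break

    # 3. Policy control: any high-risk request is held until verified by callback,
    #    regardless of sender, since internal addresses can be spoofed or compromised.
    text = f"{msg.subject}\n{msg.body}"
    for pat in HIGH_RISK_PATTERNS:
        if pat.search(text):
            actions.append("hold_for_callback_verification")
            reasons.append(f"high-risk request matched /{pat.pattern}/")
            break

    if not actions:
        actions.append("deliver")
    return Verdict(actions, reasons)


# Constructed sample messages (not real incidents).
SAMPLE_MESSAGES = [
    Message("vendor-billing@example-supplier.test", "Updated remittance details",
            "Please update our bank account details before the next payment run.",
            attachments=["invoice_0425.pdf"]),
    Message("it-helpdesk@example.test", "Action required",
            "Your password expires today. Click to verify your credentials.",
            links=[("https://portal.example.test/login", "https://example-login.test/x")]),
    Message("colleague@example.test", "Q3 slides", "Slides attached, see you at 3.",
            attachments=["q3.pptx"]),
]


def triage_all(messages=SAMPLE_MESSAGES) -> dict[str, list[str]]:
    """Map each subject to its action list; handy for dashboards and tests."""
    return {m.subject: triage(m).actions for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = triage(m)
        print(f"{m.subject!r}: {v.actions} ({'; '.join(v.reasons) or 'no findings'})")
```

The ordering matters: the attachment and link checks run before the request-pattern check so that a message can accumulate several actions (for instance both `rewrite_links` and a callback hold), and the callback hold applies to every sender rather than only external ones, which is what "any message requesting credentials, wire transfers, or software installations" implies. Real deployments would replace the constructed pattern list with the gateway's own detection content and log each verdict for incident responders.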

Finally, incident response plans should assume that at least some phishing attempts will succeed. Regular tabletop exercises based on scenarios like those described in the BlackSuit advisory can help teams practice rapid containment, forensic preservation, and communication with stakeholders. By treating phishing as an inevitable pressure on the perimeter rather than a failure of individual employees, organizations can shift their focus toward resilience: limiting the blast radius when an attacker does slip through the inbox and preventing a single click from turning into a full-scale ransomware crisis.

*This article was researched with the help of AI, with human editors creating the final content.