Check Point Research: Microsoft Remains the Most Imitated Brand in Phishing Attacks in Q4 2025, as Technology and Social Media Platforms Continue to Dominate 

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader of cyber security solutions, today released its Brand Phishing Ranking for Q4 2025. The latest findings show that Microsoft once again ranked as the most impersonated brand, appearing in 22% of all phishing attempts during the quarter. This continues a multiquarter trend in which attackers systematically abuse widely used enterprise and consumer platforms to steal credentials and gain initial access. 

Google (13%) and Amazon (9%) followed in second and third place respectively, with Amazon’s rise driven largely by Black Friday and holidayseason activity. After several quarters of absence, Facebook (Meta) reentered the global top 10, landing in fifth place, signaling increased attacker interest in socialmedia account takeover and identity theft. 

Omer Dembinsky, Data Research Manager at Check Point Research, says: “Phishing campaigns are becoming increasingly sophisticated, leveraging polished visuals, AIgenerated content, and highly convincing domain lookalikes. The fact that Microsoft and Google remain the top targets shows how valuable identitybased access has become for attackers. Meanwhile, the return of brands like Facebook and PayPal underscores how cybercriminals adapt quickly, shifting toward platforms where trust and urgency can be exploited. To counter these evolving tactics, organizations must adopt a preventionfirst approach that combines AIdriven detection with strong authentication and continuous user awareness.” 

Top 10 Most Imitated Brands in Q4 2025 

1. Microsoft – 22% 

2. Google – 13% 

3. Amazon – 9% 

4. Apple – 8% 

5. Facebook (Meta) – 3% 

6. PayPal – 2% 

7. Adobe – 2% 

8. Booking – 2% 

9. DHL – 1% 

10. LinkedIn – 1% 

The persistent dominance of Microsoft and Google reflects their essential role in identity, productivity, and cloud services—making associated credentials particularly valuable to cybercriminals. 

Phishing Campaigns Observed in Q4 2025 

Roblox: Phishing Targeting Children and Gamers 

In Q4 2025, CPR identified a Roblox-themed phishing campaign observed via user browsing activity. The malicious site was hosted at a lookalike domain, robiox[.]com[.]af, differing from the legitimate roblox.com by a subtle letter substitution. 

Fraudulent Roblox Game Page 

The landing page presented a fake Roblox game titled “SKIBIDI Steal a Brainrot”, complete with realistic visuals, ratings, and a prominent “Play” button. The content closely mimicks one of the most popular games currently on the Roblox platform and was clearly designed to appeal to children—a core segment of the platform’s user base. 

Fraudulent Roblox Login Page 

When users attempted to access the game, they were redirected to a second-stage phishing page that replicated the official Roblox login interface. Credentials entered on the page were silently harvested, while the user remained on the same screen with no visible indication of compromise. 

Netflix: Account Recovery as a Lure 

Fraudulent Netflix Page 

CPR also identified a Netflix-impersonation phishing site, hosted at netflix-account-recovery[.]com (currently inactive). The domain was registered in 2025, in contrast to the legitimate netflix.com, which dates back to 1997. 

Legitimate Netflix Page (netflix.com/LoginHelp) 

The phishing page closely mirrored Netflix’s official login and account recovery interface, prompting users to enter their email address or mobile number and password. The objective was straightforward: credential harvesting for account takeover, potentially enabling resale or further fraud. 

Facebook (Meta): Localized Credential Theft 

Fraudulent Facebook (Meta) Page 

In another campaign observed during Q4 2025, CPR detected a Facebook-themed phishing page delivered via email and hosted on facebook-cm[.]github[.]io. The page impersonated Facebook’s login portal and was presented entirely in Spanish, using familiar branding, layout, and authentication prompts. Users were asked to enter their email address, phone number, and password, which were subsequently harvested by the attackers to enable unauthorized account access and potential downstream abuse. 

Why Brand Phishing Continues to Succeed 

Brand phishing remains effective because it leverages user trust in familiar digital services. Attackers increasingly rely on: 

• Lookalike domains with subtle character changes 

• Professionally designed pages mimicking real login flows 

• Multistage deception paths that appear legitimate 

• Emotional triggers such as urgency, reward, or brand familiarity 

As identity becomes the core attack surface in today’s clouddriven environments, phishing continues to serve as a key initial access vector for both consumer fraud and enterprise breaches.