Netskope
Threat Labs Report: Japan 2025

The Netskope Threat Labs Report series aims to provide strategic, actionable intelligence on active threats. This report focuses on organizations operating in Japan.

JAPAN
2025

Introduction Personal App Risk Generative AI Risk Social Engineering Risk Recommendations Netskope Threat Labs About This Report

10 min read

Introduction

Japanese organizations have generally been very successful compared to their counterparts in other parts of the world in reducing certain cybersecurity risks, including generative AI, personal app, and social engineering risks. This report highlights the strategies used by organizations operating in Japan to limit these risks, with the following highlights:

Personal App Risk – While personal app use is just as rampant in Japanese enterprises as in the rest of the world, strict policies regarding uploading, posting, or otherwise sending data to personal apps have successfully limited the user population doing so to only 9% (compared to 26% in the rest of the world), with intellectual property being the top concern.
Generative AI Risk – Japanese enterprises use real-time coaching and other policies to mitigate genAI app risk, resulting in only 1.4% of the average organizational user population using genAI apps, compared to a global average of 7.8%.
Social Engineering Risk – Social engineering is rising in Japan, where twice as many users are clicking on phishing links compared to one year ago, and attackers targeting cloud apps with phishing campaigns and abusing cloud apps to distribute malware.

test answer

Personal App Risk

Personal app use is rampant in Japan, with 84% of people regularly using personal apps in the workplace, just below the global average of 88%. However, only 9% of people regularly upload, post, or otherwise send data to personal apps each month, far below the global average of 26%. The top personal apps to which they are sending data mirror global trends and include cloud storage (Google Drive, Box, OneDrive), calendar (Google Calendar), social media (Facebook, Twitter/X, LinkedIn), email (Gmail), generative AI (ChatGPT) and note-taking apps (Keep). Personal instances of each of these apps are in use in the overwhelming majority of organizations in Japan, as illustrated in the figure below.

Netskope Threat Labs Report - Japan 2025 - Top apps for upstream activities to personal apps

While the overwhelming majority of people in Japan use personal apps, organizations there have generally been very successful in applying real-time policies to limit the amount of data flowing into personal apps. Nearly 100% of Japanese organizations have policies in place to restrict how personal apps can be used, employing a variety of different strategies as described below.

Explicit Blocks
Nearly three-quarters (73%) of organizations in Japan have activity-level policies to explicitly block upstream activities like upload, post, and send in personal apps. These explicit block policies are often applied specifically to personal cloud storage apps (e.g., Box, Google Drive, Microsoft OneDrive), personal webmail apps (e.g., Gmail, Yahoo Mail), generative AI apps (e.g., ChatGPT), and social media apps (e.g., Facebook, LinkedIn, Twitter/X).

Real-Time Coaching
Nearly one-half (49%) of organizations in Japan leverage real-time coaching to reduce personal app risk. Real-time coaching helps users make informed decisions about data security by empowering the individual–who typically understands the data and business content–to make the right decision. In this case, the coaching prompt appears when the user tries to upload data to a personal app and reminds them of company policy regarding personal apps. The reason coaching is so effective at limiting personal app use is that users rarely (only 27% of the time) choose to proceed when presented with a coaching prompt. The other 73% of the time, the user decides not to continue with their risky behaviour and finds a safer route to achieve their goal.

Data Loss Prevention (DLP)
More than one-third (35%) of organizations in Japan apply DLP policies to personal apps to reduce risk. The figure below shows the breakdown of the types of data users attempt to upload to personal apps in violation of company policies, with intellectual property accounting for two-thirds of the violations, followed by regulated data (such as personal, financial, or healthcare data).

Netskope Threat Labs Report - Japan 2025 - Data policy violations for personal apps

Generative AI Risk

Although genAI app use is widespread in Japan, with 89% of organizations using genAI today compared to just 72% one year ago and still trending upward, its adoption in the country has been much more measured than in other parts of the world where 94% of organizations now use genAI apps.

Netskope Threat Labs Report - Japan 2025 - Organizations using genAI Apps

Fewer people are using genAI apps and fewer apps are in use in Japan compared to global averages. The median percentage of people within each organization using genAI apps has grown from just 0.25% one year ago to 1.4% today, as illustrated below. While this is a 5-fold year-over-year increase, the percentage of users lags far behind the global average of 7.8%. Furthermore, even the most aggressive organizations with the highest adoption in Japan still lag behind the global average. For example, the top 25% of Japanese organizations have 6.1% of their user population using genAI apps, which is still 1.7 points behind the global average. Over the same time period, the average number of genAI apps used within each organization in Japan held steady at 2.8, while the global average increased to 9.6 and continues to climb.

Netskope Threat Labs Report - Japan 2025 - GenAI users per month median percentage with shaded area showing 1st and 3rd quartiles

The most popular genAI app in Japan is ChatGPT by a wide margin, followed by Google Gemini, with both apps making modest gains in the past year. Perplexity AI and Microsoft Copilot were the biggest gainers of the year, each with more than a 20 point increase in popularity that has propelled them into third and fourth place, respectively. Going into 2025, most of the top apps appear to have lost their upward momentum, while some of the newer apps continue to gain more organizational adoption.

Netskope Threat Labs Report - Japan 2025 - Most popular apps by percentage of organizations

Organizations in Japan have slowed the adoption of genAI apps relative to the rest of the world using the same techniques they use to reduce personal app risk: explicit blocks, real-time coaching, and DLP. While organizations in Japan use app-level block policies and data loss prevention (DLP) policies to safeguard genAI use at rates comparable to global averages, more than half (51%) are using real-time coaching for genAI, compared to the global average of 34%. Coaching is effective for genAI risk reduction for the same reason it is effective at personal app risk reduction: 73% of the time that are provided with a coaching prompt, they choose not to proceed with risky behaviours and find alternative safer routes to their goal. Users attempting to send intellectual property to genAI apps account for the overwhelming majority of violations in organizations using DLP to reduce genAI risk, indicating that protecting intellectual property from disclosure to genAI apps is a top concern for organizations in Japan.

Netskope Threat Labs Report - Japan 2025 - Type of data policy violations for genAI apps

Social Engineering Risk

Social engineering is a popular tool among everyone from well-resourced and sophisticated geopolitical and criminal groups to low-level ransomware affiliates, cybercrime gangs, and other attackers. Attackers use phishing, pretexting, malware, deepfakes, and other tactics to manipulate individuals working in target organizations. Social engineering succeeds when the attacker is able to gain trust, scare, or manipulate their victims into taking actions that compromise security.

Among the most common social engineering tactics in Japan are phishing and tricking victims into downloading and executing malware. One of the most common techniques for distributing malware is to use popular cloud apps to exploit implicit and explicit trust that has been placed in those apps. Malware download attempts from cloud apps occur in 76% of organizations each month, with 1 out of every 1,000 users attempting to download malware each month.

Phishing is even more common, with 3.7 out of every 1,000 users clicking on a phishing link every month. The rate at which users click on phishing links is also growing rapidly, with two times as many users clicking on phishing links now compared to one year ago. The majority of phishing links clicked by users in Japan targeted cloud applications, commonly targeting Apple, Google, and Microsoft credentials. Phishing attacks targeting banking information are in a distant second place, representing only 21% of the total clicks.

Netskope Threat Labs Report - Japan 2025 - Top phishing targets by links clicked

Phishing attacks typically involve other strategies like traffic redirectors and search engine optimization (SEO). The following figure shows the top five referrers to phishing pages, with search engines at the top (driven by targeted SEO), followed by technology, marketing, news, and media sites (driven by traffic redirectors, malicious ads, and malicious comments), and file repositories (driven by malicious phishing payloads hosted there).

Netskope Threat Labs Report - Japan 2025 - Top web cloud categories referring phishing pages

Recommendations

Netskope Threat Labs recommends that organizations operating in Japan review their security posture to ensure that they are adequately protected against the social engineering risk, personal app risk, and generative AI risk trends highlighted in this report:

Inspect all HTTP and HTTPS traffic (cloud and web) for phishing, malware, and other malicious content. Netskope customers can configure their Netskope NG-SWG with a Threat Protection policy that applies to all traffic.
Ensure that high-risk file types, like executables and archives, are thoroughly inspected using static and dynamic analysis before downloading. Netskope One Advanced Threat Protection customers can use a Patient Zero Prevention Policy to hold downloads until fully inspected.
Block access to apps that do not serve any legitimate business purpose or pose a disproportionate risk to the organization. A good starting point is a policy to allow reputable apps currently in use while blocking all others.
Block downloads from apps and instances not used in your organization to reduce your risk surface to only those apps and instances that are necessary for the business.
Block uploads to apps and instances not used in your organization to reduce the risk of accidental or deliberate data exposure from insiders or abuse by attackers.
Use DLP policies to detect potentially sensitive information–including source code, regulated data, passwords and keys, intellectual property, and encrypted data–sent to personal app instances, genAI apps, or other unauthorized locations.
Employ real-time user coaching to remind users of company policy surrounding AI apps, personal apps, and sensitive data during interaction.
Leverage the responses to coaching prompts to refine and create more nuanced policies, ensuring that coaching remains targeted and effective and does not contribute to cognitive fatigue.
Regularly review AI app activity, trends, behaviors, and data sensitivity to identify risks to the organization and configure policies to mitigate those risks.
Use an Intrusion Prevention System (IPS) to identify and block malicious traffic patterns, such as command and control traffic associated with prevalent malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
Use a behavior analytics platform to identify hidden threats, like compromised devices, compromised accounts, and insider threats. A behavior analytics platform can identify sophisticated and difficult-to-identify threats in your environment, like malleable (customized) command and control beacons from frameworks like Mythic and CobaltStrike.
Use Remote Browser Isolation (RBI) technology to provide additional protection when visiting websites that fall into categories that can present a higher risk, like newly observed and newly registered domains.

Netskope Threat Labs

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest cloud threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, BlackHat, and RSA.

About This Report

Netskope provides threat protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope One platform relating to a subset of Netskope customers with prior authorization.

This report contains information about detections raised by the Netskope One Next Generation Secure Web Gateway (NG-SWG), not considering the significance of the impact of each individual threat. Stats in this report are based on the period starting December 1, 2023 through December 31, 2024. Stats reflect attacker tactics, user behavior, and organization policy.

Threat Labs Reports

In the monthly Netskope Threat Labs Report, you will find the top 5 malicious domains, malware, and apps that the Netskope Security Cloud platform blocked plus recent publications and a threat roundup.

Browse reports