Email threat landscape: Q1 2026 trends and insights

Illustration of email threats: QR codes, CAPTCHA pop-ups, malicious links, and disrupted phishing infrastructure

During the first quarter of 2026, email-based threats remained pervasive and dynamic. Microsoft Threat Intelligence recorded roughly 8.3 billion phishing messages across January–March, with monthly volume edging down from about 2.9 billion in January to 2.6 billion in March. Total volume declined only slightly, but the quarter revealed important shifts in delivery mechanisms and attacker behavior: link-based attacks dominated, QR code phishing accelerated rapidly, CAPTCHA-gated campaigns resurged with new payload tactics, and coordinated takedown operations temporarily disrupted large phishing-as-a-service infrastructure. These trends underscore both the adaptability of attackers and the value of coordinated disruption, detection tuning, and user-focused defenses.

Quarterly snapshot and delivery trends

78% of the email threats observed in Q1 were link-based (the message carries a URL to a remotely hosted page rather than a file), while payload-driven attacks accounted for a shrinking share over the quarter: payloads made up 19% of attacks in January, buoyed by sizeable HTML and ZIP campaigns, before stabilizing at about 13% in February and March. The move toward hosted credential-phishing infrastructure indicates that attackers increasingly favor remote credential-harvesting pages, which they can alter or rotate after the message has been delivered, over locally rendered payloads that must survive attachment scanning at delivery time. Overall phishing volume was high but exhibited short-term variability driven by both operational changes among threat actors and targeted enforcement actions.

Tycoon2FA disruption and infrastructure shifts

Tycoon2FA, a prominent phishing-as-a-service (PhaaS) platform that uses adversary-in-the-middle (AiTM) techniques to relay the victim's credentials and session tokens through a proxied sign-in page, defeating MFA methods that are not phishing-resistant (one-time codes and push approvals), remained a major source of volume in recent months. After a period of reduced activity starting in January, Tycoon2FA volumes surged in February and then fell by about 15% in March following coordinated disruption operations led by Microsoft's Digital Crimes Unit with law enforcement and partners. The disruption curtailed hosting capabilities and reduced access to active phishing pages; the activity that remained was bursty, with a significant share of March's volume concentrated in a single three-day window.

In response, Tycoon2FA and similar operators adapted their infrastructure rapidly. During Q1 many Tycoon2FA domains shifted toward newer generic TLDs (.DIGITAL, .BUSINESS, .COMPANY, and others), and by late March there was a notable uptick in .RU registrations: over 41% of Tycoon2FA domains registered since the last week of March used .RU. Operators also moved away from previously common fronting services such as Cloudflare and began exploring alternative providers that offer anti-analysis protections. These shifts show that enforcement disrupts operations only temporarily and prompts attackers to migrate quickly to new registrars, TLDs, and hosting providers, so defenders should treat TLD and hosting patterns as short-lived indicators that need frequent refresh rather than durable blocklist entries.

QR code phishing surges

QR codes emerged as one of the fastest-growing attack vectors in Q1. Volumes rose from about 7.6 million in January to 18.7 million in March, a 146% increase over the quarter. PDF attachments were the dominant delivery method for QR-based phishing, rising from 65% of QR deliveries in January to 70% in March, while DOC/DOCX attachments increased in absolute volume but declined as a share of QR deliveries (31% to 24%). A late-quarter development was a sharp increase in QR codes embedded directly in email bodies, up 336% in March; embedding the code inline removes the attachment entirely and leaves nothing for text-focused link scanners to extract.

These campaigns exploit two gaps. First, many traditional email scanners cannot extract and resolve a URL that exists only as pixels in an image. Second, the decoded URL is opened on the user's phone, which typically sits outside the email gateway, link rewriting, and endpoint controls that would inspect a clicked hyperlink on a managed workstation, and it lands on a credential-collection page built for mobile screens. Defenders should decode QR codes found in attachments and inline images and run the resulting URLs through the same reputation, detonation, and sandbox checks applied to ordinary links, and should train users specifically not to scan QR codes that arrive in email messages.
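As an added example, not code from the report or from Microsoft, the following Python walks a constructed lure and flags the delivery patterns this section and the Tycoon2FA section describe: an image referenced inline from the HTML body (a QR-in-body candidate), PDF and DOC/DOCX attachments, and links whose TLD matches a watch-list. The sample message, the TLD watch-list, the placeholder image bytes, and all names and addresses are constructed for illustration; actual QR decoding is left to a separate step because it needs an image library.

```python
"""Triage a raw message for QR-in-body candidates, QR-carrying attachments and
links on watch-listed TLDs. Sample data and the watch-list are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed watch-list mirroring the TLD shifts reported for Tycoon2FA.
# In production this comes from threat intel and is refreshed often, because
# the text shows these patterns change within weeks.
WATCH_TLDS = {"digital", "business", "company", "ru"}

# Attachment types reported as the dominant QR and CAPTCHA-gated carriers.
QR_CARRIER_TYPES = {
    "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"'\s>]+)""", re.I)
CID_RE = re.compile(r"""src\s*=\s*["']cid:([^"'\s>]+)""", re.I)


def risky_tld(url: str) -> bool:
    """True when the link's host ends in a watch-listed TLD."""
    host = (urlparse(url).hostname or "").lower()
    return "." in host and host.rsplit(".", 1)[1] in WATCH_TLDS


def triage(raw: bytes) -> dict:
    """Walk every MIME part and report what needs QR decoding or sandboxing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = ""
    images = {}    # Content-ID -> content type for image parts
    carriers = []  # (filename, content type) for PDF/DOC/DOCX parts
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html += part.get_content()
        elif ctype.startswith("image/") and part.get("Content-ID"):
            images[part["Content-ID"].strip("<>")] = ctype
        elif ctype in QR_CARRIER_TYPES:
            carriers.append((part.get_filename(), ctype))
    # An image referenced from the HTML via cid: renders inside the body,
    # which is where the text reports QR codes now being placed.
    inline_qr_candidates = [c for c in CID_RE.findall(html) if c in images]
    urls = HREF_RE.findall(html)
    return {
        "inline_qr_candidates": inline_qr_candidates,
        "qr_carriers": carriers,
        "urls": urls,
        "risky_urls": [u for u in urls if risky_tld(u)],
    }


def build_sample() -> bytes:
    """Constructed lure, not a real campaign artifact: HTML body with an inline
    (cid:) image, a link on a .ru host, and a PDF attachment."""
    m = EmailMessage()
    m["From"] = "payroll@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Action required: verify your account"
    m.set_content("Scan the code to verify your account.")
    m.add_alternative(
        "<p>Scan to verify:</p>\n"
        '<img src="cid:qr1@lure">\n'
        '<p>Or <a href="https://login-verify.example.ru/auth">sign in here</a></p>\n',
        subtype="html",
    )
    # Placeholder bytes stand in for a rendered QR code image.
    m.get_payload()[1].add_related(b"\x89PNG\r\n\x1a\nQR-PLACEHOLDER",
                                   "image", "png", cid="<qr1@lure>")
    m.add_attachment(b"%PDF-1.4\n%QR-PLACEHOLDER\n", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Each item in `inline_qr_candidates` and `qr_carriers` is what a gateway should hand to a QR decoder and then to the same URL checks as `urls`; the TLD match is a triage signal, not a verdict, since legitimate sites exist on every TLD in the list.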

CAPTCHA-gated phishing evolves

CAPTCHA-gated phishing, where the victim is asked to complete a CAPTCHA before the malicious content loads, rebounded sharply in March, more than doubling to 11.9 million attacks and reaching its highest monthly volume in at least a year. The gate serves two purposes: it keeps automated crawlers and sandboxes from reaching the payload, and it conditions the victim to follow on-screen instructions. ClickFix campaigns take this a step further: the fake verification page instructs the victim to copy a command and run it themselves, so malicious code executes without any exploit or downloaded file.

Delivery methods rotated aggressively: HTML attachments began the year as a top vector, dipped in February, then rose again in March; SVG files spiked in February but fell 57% in March; PDFs rose 356% in March after months of decline; and DOC/DOCX deliveries jumped roughly 373% in March, accounting for about 15% of CAPTCHA-gated payloads. This instability indicates that attackers are actively experimenting to find the payload formats that best evade current defenses, and it shows that CAPTCHA gating has spread beyond a single kit or operator: Tycoon2FA's share of CAPTCHA-gated sites fell to around 41% in March as other actors adopted similar methods.

Business Email Compromise and emerging techniques

Business Email Compromise (BEC) continued to be a significant threat, with approximately 10.7 million BEC incidents reported during the quarter. Much of this activity remains low-effort, generic outreach that nevertheless succeeds against poorly hardened processes and insufficiently verified payment and vendor-change workflows. Meanwhile, Microsoft observed early signs of newer credential-theft approaches such as device code phishing, in which the victim is lured into approving an attacker-initiated OAuth device authorization request on the legitimate sign-in page, sometimes facilitated by tools like EvilTokens, along with other AiTM techniques that manipulate modern authentication flows. These methods are not yet as widespread as QR or CAPTCHA campaigns, but they represent an escalation in sophistication that defenders must monitor.
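As an added example, not from the report and not a description of EvilTokens or any other tool, the following Python simulates the OAuth 2.0 device authorization grant defined in RFC 8628 with an in-process identity provider and shows why the flow is phishable: the party that polls for the token is not the party that authenticates, so the victim passes MFA on the genuine sign-in page and the attacker still receives the token. The endpoint roles and error strings follow the RFC; the provider, client ID, verification URI, IP addresses, and approval log are constructed stand-ins, and the detection heuristic at the end is an assumption for illustration, not any vendor's rule.

```python
"""Simulation of RFC 8628 device authorization and of device code phishing.
Everything here is an in-process stand-in; nothing contacts a real IdP."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

VERIFICATION_URI = "https://idp.example/device"  # constructed


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    client_id: str
    requester_ip: str            # network that called device_authorization
    expires_at: float
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None
    access_token: Optional[str] = None


class IdentityProvider:
    """Stand-in for the device_authorization and token endpoints plus the
    user-facing verification page."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.by_device_code = {}
        self.by_user_code = {}
        self.events = []  # approval events a detection rule can consume

    def device_authorization(self, client_id: str, requester_ip: str) -> dict:
        # RFC 8628 section 3.2: device_code stays with the client, user_code is
        # shown to a human. In a phish, that human is the victim.
        grant = DeviceGrant(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id, requester_ip=requester_ip,
            expires_at=time.time() + self.ttl)
        self.by_device_code[grant.device_code] = grant
        self.by_user_code[grant.user_code] = grant
        return {"device_code": grant.device_code, "user_code": grant.user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.ttl, "interval": 5}

    def verify(self, user_code: str, username: str, approver_ip: str) -> str:
        # The verification page is the genuine IdP: valid certificate, real
        # MFA prompt. Nothing the victim sees is spoofed.
        grant = self.by_user_code.get(user_code)
        if grant is None or time.time() > grant.expires_at:
            return "invalid_or_expired"
        grant.approved_by, grant.approver_ip = username, approver_ip
        self.events.append({"event": "device_code_approved", "user": username,
                            "client_id": grant.client_id,
                            "requester_ip": grant.requester_ip,
                            "approver_ip": approver_ip})
        return "approved"

    def token(self, device_code: str) -> dict:
        # RFC 8628 sections 3.4 and 3.5: the client polls with device_code and
        # gets a standard error name until the user approves.
        grant = self.by_device_code.get(device_code)
        if grant is None or time.time() > grant.expires_at:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        if grant.access_token is None:
            grant.access_token = "at_" + secrets.token_urlsafe(16)
        return {"access_token": grant.access_token, "token_type": "Bearer",
                "sub": grant.approved_by}


def run_phish(idp: IdentityProvider, victim: str = "alice@example.org",
              attacker_ip: str = "203.0.113.7",
              victim_ip: str = "198.51.100.23") -> dict:
    """The attack: attacker initiates, victim approves, attacker collects."""
    # 1. Attacker requests a code for a client that looks first-party.
    resp = idp.device_authorization("trusted-cli-client", attacker_ip)
    # 2. The lure tells the victim to enter resp["user_code"] at
    #    verification_uri, which really is the IdP's own page.
    first_poll = idp.token(resp["device_code"])
    # 3. Victim signs in on the genuine page, passes MFA, approves the code.
    idp.verify(resp["user_code"], victim, victim_ip)
    # 4. Attacker's next poll returns a token for the victim's account even
    #    though the attacker never handled a password or an MFA prompt.
    return {"first_poll": first_poll, "final": idp.token(resp["device_code"])}


def suspicious_approvals(events: list) -> list:
    """Illustrative heuristic (an assumption, not a vendor rule): flag approvals
    where the network that requested the code differs from the one that
    approved it. Legitimate cross-device sign-ins also match, so combine this
    with a client_id allow-list rather than treating it as a verdict."""
    return [e for e in events if e["event"] == "device_code_approved"
            and e["requester_ip"] != e["approver_ip"]]


if __name__ == "__main__":
    provider = IdentityProvider()
    outcome = run_phish(provider)
    print(outcome["first_poll"], "->", outcome["final"])
    print("flagged:", suspicious_approvals(provider.events))
```

The simulation makes the defensive point concrete: phishing-resistant MFA does not help here because the victim authenticated legitimately, so the controls that matter are restricting which clients and users may use the device code flow at all (in Microsoft Entra this is possible through the authentication flows condition in Conditional Access) and alerting on approvals that arrive from a different network than the code request.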

What defenders should do

  • Harden authentication: Prioritize phishing-resistant MFA (hardware security keys, platform authenticators) and reduce reliance on one-time codes and push approvals, both of which an AiTM proxy can relay in real time.
  • Strengthen email-layer defenses: Tune link analysis and image extraction to decode QR-embedded URLs, enable attachment sandboxing for PDF, DOC/DOCX, SVG, and HTML payloads, and apply reputation scoring to freshly registered domains and to the TLD patterns common to PhaaS infrastructure, blocking outright only where business need allows.
  • Enforce anti-phishing policies and automated protections: Use advanced threat protection features that inspect attachments and image contents, and apply safe-link and safe-attachment controls.
  • Improve detection content: Watch for rapid shifts in payload formats and TLD patterns (for example sudden increases in .RU or newer generic TLDs) and adjust detection rules to cover emerging payload distributions such as email-embedded QR codes and CAPTCHA gating.
  • User-focused defenses: Train users not to scan QR codes from unsolicited emails, to verify transaction requests through established channels, and to treat any "verification" page that asks them to copy, paste, or run a command as malicious.
  • Collaborate for disruption: Share intelligence with law enforcement and industry partners—coordinated takedowns and disruption operations can materially reduce campaign effectiveness, even if attackers attempt rapid recovery.

Microsoft Defender detections and response

Microsoft Defender telemetry underpins the trends described above, and detections and mitigations are tuned to identify link-based credential harvesting, malformed or obfuscated attachments, AiTM credential and session-token theft, and the emerging QR and CAPTCHA techniques. Security teams should apply Microsoft Defender for Office 365 protections, keep detection content updated, and use threat intelligence both to block known malicious infrastructure and to hunt proactively for the indicator patterns described for Q1.

Conclusion

Q1 2026 tells two stories at once: attackers rapidly iterating on delivery formats, favoring QR codes, experimenting with CAPTCHA gating, and migrating hosting and registration patterns, while defenders and enforcement actions can still meaningfully disrupt operations. The evolving payload tactics and increasing use of image-based delivery highlight the need for layered defenses that include phishing-resistant authentication, content inspection that reaches into attachments and images, and continual tuning of detection rules based on telemetry. As attackers test new evasion strategies, defenders who combine technical controls, user education, and coordinated disruption will be better positioned to reduce phishing success across enterprises.
