
Email security threats are escalating at an alarming rate. Microsoft detected approximately 8.3 billion email-based phishing threats in the first quarter of 2026, with QR code phishing emerging as the fastest-growing attack method.
The data comes from Microsoft Threat Intelligence and the Microsoft Defender Security Research Team, which tracked email attacks from January through March. This massive volume of threats shows cybercriminals are adapting their tactics, moving away from traditional malware attachments toward more sophisticated social engineering techniques that are harder for security systems to detect.
Link-based attacks dominate threat landscape
Link-based threats accounted for 78% of all phishing activity during the quarter. This represents a significant shift in attacker behavior, as malicious payloads dropped from 19% of attacks in January to just 13% in both February and March.
This trend suggests attackers increasingly rely on links to hosted phishing pages rather than files that render directly on victims’ devices. This approach helps criminals evade traditional email security filters that are better at scanning attachments than analyzing linked content.
Microsoft also recorded about 10.7 million business email compromise attacks during the same period. These campaigns remained largely text-based and typically began with generic opening messages designed to start conversations before making requests for money or sensitive documents.
QR code phishing explodes with 146% growth
The most concerning trend was the sharp rise in QR code phishing attacks. These grew from 7.6 million attacks in January to 18.7 million in March – a staggering 146% increase over just three months.
The growth was sustained month over month:
- 59% increase in February
- 55% increase in March
- March volumes reached the highest monthly level in at least a year
PDF attachments remained the primary delivery method for QR code attacks, with their share rising from 65% in January to 70% in March. While DOC and DOCX files carrying malicious QR codes also increased in raw numbers, their percentage share dropped from 31% to 24%.
A notable shift occurred late in the quarter when attackers began placing QR codes directly in email bodies. This format jumped 336% in March, though it still represented only 5% of total QR code phishing volume.
QR code phishing presents a particular challenge because email security systems typically scan text and links more effectively than image-based content. By embedding malicious links inside QR codes, attackers can direct users to phishing sites through mobile devices that often fall outside corporate security controls.
CAPTCHA-gated attacks surge to record highs
CAPTCHA-gated phishing also showed dramatic changes throughout the quarter. After declining in January and February, these attacks more than doubled in March to 11.9 million – the highest level recorded in the past year.
Attackers actively experimented with different file types to find methods most likely to evade detection:
- HTML attachments started as the leading delivery method, declined mid-quarter, then rose again in March
- SVG files briefly became the main format in February before falling sharply
- PDF attachments showed the strongest growth, more than quadrupling in March
- DOC and DOCX files also climbed sharply
This pattern indicates active experimentation by phishing operators rather than reliance on any single successful format. Email-embedded URLs, once a major route for CAPTCHA-gated phishing, remained below late-2025 levels even after rebounding in March.
Major campaign targets global organizations
One significant campaign in late February delivered more than 1.2 million messages to users at over 53,000 organizations across 23 countries. The emails used themes including pension updates, payment warnings, and voice messages, carrying SVG attachments that opened browsers, displayed fake security checks, and then directed victims to counterfeit sign-in pages.
Tycoon2FA disruption shows enforcement impact
Microsoft highlighted successful disruption efforts against Tycoon2FA, a phishing-as-a-service platform linked to adversary-in-the-middle attacks. Email traffic associated with the platform fell 15% in March following action by Microsoft’s Digital Crimes Unit, Europol, and industry partners against its infrastructure.
The disruption had measurable effects:
- Almost a third of March volume was concentrated in just three days early in the month
- Daily activity for the rest of March fell below historical averages
- Access to live phishing pages also declined
However, the platform adapted quickly. During January and February, Tycoon2FA domains shifted toward newer generic top-level domains such as .digital, .business, and .company. After the March disruption, Microsoft observed a renewed move toward .ru registrations, with more than 41% of Tycoon2FA domains using that suffix from the final week of March onward.
Hosting patterns also changed as Tycoon2FA moved away from Cloudflare near the end of March and began distributing domains across a wider range of alternative services.
Credential theft remains primary objective
Credential theft continued as the main objective in file-based attacks. Credential phishing represented 89% of malicious payload attacks in January, rose to 95% in February, and remained at 94% in March. Traditional malware delivery accounted for just 5% to 6% of payloads by quarter’s end.
A separate HTML phishing campaign in March sent more than 1.5 million malicious messages to over 179,000 organizations in 43 countries. These emails impersonated routine business notifications including payment alerts, invoices, and document requests, using HTML attachments that redirected users through screening pages and CAPTCHA prompts before reaching fake sign-in portals.
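Both the late-February SVG campaign and this HTML campaign relied on attachments that run script or redirect the browser, which a mail pipeline can flag before delivery. The Python below is an added example, not code from Microsoft's report; the feature list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

ACTIVE_EXTS = (".svg", ".htm", ".html")
ACTIVE_TYPES = ("image/svg+xml", "text/html")
URL_ATTRS = ("href", "xlink:href", "src", "action")

class ActiveContentScanner(HTMLParser):
    """Tolerant tag scanner; HTMLParser lowercases tag and attribute names."""
    def __init__(self):
        super().__init__()
        self.findings = set()
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "foreignobject", "iframe"):
            self.findings.add(tag)
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.add("event-handler")
            elif name in URL_ATTRS and value.startswith(("http:", "https:", "//", "javascript:")):
                self.findings.add("external-or-script-url")
            elif tag == "meta" and name == "http-equiv" and value == "refresh":
                self.findings.add("meta-refresh")

def triage(raw_message: bytes) -> dict:
    """Map each SVG/HTML attachment name to the active features found in it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not (name.endswith(ACTIVE_EXTS) or part.get_content_type() in ACTIVE_TYPES):
            continue
        scanner = ActiveContentScanner()
        scanner.feed((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
        scanner.close()
        if scanner.findings:
            report[name] = sorted(scanner.findings)
    return report

def build_sample() -> bytes:
    """Constructed message: one scripted SVG, one static SVG, one redirecting HTML."""
    msg = EmailMessage()
    msg.set_content("Constructed sample body.")
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>location="https://login.example.test/"</script></svg>'
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="voicemail.svg")
    msg.add_attachment(b'<svg><circle r="4"/></svg>', maintype="image", subtype="svg+xml", filename="logo.svg")
    msg.add_attachment('<meta http-equiv="refresh" content="0;url=https://portal.example.test/">', subtype="html", filename="invoice.html")
    return msg.as_bytes()
```

Calling `triage(build_sample())` reports the scripted SVG and the redirecting HTML file and leaves the static image out, so the result can drive a quarantine or attachment-stripping rule without blocking ordinary SVG logos.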
Business email compromise shows steady growth
Business email compromise activity fluctuated throughout the quarter, rising 24% in January, dipping 8% in February, then increasing 26% in March. The composition remained broadly stable, with 82% to 84% of initial contact emails using generic messages such as asking whether recipients were at their desks.
Explicit requests for financial transactions or documents made up only 9% to 10% of BEC attacks. Within this smaller segment, payroll update requests rose in February, while gift card requests fell before rebounding in March, though they remained under 3% of total BEC volume.
The quarter demonstrated that threat actors are actively adjusting both the scale and delivery methods of email attacks. While the disruption of major phishing services like Tycoon2FA shows that coordinated law enforcement action can reduce the immediate effectiveness of criminal infrastructure, the rapid adaptation and continued growth of threats indicate that email security remains a critical challenge for organizations worldwide.