Microsoft detected about 8.3 billion email-based phishing threats in the first quarter of 2026, exposing a sharp shift in attacker behaviour as criminal groups moved deeper into QR codes, fake CAPTCHA pages, phishing-as-a-service kits and file-based payloads to bypass conventional email defences.
The volume eased from about 2.9 billion threats in January to 2.6 billion in March, but the decline in headline numbers masked a more important change in tactics. Link-based threats dominated the quarter, accounting for 78 per cent of email attacks, while credential theft remained the core objective behind malicious payloads. Attackers increasingly favoured hosted phishing infrastructure over locally rendered payloads, making detection harder and allowing campaigns to be adjusted quickly.
QR code phishing emerged as the fastest-growing method. Attacks using QR codes rose from 7.6 million in January to 18.7 million in March, a 146 per cent increase across the quarter. The method has gained traction because QR codes can conceal malicious URLs inside images, email bodies or attachments, pushing victims towards fake sign-in pages on mobile devices that may not be managed by company security systems.
PDF attachments remained the main carrier for QR-code phishing, rising from 65 per cent of QR-code attacks in January to 70 per cent in March. DOC and DOCX files also carried more malicious QR codes in absolute terms, although their share slipped from 31 per cent to 24 per cent. A separate late-quarter shift saw QR codes embedded directly into email bodies jump by 336 per cent in March, signalling an effort to reduce dependence on attachments and exploit weaknesses in image and content scanning.
Fake CAPTCHA pages also expanded as an evasion device. CAPTCHA-gated phishing fell during January and February before more than doubling in March to 11.9 million attacks, the highest monthly level recorded over the previous year. These pages are used to delay automated analysis, reassure victims that a site is legitimate and, in some cases, guide users into executing malicious actions under the appearance of a routine verification step.
Attackers rotated file formats aggressively. HTML attachments began the quarter as the leading delivery route for CAPTCHA-gated phishing, SVG files briefly took the lead in February, and PDF files surged in March after rising more than fourfold from January’s low. DOC and DOCX files climbed almost five times in March and accounted for 15 per cent of payloads, underscoring how threat groups are testing which formats pass through corporate defences most reliably.
A major campaign between February 23 and February 25 sent more than 1.2 million messages to users at more than 53,000 organisations across 23 countries. The lures included 401 updates, credit hold warnings, payment questions, overdue invoice requests and voice message notifications. Another large HTML phishing campaign on March 17 generated more than 1.5 million confirmed malicious messages aimed at over 179,000 organisations in 43 countries.
Phishing-as-a-service infrastructure continued to shape the threat landscape. Tycoon2FA, tracked as Storm-1747, has become one of the more prominent platforms by leasing infrastructure and selling kits that imitate enterprise sign-in pages. Its adversary-in-the-middle techniques are designed to steal credentials and session tokens, threatening accounts even where non-phishing-resistant multifactor authentication is in use.
Disruption activity in early March reduced Tycoon2FA-linked email volume by 15 per cent during the rest of the month and impaired access to active phishing pages. The group adapted by shifting hosting providers and domain patterns, with more than 41 per cent of associated domains using .RU registrations from the final week of March. Its movement away from Cloudflare towards a wider mix of hosting services suggests an attempt to rebuild anti-analysis protections and restore campaign resilience.
Business email compromise remained a significant threat, with about 10.7 million attacks detected in the quarter. The pattern shifted from familiar gift-card scams towards payroll and tax-themed approaches, particularly during February, reflecting seasonal opportunities around employee records, salary processes and financial reporting.
Also published on Medium.