QR code phishing grew 146% in three months, CAPTCHA-gated attacks hit their highest monthly volume in a year, and business email compromise generated 10.7 million incidents, all while attackers shifted the dangerous part of the attack further away from the email itself.
What happened
Microsoft Threat Intelligence detected approximately 8.3 billion email-based phishing threats in Q1 2026, according to the company's Q1 2026 email threat landscape report published April 30. Monthly volumes declined slightly from 2.9 billion in January to 2.6 billion in March, but the composition of attacks shifted materially. QR code phishing grew from 7.6 million attacks in January to 18.7 million in March, a 146% increase over the quarter, making it the fastest-growing attack vector Microsoft tracked. CAPTCHA-gated phishing surged 125% in March to 11.9 million attacks, the highest monthly volume in a year. Credential theft was the objective behind 94% of payload-based attacks by the end of the quarter. Microsoft also recorded 10.7 million business email compromise (BEC) attacks across Q1, with generic conversational messages such as "are you at your desk?" accounting for 82 to 84% of initial contact emails each month.
Going deeper
Two large campaigns during the quarter illustrate the scale individual operations can reach. Between February 23 and 25, a single SVG attachment campaign delivered 1.2 million messages to more than 53,000 organizations across 23 countries, using lures including 401k updates, unpaid invoices, and credit hold warnings. On March 17, an HTML attachment campaign sent 1.5 million confirmed malicious messages to 179,000 organizations in 43 countries, with final phishing endpoints spread across multiple phishing-as-a-service (PhaaS) platforms, including Tycoon2FA, Kratos, and EvilTokens. According to SC World, 70% of QR code phishing was delivered via PDF attachments by March, with QR codes embedded directly in email bodies surging 336% as attackers eliminated the attachment step entirely. Tycoon2FA's share of CAPTCHA-gated phishing infrastructure fell from over 75% at the end of 2025 to 41% by March, not because the technique became less effective, but because other operators adopted the same approach, spreading the capability across a wider set of tools and actors.
What was said
Microsoft Threat Intelligence and the Microsoft Defender Security Research Team stated in their report that "the most significant shift in Q1 2026 was the rapid escalation of QR code phishing, with attack volumes increasing from 7.6 million in January to 18.7 million in March, a 146% increase over the quarter." On Tycoon2FA's partial recovery after law enforcement disruption, Microsoft noted that "disruption displaced the threat rather than eliminating it," with the platform migrating domain registrations toward RU top-level domains and shifting away from Cloudflare hosting to alternative providers offering anti-analysis protections.
In the know
The Europol and Microsoft disruption of Tycoon2FA in early March 2026 provides the clearest illustration of how enforcement affects but does not eliminate PhaaS platforms. According to the Microsoft Security Blog, Tycoon2FA volume fell 15 percent in March following the action, with one-third of that month's volume concentrated in a narrow three-day window immediately after the disruption. The platform then adapted, rotating infrastructure and domain registrars rather than ceasing operations. The broader effect of the disruption may have contributed to CAPTCHA-gated phishing volume rising overall, as Tycoon2FA operators and kit buyers migrated to alternative platforms, expanding the technique's reach across the ecosystem rather than reducing it.
The big picture
The Q1 2026 data confirms a structural shift in how phishing campaigns are built. Attackers are moving the credential-harvesting step out of the email itself and into external infrastructure, accessed via QR codes that redirect to mobile browsers, CAPTCHA gates that block automated scanners, and hosted phishing pages served from legitimate cloud infrastructure. Each step is designed to place the dangerous content outside the inspection layer that email security tools operate in. For healthcare organizations specifically, the BEC finding carries direct operational weight: 82 to 84% of initial BEC contact emails are generic conversational messages with no explicit payment request, meaning filters trained to flag financial language will miss most of the opening moves. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, making Microsoft's own telemetry on how these attacks are changing directly relevant to the platforms most healthcare IT teams are defending.
FAQs
Why are QR codes increasingly used in phishing emails?
QR codes encode the malicious URL as an image, which most email security tools cannot scan or resolve. The attack also moves the interaction to a personal mobile device, which typically sits outside the organization's security perimeter and monitoring coverage.
What is a CAPTCHA-gated phishing page, and why does it help attackers avoid detection?
A CAPTCHA challenge placed before the phishing page blocks automated security crawlers and sandboxes from reaching the malicious content, because those tools cannot solve the CAPTCHA. Only a human victim completes the challenge and reaches the fake login page, meaning the phishing URL passes reputation checks without triggering detection.
What does the decline in Tycoon2FA's market share actually mean for the threat landscape?
Tycoon2FA's share falling from 75 to 41% of CAPTCHA-gated infrastructure does not reflect a reduction in total CAPTCHA-gated phishing. The overall volume of that technique surged in Q1 2026. What changed is that more operators and competing kits adopted the same approach, spreading capability across a wider ecosystem rather than concentrating it in one platform.
Why do most BEC emails avoid mentioning money in the first message?
Opening with a neutral conversational message, such as confirming availability, avoids the financial language keywords that email security filters are trained to flag. The explicit payment or data request comes only after the target has replied and established a dialogue, at which point the conversation is already inside a trusted thread.
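The detection consequence of this answer is that a rule keyed on payment language sees nothing in the opening message. The following is an added example, not code from Microsoft's report or from Paubox: a small scoring rule that triages the opener on sender and structure signals instead (external or lookalike sender, display name of a known executive, free webmail address, Reply-To mismatch, a generic availability phrase, a very short body). The organization domain, executive names, opener phrases, weights and the four sample messages are all constructed assumptions for the demo; a production system would additionally consume SPF/DKIM/DMARC results and sender history.

```python
"""Score short conversational BEC openers that contain no financial language.

Added example, not code from Microsoft's report or from Paubox. The
organisation domains, executive names, opener phrases and weights are
assumptions chosen for the demo; the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}            # assumed: the defended organisation
EXEC_NAMES = {"jane doe"}                # assumed: names worth impersonating
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Generic availability openers of the kind the report describes.
OPENERS = [
    r"\bare you (at your desk|available|in the office|free)\b",
    r"\b(do you have|got) a (moment|minute|sec)\b",
    r"\bquick (favou?r|task|request)\b",
]
# What a finance-keyword filter alone would look for.
FINANCE = re.compile(r"\b(invoice|wire|payment|gift ?cards?|transfer|bank)\b", re.I)

# Weights are assumptions; the message is held for review at HOLD_AT or above.
WEIGHTS = {
    "external sender": 1,
    "display name matches an executive, address is external": 2,
    "free webmail sender": 1,
    "Reply-To domain differs from From domain": 1,
    "generic availability opener": 1,
    "very short body": 1,
}
HOLD_AT = 4


def _parts(header):
    """Return (display name, address, domain), all lower-cased."""
    name, addr = parseaddr(header or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def score_message(raw: bytes) -> dict:
    """Return the triggered signals, their total weight and a hold decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = " ".join((part.get_content() if part else "").split()).lower()
    name, _, domain = _parts(msg["From"])
    _, reply_addr, reply_domain = _parts(msg["Reply-To"])

    hits = []
    external = bool(domain) and domain not in ORG_DOMAINS
    if external:
        hits.append("external sender")
    if external and name in EXEC_NAMES:
        hits.append("display name matches an executive, address is external")
    if domain in FREE_MAIL:
        hits.append("free webmail sender")
    if reply_addr and reply_domain != domain:
        hits.append("Reply-To domain differs from From domain")
    if any(re.search(p, text) for p in OPENERS):
        hits.append("generic availability opener")
    if len(text.split()) <= 30:
        hits.append("very short body")

    score = sum(WEIGHTS[h] for h in hits)
    return {
        "score": score,
        "hits": hits,
        "hold": score >= HOLD_AT,
        "finance_keywords": bool(FINANCE.search(text)),
    }


# Constructed sample messages (not real traffic).
SAMPLES = {
    "bec_opener": b"""From: Jane Doe <jane.doe.ceo@gmail.com>
To: mark@example.com
Subject: Quick question
Content-Type: text/plain; charset=utf-8

Hi Mark, are you at your desk? I need you to handle something for me. Sent from my iPhone
""",
    "lookalike_domain": b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <janedoe.office@outlook.com>
To: mark@example.com
Subject: Available?
Content-Type: text/plain; charset=utf-8

Got a minute? Let me know when you are free.
""",
    "internal_colleague": b"""From: Jane Doe <jane.doe@example.com>
To: mark@example.com
Subject: lunch
Content-Type: text/plain; charset=utf-8

Are you at your desk? Lunch at 12?
""",
    "vendor_invoice": b"""From: Billing <billing@vendor.example.net>
To: ap@example.com
Subject: Invoice 10423
Content-Type: text/plain; charset=utf-8

Please find attached invoice 10423 for March services. Payment is due in 30 days.
""",
}


def triage(samples=SAMPLES) -> dict:
    """Score every sample; returns {name: score_message(...)}."""
    return {k: score_message(v) for k, v in samples.items()}


if __name__ == "__main__":
    for k, r in triage().items():
        print(f"{k:18} score={r['score']} hold={r['hold']} "
              f"finance_kw={r['finance_keywords']} {r['hits']}")
```

Running it shows the inversion the answer describes: the two opener messages contain no finance keywords at all yet are held on sender and structure signals, while the legitimate vendor invoice, which is the only message a finance-keyword filter would react to, is released. The internal colleague asking the same question scores below the threshold because the executive-impersonation and external-sender signals never fire.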
What authentication method does Microsoft recommend against AiTM phishing?
Microsoft recommends phishing-resistant MFA using FIDO2 hardware security keys or certificate-based authentication. Unlike SMS codes, authenticator app one-time passwords, or push notifications, FIDO2 authentication is cryptographically bound to the legitimate domain and cannot be intercepted or replayed by an adversary-in-the-middle platform.
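To make the phrase "cryptographically bound to the legitimate domain" concrete, the following added example (not Microsoft's code and not a reference WebAuthn implementation) shows the relying-party checks that give FIDO2 its AiTM resistance: the signed clientDataJSON carries the origin the browser actually loaded, the authenticator data carries a hash of the relying party ID, and the challenge is per-login. The relying party name, the hypothetical proxy origin and all sample values are constructed; the final signature verification over authenticatorData || SHA-256(clientDataJSON) with the stored credential public key is deliberately left out, since it needs a crypto library and is not where the origin binding lives.

```python
"""Relying-party checks that bind a FIDO2/WebAuthn assertion to the origin.

Added example, not Microsoft's code and not a complete WebAuthn verifier.
RP_ID, ALLOWED_ORIGINS and the proxy origin are assumptions for the demo;
the signature check over authData || sha256(clientDataJSON) is omitted.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "login.example.com"                        # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}    # origins the RP serves


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the origin comes from the
    page the browser actually loaded, not from anything the page can set."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """The checks a relying party runs before verifying the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Signature over auth_data + sha256(client_data) would be checked here.
    return True, "ok"


def verify_otp(submitted: str, expected: str) -> bool:
    """Contrast: a relayed one-time code carries no origin or session binding."""
    return submitted == expected


def demo() -> dict:
    challenge = os.urandom(32)  # issued by the RP for this login attempt

    legit = verify_assertion(make_client_data("https://login.example.com", challenge),
                             make_auth_data(RP_ID), challenge)

    # AiTM case: the victim's browser is on the proxy's origin (hypothetical
    # name) and the proxy relays the RP's real challenge. The browser records
    # the origin it loaded inside the signed clientDataJSON, and it will only
    # let the page use an RP ID that is a registrable suffix of that origin,
    # so the rpIdHash cannot be the RP's either.
    proxy_origin = "https://login.example-com.invalid"
    relayed = verify_assertion(make_client_data(proxy_origin, challenge),
                               make_auth_data("login.example-com.invalid"), challenge)

    # A stale assertion with the right origin still fails on the challenge.
    stale = verify_assertion(make_client_data("https://login.example.com", os.urandom(32)),
                             make_auth_data(RP_ID), challenge)

    # The same relay against an OTP succeeds: nothing ties the code to where
    # the user typed it.
    otp_relayed = verify_otp("482913", "482913")

    return {"legit": legit, "aitm_relay": relayed, "stale": stale,
            "otp_relayed": otp_relayed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

The relayed assertion is rejected on the origin check even though the challenge is the relying party's genuine one, which is exactly the step an AiTM platform cannot fake: the origin string is produced by the browser and covered by the authenticator's signature. The OTP line shows the contrast the answer draws, since a code typed into a proxy page verifies just as well as one typed into the real site.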