Microsoft: QR code, CAPTCHA-gated phishing more than double in Q1 2026

SC Media | Email Security | May 05, 2026

Microsoft published insights into the Q1 2026 email threat landscape on Thursday, noting a more than two-fold increase in QR code and CAPTCHA-gated phishing attacks between January and March.

The company detected about 8.3 million email-based phishing attacks throughout Q1, with 78% being link-based and 94% targeting credentials by the end of March.

QR code phishing was identified as the fastest-growing email phishing vector, with a 146% increase from 7.6 million attacks in January to 18.7 million in March. “By the end of the quarter, QR code phishing had reached its highest monthly volume in at least a year,” Microsoft Threat Intelligence and the Microsoft Defender Security Research Team wrote.

As of March, most malicious QR codes were delivered via PDF attachments (70%) or DOC/DOCX files (24%). While QR codes embedded directly into email bodies made up only about 5% of these attacks, Microsoft noted a 336% increase in this delivery method in March.

CAPTCHA-gated phishing pages also saw a notable increase of 125% in March, with the total volume of these attacks reaching 11.9 million that month, the highest volume seen over the past year, Microsoft said. “By forcing users to engage with the CAPTCHA before accessing the payload, threat actors reduce the likelihood of automated scanning tools identifying the threat and increase the chances of successful credential harvesting or malware delivery,” the Microsoft researchers wrote.

PDF files were the most common delivery method for CAPTCHA-gated phishing links by the end of the quarter, seeing a 356% increase between January and March. Before that, HTML attachments were the most common delivery method in January and SVG files were the most common in February. Links embedded directly into email bodies, which had made up 50% of CAPTCHA-gated phishing attacks in August 2025, fell by 85% between December and February, hitting an eight-month low.

Tycoon2FA disruption led to decrease

The disruption of the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March was cited as a likely factor in the 15% decrease in Tycoon2FA-related phishing attacks that month, following a 44% increase in such attacks the previous month. Microsoft also noted that Tycoon2FA’s share of CAPTCHA-gated phishing infrastructure fell from more than 75% at the end of 2025 to 41% in March.

While Tycoon2FA was noted to have made a partial recovery since the global takedown effort, the operation has been forced to shift its tactics, moving away from Cloudflare-hosted infrastructure and adopting new top-level domains (TLDs). Prior to February 2026, the TLD most commonly used by the group was “.sa.com,” but more than 41% of Tycoon2FA domains now use the “.ru” TLD, Microsoft said.

The report highlights two high-volume phishing attacks during Q1 2026. One was a three-day malicious SVG attachment campaign using CAPTCHA-gated phishing pages that involved 1.2 million messages sent to more than 53,000 organizations across 23 countries between Feb. 23 and Feb. 25, 2026. This campaign used lures related to 401k updates, unpaid invoices, credit holds and voice message notifications, and included a fake confidentiality disclaimer in an attempt to enhance credibility.

The other attack highlighted was an HTML attachment campaign detected on March 17, 2026, involving 1.5 million messages sent to more than 179,000 organizations in 43 countries, which leveraged a variety of PhaaS platforms including Tycoon2FA, Kratos and EvilTokens. These emails had little or no message body content but used subject lines and file names related to routine business operations such as invoice payment or e-signature requests, and also used CAPTCHA-gated phishing pages to collect credentials.

Overall, HTML files made up the largest proportion of phishing attachments in Q1 2026, at 31%, followed by PDFs (28%), SVGs (19%) and DOC/DOCX files (12%). Links included directly in message bodies were seen in 10% of all attacks. Emails attempting to directly deliver malware made up only about 5% to 6% of attacks, continuing a long-term trend of decline.

Business email compromise (BEC), defined as attempts to lure a victim into making fraudulent financial transactions or transmitting sensitive documents via email, totaled about 10.7 million attacks in Q1 2026, with generic outreach messages such as “Are you at your desk?” making up 82% to 84% of these emails. “This pattern underscores that BEC operators overwhelmingly favor establishing a conversation rapport before making fraudulent requests, rather than leading with direct financial asks,” the researchers said.

To combat email threats, Microsoft recommends investing in employee awareness training and phishing simulations, shifting to passwordless authentication methods, and enforcing multi-factor authentication to reduce the risk of credential theft. For users of Microsoft Defender for Office 365 and other Microsoft security products, the company encourages the use of recommended settings such as enabling zero-hour auto purge (ZAP), Safe Links and Safe Attachments.
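The delivery-vector observations above (HTML, SVG, PDF and DOC/DOCX attachments as phishing carriers, near-empty bodies paired with invoice or e-signature subjects, script-bearing SVGs, and the “Are you at your desk?” BEC opener) translate directly into mail-triage indicators a defender can run at the gateway or in a SOC pipeline. The script below is an added example written for this page; it is not code from SC Media or from Microsoft, and it uses only the Python standard library. The indicator weights, the 40-character "little or no body" threshold, the keyword lists, and the sample messages are all constructed assumptions for illustration, not values taken from the report.

```python
"""Mail-triage indicators modelled on the Q1 2026 observations in the article.
Added example, not the article's or Microsoft's code. Weights, thresholds and
keyword lists are assumptions; the sample messages are constructed."""
import email
from email import policy
from email.message import EmailMessage

# Attachment types the report names as phishing carriers (QR codes travel in
# PDF/DOC/DOCX; CAPTCHA-gated links in HTML/SVG/PDF).
CARRIER_EXTENSIONS = {"html", "htm", "svg", "pdf", "doc", "docx"}
# Subject / filename themes from the two highlighted campaigns (assumed list).
LURE_TERMS = ("invoice", "e-sign", "esign", "401k", "credit hold",
              "voice message", "voicemail")
# Generic BEC rapport openers; the article quotes the first one (assumed list).
BEC_OPENERS = ("are you at your desk", "are you available", "quick favor")
SHORT_BODY_CHARS = 40  # assumed threshold for "little or no body content"
WEIGHTS = {            # assumed weights, tune to local false-positive tolerance
    "attachment:html": 2, "attachment:htm": 2, "attachment:svg": 2,
    "attachment:pdf": 1, "attachment:doc": 1, "attachment:docx": 1,
    "svg-script": 3, "lure-subject": 1, "lure-filename": 1,
    "empty-body-with-attachment": 2, "bec-rapport-opener": 3,
}


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the indicator tags it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""
    tags = set()
    has_attachment = False
    for part in msg.iter_attachments():
        has_attachment = True
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in CARRIER_EXTENSIONS:
            tags.add(f"attachment:{ext}")
        if any(term in name for term in LURE_TERMS):
            tags.add("lure-filename")
        if ext == "svg":
            # An SVG carrying <script> is an active document, not a picture.
            data = part.get_payload(decode=True) or b""
            if b"<script" in data.lower():
                tags.add("svg-script")
    if any(term in subject for term in LURE_TERMS):
        tags.add("lure-subject")
    carrier_seen = any(t.startswith("attachment:") for t in tags)
    if has_attachment and carrier_seen and len(body) < SHORT_BODY_CHARS:
        tags.add("empty-body-with-attachment")
    if not has_attachment and any(o in body.lower() for o in BEC_OPENERS):
        tags.add("bec-rapport-opener")
    score = sum(WEIGHTS.get(t, 0) for t in tags)
    return {"subject": str(msg["Subject"]), "tags": sorted(tags), "score": score}


def build_sample(subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed test message; addresses and content are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        filename, data, maintype, subtype = attachment
        m.add_attachment(data, maintype=maintype, subtype=subtype,
                         filename=filename)
    return m.as_bytes()


# Constructed samples mirroring the campaign shapes described in the article.
SAMPLES = {
    "invoice_html": build_sample(
        "Invoice payment", "",
        ("Invoice_4471.html", b"<html><body>Open the attached invoice</body></html>",
         "text", "html")),
    "voicemail_svg": build_sample(
        "New voice message", "Please see the attached voice message notification.",
        ("voicemail.svg",
         b'<svg xmlns="http://www.w3.org/2000/svg"><script>/*redirect*/</script></svg>',
         "image", "svg+xml")),
    "bec_opener": build_sample("Hi", "Are you at your desk? I need a quick favor."),
    "benign": build_sample("Lunch on Friday?", "Want to grab lunch on Friday at noon?"),
}


def run_all() -> dict:
    """Triage every sample; returns {name: result} for inspection or testing."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:14} score={result['score']:2} tags={result['tags']}")
```

The tags are deliberately descriptive rather than a single verdict so they can feed an existing SIEM or mail-flow rule as enrichment; a gateway would typically quarantine or hold for review above some score and let the rest through. Real PDF-borne QR codes need image decoding that is out of scope here, which is why PDF and DOC/DOCX attachments are only carrier-flagged.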