
Microsoft Detects 8.3 Billion Email Phishing Threats in Q1 2026 - SQ Magazine

SQ Magazine Archived May 05, 2026 ✓ Full text saved

✦ AI Summary · Claude Sonnet


On April 30, 2026, Microsoft Threat Intelligence reported detecting approximately 8.3 billion email-based phishing threats during Q1 2026, with QR code phishing attacks surging 146% over the quarter, according to Microsoft.

Key Points

- QR code phishing grew from 7.6 million attacks in January to 18.7 million in March, a 146% increase over the quarter, with 70% delivered via PDF attachments by March.
- CAPTCHA-gated phishing surged 125% in March to 11.9 million attacks, the highest monthly volume in one year.
- Credential phishing dominated payload-based attacks, rising from 89% in January to 94% in March.
- Microsoft detected 10.7 million business email compromise attacks across Q1 2026.
- A single HTML phishing campaign on March 17 delivered more than 1.5 million confirmed malicious messages to 179,000 organizations across 43 countries.

What Happened?

Microsoft published its Q1 2026 email threat landscape report on April 30, 2026, drawing on detection telemetry from Microsoft Defender for Office 365. The company detected approximately 8.3 billion email-based phishing threats between January and March 2026. Link-based attacks accounted for 78% of all email threats during the quarter. Malicious payloads represented 19% of attacks in January, declining to 13% by February and March. January recorded 2.9 billion threats and March recorded 2.6 billion threats.

Microsoft Threat Intelligence announced the findings on April 30, 2026, via its official X account.

In the first quarter of 2026, Microsoft Threat Intelligence detected approximately 8.3 billion email-based phishing threats, with QR code phishing more than doubling within the period and CAPTCHA gated campaigns evolving rapidly across delivery methods. https://t.co/cEpRWHgRVe — Microsoft Threat Intelligence (@MsftSecIntel) April 30, 2026

QR Code and CAPTCHA Phishing Surge

QR code phishing attacks grew from 7.6 million in January to 18.7 million in March, representing a 146% increase over the quarter. PDF-delivered QR code phishing rose from 65% in January to 70% of total volume by March, over the same period that overall QR attacks surged 146%. PDF-embedded QR codes bypass link scanning because the URL sits encoded in a QR image. QR codes embedded directly in email bodies surged 336% in March, accounting for 5% of total QR code phishing volume.

CAPTCHA-gated phishing surged 125% in March to 11.9 million attacks, reaching the highest monthly volume in one year. Tycoon2FA, operated by the threat actor tracked as Storm-1747, saw its share of CAPTCHA-gated phishing decline from over 75% in late 2025 to 41% by March 2026 as competing phishing-as-a-service platforms gained market share.

Large-Scale Campaigns and Payload Shifts

A large-scale SVG phishing campaign between February 23 and 25 sent 1.2 million messages targeting more than 53,000 organizations across 23 countries. On March 17, a single HTML phishing campaign delivered more than 1.5 million confirmed malicious messages to 179,000 organizations across 43 countries, accounting for 7% of all March malicious HTML attachments.

Credential phishing dominated payload-based attacks throughout the quarter, rising from 89% in January to 94% in March. Traditional malware delivery dropped to 5-6% of payloads by quarter end. HTML attachments represented 31% of payloads in March after a 175% increase, while PDF attachments reached 28% after reaching the highest monthly volume in over one year.

Implications for Enterprise Security

Following an early-March disruption action, Tycoon2FA volume declined 15% in March, with one-third of March volume concentrated in a three-day period early in the month. Over the same period, 41% of Tycoon2FA domains had shifted to .RU TLD registrations by late March. The domain migration suggests disruption displaced the threat rather than eliminating it.

Microsoft detected 10.7 million total business email compromise attacks in Q1 2026. Generic outreach messages accounted for 82-84% of BEC content, while explicit financial transaction and document requests made up 9-10%. Payroll update requests grew 15% in February, reflecting tax season effects. Gift card requests fell 37% in February and rebounded 108% in March.

Microsoft recommends enabling zero-hour auto purge and implementing passwordless authentication through FIDO keys or Microsoft Authenticator. Defenders should review QR code scanning capabilities given the shift to PDF-embedded delivery. Related cybersecurity threat data and attack statistics track these trends.

SQ Magazine’s Takeaway

Phishing-as-a-service platforms have industrialized credential theft. The approximately 8.3 billion threats detected in a single quarter confirm the defensive burden is shifting toward endpoint detection and user awareness training. Security teams should watch for PDF-based QR code delivery expanding through Q2 2026 and update conditional access policies for the .RU TLD migration pattern.
Article Info
Source: SQ Magazine
Category: Email Security
Published: May 05, 2026
Archived: May 05, 2026