Why your clients are failing the 2026 email security test - Managed Services Journal

If you’ve been in the channel as long as I have, you remember when a phishing email was easy to spot because of poor grammar or a weirdly formatted logo. Those days are officially over. According to the Barracuda 2026 Email Threats Report, which analyzed over 3.1 billion emails, we’re seeing an industrialization of cybercrime that should change how you talk to your clients about risk. The report found that 90 percent of high-volume phishing campaigns now use phishing-as-a-service (PhaaS) kits. These kits allow even low-skilled attackers to launch professional-grade campaigns, and when you combine that with AI-driven social engineering, the success rates skyrocket. You need to understand that 48 percent of all malicious email activity is now phishing. This isn’t just a volume game anymore (though 1 in 3 emails being malicious or unwanted is a staggering volume). It’s about precision. Attackers are using AI to create highly convincing messages that bypass the traditional sniff test your clients’ employees have been trained on. Because these attacks are so effective and easy to scale, the old ways of just checking for bad files won’t work. The report shows a clear move away from file-based payloads toward URL-based delivery, meaning the threat is often a link to a credential-harvesting site rather than a piece of malware in a zip file. Why QR codes and HTML attachments are the new front lines One of the most eye-opening statistics in the report involves something your clients likely use every day: the QR code. We’re seeing an explosion in quishing, or QR code phishing, because attackers know that many traditional security scanners still struggle to parse images effectively. The data is clear (70 percent of malicious PDFs now contain QR codes that lead straight to phishing websites). Your customers’ employees are used to scanning these codes for everything from restaurant menus to two-factor authentication, making them a perfect psychological trap. If your current email security solution isn’t specifically inspecting the destinations behind these codes, you’ve got a massive hole in your service offering. It isn’t just QR codes you need to worry about. The report also highlights that more than 10 percent of HTML attachments are now malicious. These are often used to hide credential-harvesting forms or to redirect users to fake login pages that look exactly like the Microsoft 365 or Google Workspace portals your clients use. Because these files are technically clean from a traditional malware perspective, they frequently slip past basic gateways. As an MSP, you have to realize that the attachment itself is becoming a container for a web-based attack, requiring a security layer that can follow the trail all the way to the final URL. The persistent nightmare of monthly account takeovers If you want a statistic that will get a CEO’s attention, it’s this one: 34 percent of companies experience at least one account takeover (ATO) incident every single month. That means for every three clients you manage, at least one is likely dealing with a compromised account right now. When an attacker gains control of a legitimate internal inbox, they aren’t just a threat to that one user. They are a threat to the entire organization’s trust. They can send internal emails that bypass almost every external filter, leading to lateral phishing and business email compromise (BEC). This trend underscores why identity is the new perimeter in 2026. Attackers are exploiting ATO techniques to deliver messages from compromised, trusted inboxes, which is why prevention alone isn’t enough. You have to be able to detect the subtle signs of a compromised account, such as unusual login locations or sudden changes in mail forwarding rules. If you’re only selling a “set it and forget it” gateway, you’re leaving your clients exposed to the most damaging type of threat (one that comes from inside the house). How to evolve your MSP security stack for 2026 So, what does this mean for your business and your technology stack? First, you have to move beyond the gateway. While a strong gateway is still necessary, it clearly isn’t sufficient when 1 in 3 emails is problematic. You need to bundle in integrated, multilayered email protection that includes identity-based security and automated incident response. If you’re not already offering some form of managed detection and response (MDR) or SOC-as-a-service that monitors for account takeovers, now is the time to start. The 34 percent monthly ATO rate is a clear mandate for constant monitoring. You should also look at how you’re training your clients. Standard security awareness training needs to be updated to specifically include quishing and the dangers of HTML attachments. But more importantly, you need to sell the idea of cyber resilience. This means admitting that some attacks will get through and having the tools in place to catch them fast and remediate them automatically. By focusing on a broader strategy that covers email, identity, and endpoints, you’re not just selling a tool; you’re providing the continuity that Barracuda’s report says is at the front line of modern business. Use this data to show your clients that the threat has evolved, and their protection must evolve with it.