
Email threat landscape: Q1 2026 trends and insights

In Q1 2026, Microsoft observed 8.3 billion email-based phishing threats, characterized by a 146% surge in QR code phishing and rapid evolution in CAPTCHA-gated payload delivery. Despite disruption efforts against the Tycoon2FA adversary-in-the-middle (AiTM) platform, threat actors quickly adapted their infrastructure, while Business Email Compromise (BEC) remained highly prevalent using conversational social engineering.

Confidence: high
Analyzed: 2026-04-30

Authors: Microsoft Threat Intelligence

Actors: Storm-1747, Tycoon2FA, RedVDS, EvilTokens, Kratos

Source: Microsoft


What Happened

During the first three months of 2026, cybercriminals sent over 8 billion malicious emails, heavily relying on fake QR codes and fake CAPTCHA security checks to trick people. Organizations and employees using standard email and basic multi-factor authentication are the primary targets. This matters because these techniques are specifically designed to bypass traditional security filters and steal login credentials. To protect against these attacks, organizations should use advanced authentication methods like security keys, train employees to recognize fake QR codes, and enable advanced email filtering tools.

Key Takeaways

  • QR code phishing attacks surged 146% in Q1 2026, reaching 18.7 million in March, with a notable increase in email-embedded QR codes.
  • CAPTCHA-gated phishing volumes more than doubled in March, heavily utilizing PDF and DOC/DOCX attachments to evade automated analysis.
  • Microsoft disrupted the Tycoon2FA PhaaS platform in March, causing a temporary drop in volume and forcing the threat actors to shift to .RU domains and alternative hosting.
  • Business Email Compromise (BEC) attacks totaled 10.7 million, with over 80% relying on generic conversational outreach rather than immediate financial requests.
  • Threat actors are increasingly using fake confidentiality disclaimers and base64-encoded recipient emails in attachment filenames to increase credibility and bypass filters.

Affected Systems

  • Enterprise email systems
  • Microsoft 365
  • Accounts using non-phishing-resistant MFA

Attack Chain

Threat actors initiate contact via email using social engineering lures, often impersonating routine business notifications or financial alerts and utilizing fake confidentiality disclaimers. The emails deliver malicious payloads via attachments (HTML, PDF, SVG, ZIP) or embedded QR codes to bypass text-based security filters. Upon interaction, victims are frequently presented with a fake CAPTCHA page to evade automated analysis before being redirected to an adversary-in-the-middle (AiTM) phishing page. These pages, often hosted on PhaaS infrastructure like Tycoon2FA, harvest the victim's credentials and session tokens, bypassing non-phishing-resistant MFA.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Microsoft Defender for Endpoint, Microsoft Defender for Office 365

Microsoft provides built-in alerts for Defender for Endpoint and Defender for Office 365, including detections for AiTM phishing connections, malicious URL clicks, and suspicious email sending patterns.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect local browser processes launching from downloaded attachments (HTML/SVG) and their subsequent network connections, but the initial delivery is primarily an email/network vector.
  • Network Visibility: High. Network telemetry can identify connections to known AiTM infrastructure, unusual TLDs (.RU, .DIGITAL), and traffic to CAPTCHA-gated phishing domains.
  • Detection Difficulty: Moderate. The heavy use of CAPTCHAs, QR codes, and rapidly shifting PhaaS infrastructure makes automated payload analysis difficult, so behavioral and identity-based detections are required.

Required Log Sources

  • Email Gateway Logs
  • Web Proxy Logs
  • DNS Logs
  • Browser Execution Logs

Hunting Hypotheses

  • Hypothesis: Look for email attachments (SVG, HTML, PDF) containing base64-encoded email addresses in the filename, which may indicate targeted phishing delivery.
    • Telemetry: Email Gateway Logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Low
  • Hypothesis: Monitor for unexpected spikes in authentication attempts originating from unusual ASNs or hosting providers shortly after a user interacts with an email link, indicating potential AiTM token theft.
    • Telemetry: Identity/Authentication Logs
    • ATT&CK Stage: Credential Access
    • FP Risk: Medium
  • Hypothesis: Search for web traffic to newly registered domains using .RU, .DIGITAL, or .BUSINESS TLDs immediately following the opening of an email attachment.
    • Telemetry: Web Proxy Logs, DNS Logs
    • ATT&CK Stage: Execution
    • FP Risk: Medium

Control Gaps

  • Text-based email scanning engines (bypassed by QR codes)
  • Automated sandboxes (bypassed by CAPTCHAs)
  • Standard MFA (bypassed by AiTM)

Key Behavioral Indicators

  • Base64-encoded strings in attachment filenames
  • Excessively long, keyword-stuffed sender usernames
  • Browser processes spawned by PDF/SVG readers making external network connections
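The first hunting hypothesis and the first two behavioral indicators above can be checked mechanically. The following is an added example, not code from the Microsoft report: it decodes candidate base64 tokens in attachment filenames to recover an embedded recipient address and flags sender local parts that are over-long or carry URL structure. All sample filenames, addresses and sender names are constructed.

```python
import base64
import re
from typing import List, Optional

# Added example, not code from the Microsoft report: hunting logic for two of the
# behavioural indicators above. All sample values below are constructed.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Candidate tokens: 16+ base64-alphabet chars. "_" is excluded because the
# reported filenames use it as the separator around the encoded address.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=\-]{16,}")


def decode_base64_email(token: str) -> Optional[str]:
    """Return the address if `token` is base64 (standard or URL-safe) of an email."""
    padded = token + "=" * (-len(token) % 4)   # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except Exception:                       # bad padding, non-UTF-8 bytes, ...
            continue
        if EMAIL_RE.match(text):
            return text
    return None


def find_encoded_recipient(filename: str) -> Optional[str]:
    """Scan an attachment filename for a base64-encoded email address."""
    stem = filename.rsplit(".", 1)[0]           # drop the extension
    for token in B64_TOKEN_RE.findall(stem):
        email = decode_base64_email(token)
        if email:
            return email
    return None


def is_keyword_stuffed_sender(local_part: str) -> bool:
    """Flag local parts over RFC 5321's 64-octet limit or carrying URL structure."""
    return len(local_part) > 64 or "/" in local_part or "?" in local_part


def triage(sender_local_part: str, attachments: List[str]) -> List[str]:
    """Return findings for one message; an empty list means nothing matched."""
    findings = []
    if is_keyword_stuffed_sender(sender_local_part):
        findings.append("keyword-stuffed sender username")
    for name in attachments:
        email = find_encoded_recipient(name)
        if email:
            findings.append(f"{name}: filename encodes recipient {email}")
    return findings


SAMPLE_EMAIL = "jane.doe@example.com"          # constructed recipient
SAMPLE_B64 = base64.b64encode(SAMPLE_EMAIL.encode()).decode()
SAMPLE_ATTACHMENTS = [f"INV#_1709612175_{SAMPLE_B64}.svg", f"Listen_({SAMPLE_B64}).svg", "Q1_report_final.pdf"]
SAMPLE_SENDER = "eReceipt_Payment_Alert_Noreply-/tracker.example/L0/billing?pwd=abc"
```

Run `triage(SAMPLE_SENDER, SAMPLE_ATTACHMENTS)` against parsed email gateway records; a hit on the filename check is worth escalating on its own, since a legitimate attachment has no reason to carry the recipient's own address in base64.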

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Enable Zero-hour auto purge (ZAP) in Defender for Office 365 to retroactively neutralize malicious messages.
  • Manually purge unwanted emails containing known malicious URLs or suspicious sender patterns.

Infrastructure Hardening

  • Implement phishing-resistant MFA (FIDO keys, Windows Hello) to mitigate AiTM attacks.
  • Configure Conditional Access policies to strengthen privileged accounts.
  • Enable Safe Links and Safe Attachments in email security gateways.

User Protection

  • Deploy Microsoft Defender SmartScreen or similar browser protection to block malicious websites.
  • Enable network protection on endpoints to block connections to known phishing infrastructure.

Security Awareness

  • Conduct attack simulation training specifically focused on QR code phishing (quishing) and CAPTCHA-gated lures.
  • Train users to verify the destination of QR codes before scanning them with mobile devices.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1556 - Modify Authentication Process
  • T1036 - Masquerading

Additional IOCs

  • Domains:
    • bouleversement[.]niovapahrm[[.]]com - CAPTCHA-gated phishing domain
    • haematogenesis[.]hvishay[[.]]com - CAPTCHA-gated phishing domain
    • ubiquitarianism[.]drilto[[.]]com - CAPTCHA-gated phishing domain
  • Other:
    • <Recipient Email Domain>_statements_inv_<Base64-encoded Email Address>.svg - Malicious SVG attachment filename pattern
    • 401K_copy_<Recipient Name>_<Base64-encoded Email Address>_241.svg - Malicious SVG attachment filename pattern
    • Check_2408_Payment_Copy_<Recipient First Name>_<Base64-encoded Email Address>_241.svg - Malicious SVG attachment filename pattern
    • INV#_1709612175_<Base64-encoded Email Address>.svg - Malicious SVG attachment filename pattern
    • Listen_(<Base64-encoded Email Address>).svg - Malicious SVG attachment filename pattern
    • PLAY_AUDIO_MESSAGE__<Recipient Name>_<Base64-encoded Email Address>_241.svg - Malicious SVG attachment filename pattern
    • eReceipt_Payment_Alert_Noreply-/m939k6d7.r.us-west-2.awstrack.me/L0/%2F%2Fspectrumbusiness.net%2Fbilling%2F/2/010101989f2c1f29-ab5789bd-1426-4800-ae7d-877ea7f61d24-000000/LHnBIXX0VmCLVoXwNWtt23hGCdc=439/us02web.zoom.nl/j/81163775943?pwd=bLoo4JaWavsiTAuLWNoRsmbmALwjLB.1-qq8m2tzdCenter-=AAP1eU7NKykAABXNznVa8w___listenerId=AAP1eU7NKykAABXNznVa8w___aw_0_device.player_name=Chrome___aw_0_ivt.result=unknown___cbs=9901711___aw_0_azn.zposition=%5B%22undefined%22%5D___us_privacy=___aw_0_app.name=Second+Screen___externalClickUrl=otdk-takaki-h - Keyword-stuffed malicious sender username pattern
    • DocExchange_Noreply-m939k6d7.r.us_west_2.awstrack.me/L0/%2F%2Fspectrumbusiness.net%2Fbilling%2F/2/010101989f2c1f29ab5789bd14264800ae7d877ea7f61d24000000/LHnBIXX0VmCLVoXwNWtt23hGCdc=439/us02web.zoom.nl/j/81163775943?pwd=bLoo4JaWavsiTAuLWNoRsmbmALwjLB.1-angie - Keyword-stuffed malicious sender username pattern