News

QR code phishing surges as Microsoft detects 8.3 billion email threats in Q1 2026

Microsoft has warned that attackers are rapidly changing their phishing tactics, with QR code phishing emerging as one of the fastest-growing email threats of early 2026.

In its latest Email Threat Landscape report, Microsoft Threat Intelligence said it detected approximately 8.3 billion email-based phishing threats between January and March 2026. While overall monthly phishing volumes fluctuated slightly during the quarter, the company said attackers increasingly shifted toward techniques designed to bypass traditional email security controls.

One of the sharpest increases was in QR code phishing, also known as “quishing”. Microsoft found QR code phishing rose 146 per cent across the quarter, reaching its highest monthly volume in at least a year by March.

The technique is effective because QR codes can be harder for conventional scanning tools to assess than ordinary text links. They also encourage recipients to move from a protected work computer to a mobile phone, often a personal device sitting outside corporate security controls. Once scanned, the QR code can lead users to fake login pages, credential harvesting sites or other malicious destinations.

Microsoft also observed a change in how attackers are delivering these QR codes. PDF attachments remained a common method, but QR codes embedded directly in email bodies surged in March, reducing the need for attachments and making messages appear simpler and less suspicious.

The report also highlighted a rise in CAPTCHA-gated phishing, where attackers place a CAPTCHA page between the victim and the malicious destination. This tactic can help attackers evade automated detection tools by requiring human interaction before the final payload is shown. In some cases, the CAPTCHA page itself is used to trick victims into copying or running malicious commands.

Microsoft recorded a 125 per cent increase in CAPTCHA-based phishing attempts in March, with the total volume reaching 11.9 million attacks for the month. Attackers used a range of delivery methods, including HTML attachments, SVG files, PDF files, DOC and DOCX files, and links embedded directly in email messages.

The company also pointed to ongoing activity linked to phishing-as-a-service platforms, including Tycoon2FA. A joint disruption effort involving Microsoft and Europol in March contributed to a 15 per cent drop in attacks using Tycoon2FA-related methods. However, Microsoft warned that the disruption may be temporary, with the group shifting infrastructure and increasingly using .ru domains.

Business email compromise remains another major concern. Microsoft detected approximately 10.7 million phishing threats targeting business emails in Q1 2026, with attackers continuing to rely heavily on conversational lures. These emails often begin with simple prompts such as “Are you at your desk?” before attempting to move the victim toward a fraudulent payment, credential theft or other compromise.

Attackers also adapted their business email lures to seasonal activity. Rather than relying mainly on gift card requests, some campaigns shifted toward payroll update requests during tax season, making them appear more plausible to employees handling workplace administration or finance tasks.

Microsoft recommends a layered defensive approach, including reviewing Exchange Online Protection and Microsoft Defender for Office 365 settings, enabling Zero-hour Auto Purge, using Safe Links, enabling network protection in Microsoft Defender for Endpoint, and adopting phishing-resistant multi-factor authentication such as FIDO2 security keys or biometric authentication. The company also recommends phishing simulation training for employees.

The rise in QR code phishing shows that attackers are not simply sending more scams. They are changing how scams are delivered, where victims interact with them, and how they bypass automated defences. For businesses, that means cybersecurity can no longer rely on software tools alone. Staff need to understand what modern phishing looks like, why familiar formats can still be dangerous, and how to pause before scanning, clicking or responding.

As phishing tactics become more convincing, education becomes a practical line of defence. The Hack Academy’s online courses are designed to help individuals and teams build stronger cybersecurity awareness, recognise threats earlier, and make safer decisions online.

Upskill your cybersecurity knowledge with The Hack Academy’s online training courses: https://training.thehackacademy.com/course/

Photo Credit: DepositPhotos.com

Leave a Reply

Your email address will not be published. Required fields are marked *