Microsoft Threat Intelligence detected approximately 8.3 billion email-based phishing threats during the first quarter of 2026 (January–March). QR code phishing emerged as the fastest-growing attack vector, more than doubling over the period. Overall, 78 per cent of email threats were link-based, with malicious payloads accounting for 13 per cent in both February and March.
QR codes are two-dimensional barcodes that store information. Smartphones can scan them to quickly access websites, contact details, or other digital content, and they are increasingly used in public environments such as entertainment venues and restaurants to access all types of goods and services. Since weaponized QR codes are impossible to identify with the naked eye, they represent an increasingly attractive entry point for cyber-attacks.
Credential phishing was the main aim of malicious payloads throughout the quarter. According to Microsoft, the shift toward link-based delivery, combined with the payload trends, suggests that threat actors increasingly preferred hosted credential phishing infrastructure over locally rendered payloads as the quarter progressed.
"These trends reflect how threat actors continue to iterate on both scale and delivery techniques to improve effectiveness," says Microsoft.
Business email compromise (BEC) activity remained prevalent throughout the quarter, totaling approximately 10.7 million attacks, largely driven by low-effort, generic outreach messages.
Phishing-as-a-service is now widespread
Microsoft reports that, since its emergence in August 2023, Tycoon2FA has rapidly become one of the most widespread phishing-as-a-service (PhaaS) platforms, leveraging adversary-in-the-middle (AiTM) techniques to attempt to defeat multifactor authentication (MFA) defenses. The group behind the PhaaS platform (tracked by Microsoft Threat Intelligence as Storm-1747) leases malicious infrastructure and sells phishing kits that impersonate various enterprise application sign-in pages and incorporate evasion tactics.
The quarter began with Tycoon2FA in a period of reduced activity. January volumes represented a 54 per cent decline from December 2025, marking the second consecutive month of sharp decreases. While Microsoft believes post-holiday seasonal effects may have contributed to this decrease in volume, some of the reduction might also have been the result of the disruption by Microsoft's Digital Crimes Unit of RedVDS, a service used by many Tycoon2FA customers to distribute malicious email campaigns.
In early March 2026, Microsoft's Digital Crimes Unit, in coordination with Europol and industry partners, also took action to disrupt Tycoon2FA's infrastructure and operations, significantly impairing the platform's hosting capabilities. While Tycoon2FA-linked messages continued to circulate after the disruption, almost one-third of March's total volume was concentrated in a three-day period early in the month; daily volumes for the remainder of March were notably lower than historical averages.
