Microsoft reports 8.3bn phishing threats as QR codes surge
Mon, 4th May 2026
Microsoft detected about 8.3 billion email-based phishing threats in the first quarter of 2026, with QR code phishing the fastest-growing attack method.
Data from Microsoft Threat Intelligence and the Microsoft Defender Security Research Team, which tracked email attacks from January to March, showed link-based threats accounted for 78% of total activity. Malicious payloads made up 19% of attacks in January before dropping to 13% in both February and March, suggesting attackers increasingly relied on links to hosted phishing pages rather than files rendered on a victim's device.
Microsoft also recorded about 10.7 million business email compromise attacks during the quarter. Those campaigns remained largely text-based and were driven mainly by generic opening messages designed to start a conversation before any request for money or documents.
QR code rise
QR code phishing grew sharply over the three months, rising from 7.6 million attacks in January to 18.7 million in March, a 146% increase. After an early-year dip, volumes climbed 59% in February and another 55% in March, reaching their highest monthly level in at least a year.
PDF attachments remained the main route for those attacks, with their share of QR code phishing rising from 65% in January to 70% in March. Although DOC and DOCX files carrying malicious QR codes also increased in raw volume, their share slipped from 31% to 24% over the same period.
A smaller but notable shift emerged late in the quarter as attackers increasingly placed QR codes directly in email bodies. That format jumped 336% in March, though it still represented only 5% of QR code phishing volume.
The growth of QR code phishing reflects a longstanding challenge for email security systems, which often scan text and links more effectively than image-based content. By placing malicious links inside QR codes, attackers can steer users to phishing sites through mobile devices that may sit outside corporate controls.
CAPTCHA changes
CAPTCHA-gated phishing also shifted quickly. After falling in January and February, those attacks more than doubled in March to 11.9 million, the highest level in the past year.
Attackers rotated through file types as they tested which methods were most likely to evade detection. HTML attachments began the quarter as the leading delivery method, then declined before rising again in March. SVG files briefly became the main format in February before falling sharply a month later. PDF attachments recorded the strongest increase, more than quadrupling in March, while DOC and DOCX files also climbed sharply.
This pattern suggests active experimentation by phishing operators rather than reliance on a single successful format. Email-embedded URLs, once a major route for CAPTCHA-gated phishing, remained below late-2025 levels even after rebounding in March.
One campaign in the final days of February delivered more than 1.2 million messages to users at more than 53,000 organisations in 23 countries. The emails used themes including pension updates, payment warnings and voice messages, and carried SVG attachments that opened a browser, displayed a fake security check and then led victims to counterfeit sign-in pages.
Tycoon2FA pressure
Microsoft pointed to disruption efforts against Tycoon2FA, a phishing-as-a-service platform linked to adversary-in-the-middle attacks. Email traffic associated with the platform fell 15% in March after action by Microsoft's Digital Crimes Unit, Europol and industry partners against its infrastructure.
Tycoon2FA-linked messages continued after that action, but almost a third of March volume was concentrated in a three-day stretch early in the month. Daily activity for the rest of March was lower than historical averages, while access to live phishing pages also declined.
The platform has since altered its infrastructure. During January and February, Tycoon2FA domains shifted toward newer generic top-level domains such as .digital, .business and .company. After the March disruption, Microsoft observed a renewed move toward .ru registrations, with more than 41% of Tycoon2FA domains using that suffix from the final week of March onward.
Hosting patterns also changed. Tycoon2FA moved away from Cloudflare near the end of March and began hosting most of its domains across a wider range of alternative services.
Tycoon2FA's share of CAPTCHA-gated phishing also declined markedly. At the end of 2025, more than three-quarters of such sites were hosted on Tycoon2FA infrastructure, but that figure fell to 41% in March, suggesting the technique is now being adopted more widely by other phishing kits and operators.
Payload trends
Credential theft remained the main objective in file-based attacks. Credential phishing represented 89% of malicious payload attacks in January, rose to 95% in February and then eased slightly to 94% in March. Traditional malware delivery accounted for just 5% to 6% of payloads by the end of the quarter.
A separate HTML phishing campaign observed in March sent more than 1.5 million malicious messages to over 179,000 organisations in 43 countries. The emails impersonated routine business notifications, including payment alerts, invoices and document requests, and used HTML attachments that redirected users through screening pages, CAPTCHA prompts and finally to fake sign-in portals.
Microsoft said the campaign appeared to use common tooling but ended on infrastructure linked to several phishing-as-a-service providers, including Tycoon2FA, Kratos and EvilTokens.
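The three delivery vectors described above (QR codes carried as inline images or image-bearing PDFs, SVG attachments that open a browser and run script, and HTML attachments that redirect through screening pages) all share the property that a text-and-link scanner sees nothing to block. The script below is an added illustration of a first-pass triage rule for exactly those vectors; it is not code from Microsoft's report or from this article. It uses only the Python standard library, the detection patterns are the author's own heuristics, and the sample messages, file contents and `example.invalid` URLs are constructed for the example. A flag means "hold for QR decoding or sandbox detonation", not "confirmed phishing".

```python
"""Heuristic triage of inbound mail for the delivery vectors this report describes:
QR-code lures carried as images or image-bearing PDFs, SVG attachments that
execute script, and HTML attachments that redirect. Standard library only.
All sample messages below are constructed for the example (not real traffic)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Wording that asks the recipient to point a phone at the message (QR lures).
QR_LURE_WORDS = re.compile(r"\b(scan|qr[ -]?code|camera|mobile device)\b", re.I)
# Image objects inside a PDF: a QR code is always delivered as an image.
PDF_IMAGE = re.compile(rb"/Subtype\s*/Image")
# Script or event handlers in an SVG: a static picture needs neither.
SVG_ACTIVE = re.compile(rb"<script|\bon(?:load|click|error)\s*=|javascript:", re.I)
# Client-side redirection in an HTML attachment.
HTML_REDIRECT = re.compile(rb"http-equiv=[\"']?refresh|location\.(?:href|replace)|window\.open", re.I)


def triage_message(raw: bytes) -> list:
    """Return sorted, de-duplicated flags for one RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = set()
    body_text = ""
    has_image = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("multipart/"):
            continue
        fname = (part.get_filename() or "").lower()
        is_attachment = part.get_content_disposition() == "attachment"
        payload = part.get_payload(decode=True) or b""
        if ctype in ("text/plain", "text/html") and not is_attachment:
            # Message body: keep the text so lure wording can be checked later.
            body_text += payload.decode("utf-8", errors="replace")
        elif ctype == "image/svg+xml" or fname.endswith(".svg"):
            flags.add("svg-active-content" if SVG_ACTIVE.search(payload) else "svg-attachment")
        elif ctype.startswith("image/"):
            has_image = True  # inline or attached raster image (possible QR code)
        elif ctype == "application/pdf" or fname.endswith(".pdf"):
            if PDF_IMAGE.search(payload):
                has_image = True  # PDF carrying an image object
        elif ctype == "text/html" or fname.endswith((".html", ".htm")):
            flags.add("html-attachment")
            if HTML_REDIRECT.search(payload):
                flags.add("html-redirect")
    # A QR lure needs both an image somewhere and text telling the user to scan it.
    if has_image and QR_LURE_WORDS.search(body_text):
        flags.add("qr-lure-suspect")
    return sorted(flags)


def build_sample(body: str, attachments=()) -> bytes:
    """Build a constructed multipart message; attachments are
    (bytes, maintype, subtype, filename) tuples."""
    msg = EmailMessage()
    msg["From"] = "notifications@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Action required"
    msg.set_content(body)
    for data, maintype, subtype, filename in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples mirroring the report's lure themes (pension, payment, voice message, invoice).
SAMPLES = {
    "pdf_qr": build_sample(
        "Your pension statement is ready. Scan the QR code in the attached PDF with your mobile device.",
        [(b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Width 300 /Height 300 >>\nendobj\n%%EOF\n",
          "application", "pdf", "pension_update.pdf")]),
    "inline_png_qr": build_sample(
        "Payment warning: scan the code below to review the outstanding invoice.",
        [(b"\x89PNG\r\n\x1a\n" + bytes(16), "image", "png", "qr.png")]),
    "svg_check": build_sample(
        "You have a new voice message. Open the attachment to listen.",
        [(b'<svg xmlns="http://www.w3.org/2000/svg"><script>location.href="https://example.invalid/check"</script></svg>',
          "image", "svg+xml", "voicemail.svg")]),
    "html_invoice": build_sample(
        "Please find the invoice attached.",
        [(b'<html><head><meta http-equiv="refresh" content="0;url=https://example.invalid/verify"></head></html>',
          "text", "html", "invoice.html")]),
    "benign_minutes": build_sample(
        "Minutes from Monday's meeting attached.",
        [(b"1. Budget review\n2. Hiring plan\n", "text", "plain", "minutes.txt")]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16s} -> {triage_message(raw)}")
```

The flags are deliberately coarse: in production the `qr-lure-suspect` path would hand the image or PDF page to a QR decoder and feed the decoded URL back into the normal link-reputation pipeline, and `svg-active-content` and `html-redirect` would route the attachment to a sandbox, since an SVG or HTML file that only draws or only formats has no reason to carry script or a refresh.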
BEC steady
Business email compromise activity fluctuated during the quarter, rising 24% in January, dipping 8% in February and then increasing 26% in March. Yet its composition remained broadly stable, with 82% to 84% of initial contact emails using generic messages, such as asking whether a recipient was at their desk.
Explicit requests for financial transactions or documents made up only 9% to 10% of those attacks. Within that smaller segment, payroll update requests rose in February, while gift card requests fell and then rebounded in March, though they remained less than 3% of total BEC volume.
Microsoft also reported early signs of device code phishing, in some cases linked to services such as EvilTokens, indicating that attackers continue to test new ways to steal credentials.
The quarter showed threat actors adjusting both the scale and delivery methods of email attacks, while the disruption of a major phishing service demonstrated that coordinated action can still reduce the immediate effectiveness of widely used criminal infrastructure.