Dive Brief:
- Phishing attacks using QR codes to direct victims to malicious links surged in the first quarter of 2026, Microsoft said in a threat report published on Thursday.
- Email-based phishing attacks overwhelmingly used malicious links rather than attachments during the first three months of the year, reflecting the greater range of delivery options for externally hosted threats.
- A major phishing-as-a-service (PhaaS) platform is significantly diminished after recent attempts to choke off its infrastructure, the company said.
Dive Insight:
The growth in QR-code phishing attacks is one of the most striking findings in Microsoft Threat Intelligence’s Q1 2026 report, which analyzes the 8.3 billion email-based phishing attacks that the company detected between January and March.
In January, 7.6 million threats used QR codes; by March, that number had reached 18.7 million, a 146% increase. That jump made QR-code phishing “the fastest-growing attack vector” during the quarter, Microsoft said.
“By embedding malicious URLs within image-based QR codes in the body of an email or within the contents of an attachment,” researchers explained, “threat actors attempt to exploit the limitations of text-based scanning engines and redirect victims to phishing sites on unmanaged mobile devices.”
Malware delivery web pages using fake CAPTCHA security checks also surged in Q1, largely driven by a massive increase in March after month-to-month declines in both January and February. The 11.9 million attacks using CAPTCHAs in March represented “the highest volume observed over the last year,” Microsoft said.
The PhaaS platform Tycoon2FA used to dominate CAPTCHA-based attacks, but after a global takedown involving law enforcement agencies, tech companies and security vendors, its influence has waned significantly. “At the end of 2025, more than three-quarters of CAPTCHA-gated phishing sites were hosted on Tycoon2FA infrastructure,” Microsoft said in its report. “This share decreased significantly over the course of the first three months of 2026, falling to just 41% in March.”
But Microsoft attributed Tycoon2FA’s decline to more than just the coordinated takedown campaign. “The broadening of CAPTCHA-gated phishing sites being used by an increasing number of threat actors and phishing kits, combined with the overall surge in volume, indicates that this technique is becoming a more entrenched component of the phishing playbook rather than a specialty of a small number of tools.”
By far the most common objective of email-based phishing attacks in Q1 was to steal login credentials. That has been true for months, but the share of attacks focused on credential theft grew in Q1, from 89% in January to 94% in March.
At the same time, traditional attachment-based malware delivery has almost become an afterthought — it represented just 5% to 6% of attacks in Q1, with the vast majority of attacks using phishing websites or “locally loaded spoofed sign-in screens.”
