TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Microsoft Security Blog

Email threat landscape: Q1 2026 trends and insights

Microsoft Threat Intelligence and Microsoft Defender Security Research Team · 5 days ago

ATT&CK techniques detected

38 predictions
T1566.002 Spearphishing Link · 99%
“Email threat landscape: Q1 2026 trends and insights. During the first quarter of 2026 (January–March), Microsoft Threat Intelligence detected approximately 8.3 billion email-based phishing threats, with monthly volumes declining slightly from 2.9 billion in January to 2.…”

T1566.002 Spearphishing Link · 98%
“…approval language, and transactional framing to prompt recipients to review, sign, or access an attached document. Each message included an HTML attachment with a file name aligned to the email’s theme. When opened, the HTML file launched locally on the recipient’s device and…”

T1566.001 Spearphishing Attachment · 98%
“…delivery method to close the quarter. SVG files, which had seen consecutive months of decreasing volumes, grew by 49% in February at the same time nearly every other delivery payload type decreased. Because of this, it was the most common delivery method for the month, which had…”

T1566.002 Spearphishing Link · 98%
“…infrastructure and sells phishing kits that impersonate various enterprise application sign-in pages and incorporate evasion tactics, such as fake CAPTCHA pages. The quarter began with Tycoon2FA in a period of reduced activity. January volumes represented a 54% decline from De…”

T1566.002 Spearphishing Link · 97%
“…s below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog. Microsoft Defender for Endpoint: the following alert migh…”

T1566.001 Spearphishing Attachment · 97%
“…January and the third week of March. Malicious PDFs followed a steady upward trajectory, increasing 38% in February and another 50% in March to reach their highest monthly volume in over a year. By March, PDFs accounted for 29% of payloads, up from 19% in January. ZIP/GZIP…”

T1566.002 Spearphishing Link · 97%
“…Profile: Email threat landscape, January 2026. Tool profile: Tycoon2FA. Actor profile: Storm-1747. Technique profile: QR code phishing. Technique profile: ClickFix technique leverages clipboard to run malicious commands. Threat overview profile: Business email compromise. Threa…”

T1566.002 Spearphishing Link · 96%
“…enabled phishing. Examine device code authentication attacks at scale › This blog provides a view of email threat activity across the first quarter of 2026, highlighting key trends in phishing techniques, payload delivery, and threat actor behavior observed by Microsoft Threat Int…”

T1566.002 Spearphishing Link · 96%
“…the same time, disruption efforts can meaningfully impact this activity. Following Microsoft’s Digital Crimes Unit-led action against the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, associated email volume declined 15% over the remainder of the mo…”

T1566.002 Spearphishing Link · 95%
“…more than 9% of CAPTCHA-gated phishing payloads over the previous nine months, increased almost five times (+373%) in March to account for 15% of payloads. Email-embedded URLs, which had once delivered more than half of CAPTCHA-gated phish at the end of August 2025, h…”

T1566.002 Spearphishing Link · 95%
“…end of March, we saw Tycoon2FA moving away from Cloudflare as a hosting service and now hosts most of its domains across a variety of alternative platforms, suggesting the group is attempting to find replacement services that offer comparable anti-analysis protections. QR code…”

T1027.017 SVG Smuggling · 94%
“…following: <recipient email domain>_statements_inv_<base64-encoded email address>.svg; 401k_copy_<recipient name>_<base64-encoded email address>_241.svg; check_2408_payment_copy_<recipient first name>_<base64-encoded email address>_241…”

T1566.001 Spearphishing Attachment · 90%
“…55% in March. By the end of the quarter, QR code phishing had reached its highest monthly volume in at least a year. PDF attachments were the dominant delivery method throughout the quarter, growing from 65% of QR code attacks in January to 70% in March. While the overall volu…”

T1566.001 Spearphishing Attachment · 88%
“…following: <recipient email domain>_statements_inv_<base64-encoded email address>.svg; 401k_copy_<recipient name>_<base64-encoded email address>_241.svg; check_2408_payment_copy_<recipient first name>_<base64-encoded email address>_241…”

T1566.002 Spearphishing Link · 82%
“…CAPTCHA had been successfully completed, the user would then be shown a fake sign-in page used to compromise their account credentials. Malicious payloads: Credential phishing tightened its grip on the malicious payload landscape across Q1, growing from 89% of all payload-bas…”

T1566.001 Spearphishing Attachment · 81%
“…actors reduce the likelihood of automated scanning tools identifying the threat and increase the chances of successful credential harvesting or malware delivery. Additionally, fake CAPTCHAs are used in ClickFix attacks to trick users into copying and executing malicious commands…”

T1657 Financial Theft · 78%
“…for the purpose of persuading a recipient into initiating a fraudulent financial transaction or sending the threat actor sensitive documents. These attacks fluctuated across Q1, totaling approximately 10.7 million attacks: rising 24% in January, dipping 8% in February, then s…”

T1566.001 Spearphishing Attachment · 77%
“…this technique is becoming a more entrenched component of the phishing playbook rather than a specialty of a small number of tools. Three-day campaign delivers CAPTCHA-gated phishing content using malicious SVG attachments: Between February 23 and February 25, 2026, a large, s…”

T1566 Phishing · 70%
“…this technique is becoming a more entrenched component of the phishing playbook rather than a specialty of a small number of tools. Three-day campaign delivers CAPTCHA-gated phishing content using malicious SVG attachments: Between February 23 and February 25, 2026, a large, s…”

T1566.002 Spearphishing Link · 70%
“…overall BEC messages. These fluctuations suggest that BEC operators adjust their specific financial pretexts seasonally while maintaining a consistent overall approach. Defending against email threats: Microsoft recommends the following mitigations to reduce the impact of this thr…”

T1566.002 Spearphishing Link · 65%
“…and use Threat Explorer to find and delete phishing emails. Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365. Enable network protection in Microsoft Defender for Endpoint. Encourage users to use Microsoft Edge and other web browsers that support Micros…”

T1556.006 Multi-Factor Authentication · 63%
“…and use Threat Explorer to find and delete phishing emails. Turn on Safe Links and Safe Attachments in Microsoft Defender for Office 365. Enable network protection in Microsoft Defender for Endpoint. Encourage users to use Microsoft Edge and other web browsers that support Micros…”

T1566.001 Spearphishing Attachment · 59%
“…CAPTCHA had been successfully completed, the user would then be shown a fake sign-in page used to compromise their account credentials. Malicious payloads: Credential phishing tightened its grip on the malicious payload landscape across Q1, growing from 89% of all payload-bas…”

T1583.001 Domains · 58%
“…2FA-linked messages continued to circulate after the disruption, almost one-third of March’s total volume was concentrated in a three-day period early in the month; daily volumes for the remainder of March were notably lower than historical averages, and targets’ abil…”

T1566.002 Spearphishing Link · 56%
“…2FA-linked messages continued to circulate after the disruption, almost one-third of March’s total volume was concentrated in a three-day period early in the month; daily volumes for the remainder of March were notably lower than historical averages, and targets’ abil…”

T1111 Multi-Factor Authentication Interception · 52%
“…enabled phishing. Examine device code authentication attacks at scale › This blog provides a view of email threat activity across the first quarter of 2026, highlighting key trends in phishing techniques, payload delivery, and threat actor behavior observed by Microsoft Threat Int…”

T1566.001 Spearphishing Attachment · 50%
“…_west_2.awstrack.me/l0/%2f%2fspectrumbusiness.net%2fbilling%2f/2/010101989f2c1f29ab5789bd14264800ae7d877ea7f61d24000000/lhnbixx0vmclvoxwnwtt23hgcdc=439 / us02web.zoom.nl/j/81163775943?pwd=bloo4jawavsitaulwnorsmbmalwjlb.1 - angie. The emails thems…”

T1566.002 Spearphishing Link · 48%
“…across 43 countries, accounting for approximately 7% of all malicious HTML attachments observed in March. All messages in this campaign were likely sent using the same tool or service, which exhibited several distinct and highly consistent characteristics. Most notably, sender a…”

T1598 Phishing for Information · 41%
“…ries, and incident reports. Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently: Threat Intelligence Briefing Agent, Phishing Triage Agent, Threat Hunting Agent, Dynamic Threat Detection Agent, Secur…”

T1566 Phishing · 38%
“…CAPTCHA had been successfully completed, the user would then be shown a fake sign-in page used to compromise their account credentials. Malicious payloads: Credential phishing tightened its grip on the malicious payload landscape across Q1, growing from 89% of all payload-bas…”

T1566.002 Spearphishing Link · 38%
“…this technique is becoming a more entrenched component of the phishing playbook rather than a specialty of a small number of tools. Three-day campaign delivers CAPTCHA-gated phishing content using malicious SVG attachments: Between February 23 and February 25, 2026, a large, s…”

T1598.002 Spearphishing Attachment · 37%
“…across 43 countries, accounting for approximately 7% of all malicious HTML attachments observed in March. All messages in this campaign were likely sent using the same tool or service, which exhibited several distinct and highly consistent characteristics. Most notably, sender a…”

T1027.017 SVG Smuggling · 35%
“…this technique is becoming a more entrenched component of the phishing playbook rather than a specialty of a small number of tools. Three-day campaign delivers CAPTCHA-gated phishing content using malicious SVG attachments: Between February 23 and February 25, 2026, a large, s…”

T1566.001 Spearphishing Attachment · 34%
“…for the purpose of persuading a recipient into initiating a fraudulent financial transaction or sending the threat actor sensitive documents. These attacks fluctuated across Q1, totaling approximately 10.7 million attacks: rising 24% in January, dipping 8% in February, then s…”

T1566 Phishing · 32%
“…for the purpose of persuading a recipient into initiating a fraudulent financial transaction or sending the threat actor sensitive documents. These attacks fluctuated across Q1, totaling approximately 10.7 million attacks: rising 24% in January, dipping 8% in February, then s…”

T1566 Phishing · 32%
“…actors reduce the likelihood of automated scanning tools identifying the threat and increase the chances of successful credential harvesting or malware delivery. Additionally, fake CAPTCHAs are used in ClickFix attacks to trick users into copying and executing malicious commands…”

T1566 Phishing · 31%
“…across 43 countries, accounting for approximately 7% of all malicious HTML attachments observed in March. All messages in this campaign were likely sent using the same tool or service, which exhibited several distinct and highly consistent characteristics. Most notably, sender a…”

T1598.002 Spearphishing Attachment · 30%
“…this technique is becoming a more entrenched component of the phishing playbook rather than a specialty of a small number of tools. Three-day campaign delivers CAPTCHA-gated phishing content using malicious SVG attachments: Between February 23 and February 25, 2026, a large, s…”
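The two SVG Smuggling entries above quote three attachment filename templates in which the recipient's email address is carried as a base64 segment (for example `<recipient email domain>_statements_inv_<base64-encoded email address>.svg`). That per-recipient tag is a useful hunting handle: if the segment decodes to the address of the mailbox that received the message, the attachment was generated for that target. The script below is an added example written for this page, not code from Microsoft or the original post. It matches the three quoted templates, tolerates stripped base64 padding and the URL-safe alphabet, and, going beyond the quoted templates, also scans any other `.svg` filename for an underscore-delimited segment that decodes to an email address. The sample recipients, filenames and the `_241` numeric suffix handling are constructed assumptions for the demonstration; real campaigns may vary the templates.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Base64 segment: standard alphabet plus '-' for the URL-safe variant. '_' is
# deliberately excluded because the templates use '_' as a field separator
# (assumption: a URL-safe tag containing '_' would not be recognised).
B64 = r"[A-Za-z0-9+/=-]+"

# The three filename templates quoted in the report, with the angle-bracket
# fields turned into capture groups. Recipient names are assumed to contain
# no underscores.
TEMPLATES = [
    re.compile(rf"^(?P<domain>[a-z0-9.-]+)_statements_inv_(?P<b64>{B64})\.svg$", re.I),
    re.compile(rf"^401k_copy_(?P<name>[^_]+)_(?P<b64>{B64})_\d+\.svg$", re.I),
    re.compile(rf"^check_\d+_payment_copy_(?P<name>[^_]+)_(?P<b64>{B64})_\d+\.svg$", re.I),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def encode_tag(email: str) -> str:
    """Standard base64 of an address, as the kit would embed it (used to build samples)."""
    return base64.b64encode(email.encode()).decode()


def decode_b64_email(segment: str) -> Optional[str]:
    """Decode a base64 segment and return it only if it looks like an email address.

    Restores stripped padding and tries both the standard and URL-safe alphabets;
    anything that is not valid base64 or not valid UTF-8 is rejected.
    """
    padded = segment + "=" * (-len(segment) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text):
            return text.lower()
    return None


@dataclass
class SvgNameVerdict:
    filename: str
    matched_template: bool                # one of the three quoted templates matched
    encoded_email: Optional[str]          # address recovered from the base64 segment
    tagged_for_recipient: Optional[bool]  # decoded address == actual recipient (None if unknown)


def inspect_svg_name(filename: str, recipient: Optional[str] = None) -> SvgNameVerdict:
    """Classify one attachment filename; pass the receiving mailbox to confirm targeting."""
    matched, encoded = False, None
    for tpl in TEMPLATES:
        m = tpl.match(filename)
        if m:
            matched = True
            encoded = decode_b64_email(m.group("b64"))
            break
    if encoded is None and filename.lower().endswith(".svg"):
        # Generalisation beyond the quoted templates: any '_'-delimited segment
        # that base64-decodes to an address is treated as a recipient tag.
        for seg in filename[:-4].split("_"):
            encoded = decode_b64_email(seg)
            if encoded:
                break
    tagged = None
    if encoded is not None and recipient is not None:
        tagged = encoded == recipient.lower()
    return SvgNameVerdict(filename, matched, encoded, tagged)


def triage(filenames: list[str], recipient: str) -> list[SvgNameVerdict]:
    """Run inspect_svg_name over every attachment name seen for one recipient."""
    return [inspect_svg_name(name, recipient) for name in filenames]


def build_samples(recipient: str) -> list[str]:
    """Constructed sample filenames following the quoted templates (not real IOCs)."""
    tag = encode_tag(recipient)
    local, domain = recipient.split("@", 1)
    first = local.split(".")[0]
    return [
        f"{domain}_statements_inv_{tag}.svg",
        f"401k_copy_{first}_{tag}_241.svg",
        f"check_2408_payment_copy_{first}_{tag.rstrip('=')}_241.svg",  # padding stripped
        "invoice_march.svg",                                           # no recipient tag
    ]


if __name__ == "__main__":
    victim = "alice.chen@contoso.com"  # constructed recipient
    for v in triage(build_samples(victim), victim):
        print(f"{v.filename:70} template={v.matched_template!s:5} "
              f"email={v.encoded_email} targeted={v.tagged_for_recipient}")
```

In a mail-flow or SIEM pipeline the recipient comes from the envelope, so a `tagged_for_recipient` of `True` on an inbound SVG is a high-confidence signal that the attachment was minted for that mailbox; a decodable address that does not match the recipient still indicates a kit-generated lure, just one that was forwarded or mis-addressed.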

Summary

During Q1 2026 Microsoft Threat Intelligence observed approximately 8.3 billion email-based phishing threats, with monthly volume declining slightly while credential phishing, QR code phishing, and CAPTCHA-gated campaigns (including SVG and HTML attachment lures) grew in share. Microsoft’s Digital Crimes Unit-led action against the Tycoon2FA phishing-as-a-service platform in early March was followed by a 15% drop in associated email volume over the rest of the month and by the operators moving their hosting away from Cloudflare.

The post Email threat landscape: Q1 2026 trends and insights appeared first on Microsoft Security Blog.