Microsoft Threat Intelligence published its first-quarter 2026 report on email threat trends and said on Wednesday that email-based phishing attacks totalled about 8.3 billion.

The report said 78 percent of all email threats were link-based attacks, and the main goal was credential theft. Among malicious payloads, the share of credential phishing rose from 89 percent in January to 95 percent in February. QR code phishing attacks increased 146 percent during the first quarter. They rose from 7.6 million in January to 18.7 million in March, the highest level in the past year. In March, embedding QR codes directly in the email body jumped 336 percent from the previous month. CAPTCHA-based phishing attacks also increased 125 percent from the previous month in March to about 11.9 million, the highest level in the past year.

The report also gave significant attention to trends related to the phishing-as-a-service platform Tycoon2FA. Microsoft Digital Crime Unit (DCU) worked with Europol and industry partners in early March to take disruption action against Tycoon2FA infrastructure, and related email attacks fell by about 15 percent by the end of March. It added that attackers appeared to be attempting to shift to alternative infrastructure after the disruption, including raising the share of .RU domain use to more than 41 percent.

Business email compromise (BEC) attacks totalled 10.7 million in the first quarter. The report said 82 to 84 percent of initial contact emails were conversational messages aimed at building relationships to establish trust before moving to monetary requests.

Microsoft recommended checking Microsoft Defender for Office 365 settings, providing user security training and introducing passwordless authentication to respond to email threats.