Blog article

Email threat landscape overview:
The Q1 2026 email threat landscape is defined by scale and specificity. Microsoft Threat Intelligence recorded approximately 8.3 billion email-based phishing threats between January and March 2026, with monthly volumes ranging from 2.9 billion to 2.6 billion.
The total volume matters, but the composition is more instructive. Phishing trends show four pressure points: QR code phishing growth, CAPTCHA-gated attack adoption, credential phishing dominance, and BEC at scale. Each maps directly to authentication and monitoring gaps that enterprise organizations can address.
Understanding the Q1 2026 email threat landscape is the starting point for evaluating whether your current controls are adequate. This post unpacks what the data shows and what it means for your security posture.
Find out whether your current controls would stop Q1 2026 attackers.
QR code phishing was the fastest-growing attack vector Microsoft tracked in Q1. Attack volumes rose from 7.6 million in January to 18.7 million in March, a 146% increase over the quarter that pushed monthly volumes to their highest point in at least a year.
The technique is designed to bypass text-based email scanning tools. Malicious URLs are embedded inside image-based QR codes, which redirect users to phishing sites typically rendered on mobile devices where security controls are weaker or absent.
PDF attachments were the dominant delivery method, growing from 65% in January to 70% by March. A significant late-quarter development: QR codes embedded directly in email bodies surged 336% in March alone, eliminating the need for an attachment altogether. That shift signals active iteration – attackers are testing which delivery formats most effectively evade detection.
CAPTCHA-gated phishing surged 125% in March, reaching 11.9 million attacks – the highest monthly volume observed in the past year. Understanding phishing trends requires examining this technique closely. It uses a fake security check to bypass automated scanning tools and increase user interaction before delivering the payload.
It also underpins ClickFix attacks, where users are tricked into copying and executing malicious commands under the guise of completing a verification step.
HTML, SVG, PDF, and DOC/DOCX files rotated as the leading payload format month to month, suggesting active experimentation to find file types that evade email defenses.
By March, credential phishing data showed it accounted for 94% of payload-based attacks, up from 89% in January.
The objective is clear: Harvest working credentials at scale. Once harvested, those credentials are used to send an email that bypasses authentication entirely – the account is legitimate, the message is authenticated, and nothing flags it as suspicious.
For security teams tracking the Q1 2026 email threat landscape, the link between credential phishing volumes and downstream activity is the most operationally significant pattern in the data.
Microsoft recorded approximately 10.7 million BEC attacks in Q1 2026, with volumes rising 26% in March alone. Volume tells part of the story. The composition of those attacks tells the rest.
Between 82-84% of initial contact emails each month were generic outreach messages – low-effort openers like “Are you at your desk?” – rather than direct financial requests. This reflects deliberate attacker behavior: Establish credibility first, make the fraudulent request second.
Payroll update requests grew in February, consistent with tax season social engineering. Gift card requests rebounded sharply in March. The specific pretext shifts, but the technique stays consistent.
The implication for companies: BEC attacks don’t always rely on technical sophistication. They often rely on the appearance of a legitimate sender. A domain operating under p=none or without full DMARC enforcement allows spoofed sender addresses to reach inboxes, allowing this kind of social engineering to succeed.
The attack trends in the Q1 2026 email threat landscape aren’t a case for replacing your security stack. They are a case for ensuring the authentication and monitoring controls you already have are actually enforced.
DMARC policy level determines what happens to unauthenticated emails sent using your domain:
Aggregate reports provide continuous visibility into every source sending email from your domain, including unauthorized senders, so enforcement decisions are based on real traffic rather than assumptions. Without that visibility, moving to p=reject carries risk.
Phishing trends make the cost of that delay concrete: Every month spent at p=none is a month during which spoofed emails can still reach your recipients.
With 8.3 billion phishing attempts in a single quarter, the question isn’t whether your domain is being targeted. It is whether your current authentication configuration would stop a spoofed message from reaching your customers, partners, or employees.
DMARC is a necessary control. It is not a complete one. Two attack vectors prominent in the 2026 email threat landscape operate outside its scope.
DMARC protects your domain. It doesn’t protect against domains registered to impersonate you. Attackers register domains with minor spelling variations or alternate top-level domains and use them to send phishing emails that bypass your authentication controls entirely.
Sendmarc’s Lookalike Domain Defense identifies domains registered to mimic your business, often used as sender infrastructure for phishing campaigns targeting your customers and partners.
Sendmarc’s Breach Detection monitors for employee email addresses and credentials exposed in third-party breaches.
When a credential appears in a breach, security teams are alerted before attackers use it to send authenticated email – email that passes SPF, DKIM, and DMARC checks because the account is legitimate.
The phishing trends data reflect a threat environment scaling in volume and refining in technique. The organizations most exposed are those operating with unenforced DMARC policies, no visibility into lookalike domains, and no early warning on compromised employee credentials – exactly the gaps that allow phishing, spoofing, and BEC attacks to succeed across large, distributed environments.
Effective threat prevention requires more than a single control. Gaining unified visibility into your SPF, DKIM, and DMARC configurations is the first step. Continuous monitoring for breaches and lookalike impersonation attempts is what keeps that posture from degrading between reviews.
See how Sendmarc enforces DMARC, detects lookalike domains, and surfaces compromised credentials before attackers use them.