Email threat landscape: Q1 2026 trends and insights

Microsoft Threat Intelligence reports that Q1 2026 saw ~8.3 billion email-based phishing threats with rapid growth in QR code phishing and a surge in CAPTCHA-gated phishing in March; Tycoon2FA (Storm-1747) remains a major PhaaS actor despite a coordinated disruption that temporarily reduced its effectiveness, while BEC activity continued at scale (~10.7M attacks). The report details evolving delivery methods (PDF, HTML, SVG, ZIP, embedded QR codes), credential-harvesting objectives (AiTM and device-code phishing), observed infrastructure changes and sample hostnames, and provides mitigation and Microsoft Defender detection guidance for defenders.