Microsoft: QR Code, CAPTCHA-Gated Phishing More than Double in Q1 2026

SC Media, Apr 30, 2026

Why It Matters

The surge in QR‑code and CAPTCHA‑gated phishing raises the risk of credential compromise and bypasses traditional detection, forcing enterprises to upgrade email defenses and authentication strategies.

Key Takeaways

  • QR code phishing rose 146% to 18.7 million attacks in March
  • CAPTCHA‑gated phishing hit 11.9 million attacks, up 125% YoY
  • PDFs delivered 70% of QR code attacks and saw a 356% rise in hosting CAPTCHA‑gated links
  • Tycoon2FA share fell from 75% to 41%, shifting to .ru domains
  • BEC attacks reached 10.7 million, 82% of them generic outreach messages

Pulse Analysis

The first quarter of 2026 marked a turning point for email‑based threats, as Microsoft observed QR‑code phishing more than double its previous volume. Attackers favor QR codes because they can embed malicious URLs in a format that bypasses many URL‑filtering tools, and the 146% jump to 18.7 million incidents signals a broader adoption of this tactic. Similarly, CAPTCHA‑gated phishing, which forces users to solve a challenge before revealing the payload, grew 125% to 11.9 million attacks, complicating automated detection and increasing the likelihood of successful credential harvesting.

Delivery methods also evolved dramatically. PDF files now account for 70% of QR‑code phishing and saw a 356% increase in hosting CAPTCHA‑gated links, highlighting the continued preference for document‑based lures. The disruption of the Tycoon2FA phishing‑as‑a‑service platform in March cut its infrastructure share from over three‑quarters to 41%, prompting the group to migrate to .ru domains and diversify its hosting. These shifts illustrate how takedown efforts can reshape threat actor ecosystems, yet the overall volume of high‑impact campaigns—such as the 1.5 million‑message HTML attachment wave—remains robust.

For enterprises, the data translates into urgent action items. Passwordless authentication and multi‑factor enforcement are now essential to mitigate credential theft, while Microsoft Defender for Office 365 features like Zero‑Hour Auto‑Purge, Safe Links, and Safe Attachments should be enabled to block malicious content at scale. Regular phishing simulations and employee awareness training further reduce the human error factor that attackers exploit. As QR‑code and CAPTCHA‑gated phishing become mainstream, organizations that adopt layered defenses and continuous monitoring will be better positioned to protect against the evolving email threat landscape.
