Microsoft warns of 8.3 billion phishing attacks in early 2026 driven by QR codes and captcha

Microsoft has warned about the detection of 8.3 billion attempted phishing attacks through email during the first quarter of this year, led by the use of QR codes and captcha, consolidating this technique as one of the entry doors most used by cybercriminals.

This has been shared by the team of cybersecurity experts Microsoft Threat Intelligence, which has analyzed ‘phishing’ attempts from January to March of this year and how the email threat landscape has evolved, including tactical changes in the way attackers operate to avoid detection and steal credentials.

Specifically, approximately 8.3 billion email phishing threats have been detected during the first three months of 2026, with monthly volumes that decreased slightly, going from 2.9 billion attempts identified in January to 2.6 billion in March, as specified in its blog.

Among the attempts identified, experts have clarified that ‘phishing’ through the use of QR codes has established itself as “the fastest growing attack vector.” This is because its use has doubled during these three months, going from 7.6 million attacks in January to 18.7 million in March, an increase of 146 percent.

These attacks rely on inserting malicious URLs within image-based QR codes, either in the body of the email or in the content of an attachment, to redirect victims to phishing sites on mobile devices.

Likewise, a change in the modus operandi has been identified, since, to avoid the detection of this ‘phishing’ method using QR codes in ’emails’, cybercriminals have started to embed these codes in attachments in PDF format. This practice has gone from representing 65 percent of attacks in January to 70 percent in March.

INCREASE IN ‘PHISHING’ ATTACKS WITH ‘CAPTCHA’

Malicious actors have also opted to carry out ‘phishing’ attacks with ‘captcha’ processes, that is, the security system used to differentiate humans from bots, which has increasingly been used in more campaigns with a 125 percent increase in March.

This method works as a visual decoy, pretending to do a legitimate security check while actually hiding access to malicious content. “By forcing users to complete the captcha before accessing the malware, they reduce the likelihood that automated scanning tools will identify the threat and increase the chances of successfully obtaining credentials or distributing malware,” Microsoft said.

As detailed by the technology company, a total of 11.9 million ‘phishing’ attacks have been found through ‘captcha’ systems and, to avoid being detected by manipulating users and avoiding automated systems, cybercriminals have chosen to include verification steps that appear legitimate in the process.

‘PHISIHNG’ FOR THE THEFT OF CREDENTIALS

Overall, the report shared on its blog details that 78 percent of email threats identified these months have been based on malicious links, while malicious payloads have represented 19 percent of attacks in January, driven by HTML and ZIP archive campaigns. However, these attacks decreased to 13 percent in both February and March.

With all this, the main objective of ‘malware’ attacks continues to be the theft of credentials, which indicates an advance of traditional ‘malware’ towards the compromise of the identity of users, which has represented between 89 and 95 percent of the objective of the attacks this quarter.

This behavior reflects a preference by malicious actors toward phishing attacks for “cloud-hosted” credentials rather than locally generated payloads, as Microsoft has explained.

DISARTICULATING TYCOON2FA’S ‘PHISHING’ PLATFORM

As part of this investigation, the Microsoft Digital Crimes Unit led coordinated action with Europol and industry partners during the month of March to disrupt the Tycoon2FA phishing platform as a service (PhaaS), reducing associated attack activity by 15 percent for the remainder of the month.

Likewise, there was also a significant reduction in access to active phishing pages, which limited the effectiveness of the platform.

Active since August 2023, Tycoon2FA has quickly become one of the most widespread PhaaS platforms, using attack-in-the-middle (AiTM) techniques to attempt to bypass multi-factor authentication (MFA) defenses that are not phishing-resistant.

Thus, the group responsible for the platform, identified as Storm-1747, rented the malicious infrastructure and sold phishing kits that imitate login pages of various business applications and incorporate evasion tactics, such as fake ‘chaptcha’ pages.

Despite these efforts by Microsoft to dismantle the platform, it must be taken into account that Tycoon2FA has subsequently adapted to continue acting through other hosting providers, ceasing to use Cloudflare, and other domain registration patterns.

However, Microsoft has stressed that this is “a partial recovery” of the malicious service rather than a complete restoration of its capabilities.