2026 Email Threats Report

Malicious vs. legitimate email

Email attachments remain an important tool for cybercriminals, and attackers are constantly adapting the file types they use, exploiting user trust, familiarity with common formats and weaknesses in inspection tools to bypass defenses.

To effectively prevent initial compromise and limit the impact of malicious content, security teams must go beyond simple file-type checks and instead inspect and correlate file behavior across a wide range of attachments. This proactive approach is essential for catching threats that traditional controls may miss and reducing the potential blast radius when malicious files reach users.

Figure 2: HTML attachments are disproportionately weaponized compared to other common formats; PDFs are common but are increasingly used to carry QR codes and links. 

HTML files are the most weaponized

Despite a relatively low overall volume, HTML attachments are the most weaponized file type, accounting for about two-thirds of all malicious files detected in emails. With about 11% marked as malicious, they represent one of the riskiest attachment types.

Attackers favor HTML attachments because they can embed deceptive forms and scripts that mimic legitimate content, often slipping past traditional filters. When opened, HTML attachments render locally in the user’s browser and execute embedded HTML or JavaScript that can redirect victims to credential-harvesting sites, dynamically load malicious content or evade URL rewriting and reputation checks. To counter these threats, security teams should enforce strict policies for handling HTML attachments, including thorough scanning for embedded scripts and blocking suspicious files.

Malicious links pack a punch despite low volume

Even though only about one in every 200 links is malicious, the threat remains persistent and serious. Cybercriminals use these links for phishing, impersonation and malware campaigns — often making them look legitimate enough to slip past traditional security filters.

Why it matters

Even a small percentage of malicious URLs can have a major impact because a single successful click can lead to credential theft, account takeover and follow-on fraud. Attackers that obtain valid logins can gain long-term, often undetected access to business environments, giving them the ability to move laterally, escalate attacks and compromise sensitive data. URL-based delivery also enables time-of-click evasion and abuse of trusted hosting platforms.

How malicious links are used — and the damage they cause

Phishing and credential theft

Malicious links are a central part of phishing schemes designed to steal login credentials. When users click these links, they’re directed to convincing fake login pages that closely resemble trusted services like Microsoft 365. These sites harvest usernames and passwords, giving attackers unauthorized access to business accounts. The consequences extend far beyond simple credential theft: Cybercriminals can compromise identities, expose sensitive data and seize control over email and cloud environments.

Malware and ransomware delivery

Malicious links frequently lead users to sites that deliver malware-laden files, often cleverly disguised as routine business documents like payment invoices, software updates or urgent security notifications. These downloads are intentionally crafted to look legitimate, which increases the chance that recipients will trust the content and inadvertently install harmful software.

Bypassing traditional detection controls

Attackers are increasingly using newly registered domains, complex redirect chains and dynamic hosting infrastructure to disguise malicious links, making them appear benign when they’re delivered. As a result, many embedded links are zero-day or previously unknown, which significantly limits the effectiveness of signature-based and reputation-driven defenses.

Cross channel and mobile exploitation

Malicious links often push users to open content on mobile devices or in external browsers — environments where organizational security controls may be weaker or completely absent. This expands the attack surface beyond email and into identity, endpoint and mobile security gaps, which makes effective containment and remediation much more challenging for security teams.

Even with just over half a percent of links (0.56%) being malicious, the sheer volume of email traffic means employees are likely to encounter them. Security teams need protection that evaluates links in real time — analyzing destination behavior, redirects and impersonated login flows rather than relying solely on static reputation at delivery.

Cybercriminals are increasingly embedding malicious QR codes in email attachments to trick users and bypass traditional security controls. These attacks are particularly challenging because QR codes appear as innocuous images, allowing them to slip past many security filters undetected. QR code-based attacks also reveal critical gaps between email security, endpoint protection and identity controls — blind spots that allow attacks to evade detection.

Malicious QR codes often appear in trusted file formats, especially PDFs and Microsoft 365 documents. In fact, 70% of malicious PDFs and 56% of malicious Microsoft 365 documents analyzed contain QR codes that redirect users to phishing sites or other harmful destinations. These file types are widely used in business workflows, making them ideal vehicles for social engineering. When users scan these QR codes, they are often taken to fake Microsoft 365 login pages designed to harvest credentials and compromise business accounts. This growing threat underscores the urgent need for advanced security solutions capable of inspecting and analyzing QR codes embedded in attachments — helping security teams address blind spots and reduce the risk of account takeover and data breaches.

Why attackers turn to QR codes

Bypassing traditional email defenses

QR codes can conceal shortened URLs, complex redirect chains or dynamically generated destinations, making it difficult for security systems to evaluate intent at the time of delivery. Because encoded content remains hidden until scanned, attackers can modify payloads after the email is delivered, effectively circumventing time-of-click protections.

Shifting attacks to mobile devices

QR codes are typically scanned using mobile devices, which moves the attack off the corporate endpoint and outside the organization’s primary security perimeter. This tactic is especially concerning because mobile devices frequently lack the advanced endpoint protection, browser isolation and conditional access controls found on managed corporate systems. As a result, attackers can exploit these weaker defenses to increase their chances of success and evade traditional detection mechanisms.

Exploiting user trust and familiarity

QR codes have become a staple of everyday business workflows and are now used regularly for multifactor authentication (MFA) enrollment, document signing, payroll updates, and identity verification, making them effective lures in impersonation and phishing campaigns. This widespread adoption can reduce suspicion and increase the likelihood that users will scan a malicious code, making QR codes highly effective tools for impersonation and phishing attacks.

Account takeover is now a widespread security concern for businesses, with 34% of companies experiencing at least one account takeover incident each month. This reinforces the fact that identity compromise is no longer an edge case. It’s a routine security risk for modern organizations and can have potentially severe consequences.

Attackers typically gain access using phishing tactics, credential stuffing or by exploiting weak passwords. Once attackers are inside, they can steal sensitive information, move laterally throughout the organization and launch phishing campaigns from compromised accounts that appear legitimate to unsuspecting recipients.

Warning signs of account takeover

Typical indicators of account takeover include unusual login activity from unfamiliar locations or devices, unauthorized changes to inbox or email forwarding rules, unexpected password reset requests, and the presence of outbound phishing emails originating from compromised accounts. These warning signs often signal that an attacker has gained access and is actively manipulating the account for malicious purposes.

Account takeover attacks pose long‑term, ongoing security risks by enabling attackers to conduct stealthy reconnaissance and launch follow‑on attacks. Notably, 25% of account takeover incidents involved suspicious changes to inbox rules, such as forwarding emails to external accounts or automatically deleting security notifications, which enable attackers to remain hidden and sustain access. In addition, 14% of compromised accounts were used to distribute spam and other harmful content, often fueling further phishing attacks, malware infections and business email compromise schemes.

These tactics illustrate how account takeover incidents can escalate quickly, exposing organizations to broader risks and complicating detection and response efforts. Robust account protection starts with detecting early warning signs of compromise, such as unusual login behavior, mailbox manipulation and abuse of legitimate access.

To effectively counter these threats, organizations must enable real-time detection and response capabilities that can stop attackers before they can establish persistence or escalate to financial fraud and broader breaches.

In 2025, Barracuda threat analysts observed a dramatic shift in the phishing landscape: 90% of high-volume phishing campaigns used PhaaS kits — a steep increase from just 30% in 2024. This spike highlights how PhaaS has radically lowered the barrier to entry, empowering even inexperienced cybercriminals to launch large-scale, highly targeted attacks with advanced automation, impersonating well-known brands and trusted services. The result is a threat environment where highly convincing and sophisticated attacks are now commonplace, not the exception.

PhaaS has transformed phishing into a high-volume, fast-moving operation, accelerating the launch of campaigns and increasing their chances of success. Today’s most sophisticated PhaaS platforms operate as advanced man-in-the-middle proxies, offering attackers tools to intercept and manipulate multifactor authentication — including real-time MFA interception and spoofing — making credential theft and account compromise easier than ever before.

Main themes of PhaaS attacks

The most prevalent PhaaS attack themes in 2025 included fake payment requests, financial notifications, legal correspondence, digital signature prompts, and HR-related messages. Each of these campaigns were designed to trick recipients into clicking malicious links, scanning QR codes or opening attachments, ultimately leading them to share sensitive information. Attackers frequently impersonated well-known brands like Microsoft, DocuSign and SharePoint, and they succeeded by harnessing generative AI, sophisticated evasion techniques and a wider array of legitimate platforms to host and distribute content, making attacks even more convincing and difficult to detect.

Top attack email themes used by phishing kits in 2025

Figure 3. Attackers are aligning lures to routine business processes (payments, HR, and signatures) to maximize credibility and clicks.

Common methods used by phishing kits

Popular techniques that Barracuda’s threat analysts observed in phishing kits in 2025 included obfuscation to hide URLs from inspection (48%), attacks bypassing MFA (48%), CAPTCHA for added authenticity (43%), polymorphic attacks varying email headers and bodies to help avoid detection (20%), malicious QR codes (19%), malicious attachments (18%), abuse of trusted online platforms (10%), attacks using generative AI (10%), Blob URIs for stealth (2%), and ‘ClickFix’ social engineering (1%).

Figure 4. Modern PhaaS kits combine evasion, MFA bypass and multi-channel delivery (links, QR, attachments) to reduce detection and increase conversion.

The rapid growth of phishing kits

The number of PhaaS kits in active use doubled in 2025, with established platforms like Tycoon 2FA and Mamba 2FA facing competition from newcomers such as Cephas, Whisper 2FA, GhostFrame, Sneaky 2FA, and CoGUI. These advanced kits share an emphasis on sophisticated anti-analysis capabilities, MFA bypass techniques and stealth deployment strategies. For example, Sneaky 2FA uses adversary-in-the-middle tactics paired with Microsoft API integration, while GhostFrame employs dynamic subdomains and iframe abuse to evade detection. This rapid innovation continually shifts the defensive landscape, making defense and detection a moving target for security teams.

At the end of 2025, Barracuda threat analysts observed a surge in activity from established kits, including nearly 10 million attacks from Mamba 2FA alone. The current PhaaS threat landscape is increasingly crowded, diverse and rapidly shifting, as both emerging and legacy kits continue to evolve, presenting a growing challenge for defenders.

How to defend against PhaaS attacks

To effectively counter these evolving threats, organizations need to go beyond basic detection and embrace AI-enhanced, integrated security platforms that deliver real-time monitoring and adaptive defenses to respond to new attack tactics as they emerge. Building a resilient security culture — through continuous user education, robust authentication practices and regular software updates — is essential for protecting against the sophisticated tactics used in PhaaS-driven attacks.