Microsoft warns of surge in QR code phishing attacks

Fri, 1st May 2026
Mark Tarre, News Chief

Microsoft detected about 8.3 billion email-based phishing threats in the first quarter of 2026, with QR code phishing emerging as the fastest-growing attack method.

Monthly phishing volumes eased slightly from 2.9 billion in January to 2.6 billion in March, even as attackers shifted tactics. Link-based threats made up 78% of email attacks during the quarter. Malicious payloads accounted for 19% in January before settling at 13% in both February and March.

Credential theft remained the main goal of malicious payloads throughout the quarter. The combination of link-based delivery and payload trends suggests threat actors increasingly favoured hosted credential phishing infrastructure over locally rendered payloads as the quarter progressed.

Business email compromise also remained widespread, with about 10.7 million attacks recorded in the quarter. Much of that activity was driven by generic outreach messages rather than direct payment requests.

Tycoon2FA impact

A notable shift followed action against Tycoon2FA, a phishing-as-a-service platform Microsoft tracks as Storm-1747. Email volume associated with the service fell 15% over the rest of March after a disruption effort led by Microsoft's Digital Crimes Unit, and access to active phishing pages was also reduced.

Tycoon2FA has been one of the more widely used phishing platforms since 2023. It uses adversary-in-the-middle techniques designed to bypass some multifactor authentication protections. The service leases infrastructure and phishing kits that mimic sign-in pages and often use fake CAPTCHA screens as lures.

The quarter opened with lower Tycoon2FA activity. January volumes were down 54% from December 2025, marking a second straight monthly decline. Activity then rose 44% in February before falling again in March after the disruption.

The platform's infrastructure changed repeatedly during the quarter. In January and February, domains shifted toward newer generic top-level domains including .digital, .business, .contractors, .ceo and .company. After the March takedown effort, .ru registrations rose again, with more than 41% of Tycoon2FA domains using that suffix from the last week of March.

Hosting patterns also shifted. By the end of March, Tycoon2FA was moving away from Cloudflare and placing most of its domains across a broader mix of alternative hosting services.

QR code rise

QR code phishing expanded sharply during the quarter, rising from 7.6 million attacks in January to 18.7 million in March. That 146% increase pushed the method to its highest monthly volume in at least a year.

Attackers increasingly used QR codes to hide malicious links in images embedded in email bodies or attachments, pushing victims to phishing sites that may be opened on unmanaged mobile devices. PDF files remained the main delivery route, rising from 65% of QR code attacks in January to 70% in March.

DOC and DOCX files also increased in absolute terms, although their share of QR code delivery fell from 31% to 24%. A smaller but notable late-quarter shift was a 336% rise in QR codes embedded directly in email bodies in March, taking them to 5% of total QR code phishing volume.

CAPTCHA shifts

CAPTCHA-gated phishing also changed quickly. After declining in January and February, this category more than doubled in March to 11.9 million attacks, the highest monthly level Microsoft said it had seen in the previous year.

Attackers appeared to rotate delivery methods aggressively to test which formats were most likely to evade email defences. HTML attachments started the year as the most common method, SVG files briefly took the lead in February, and PDF files then surged in March after more than quadrupling from January's annual low.

DOC and DOCX files also rose sharply in March, accounting for 15% of payloads. At the same time, Tycoon2FA's role in this segment declined. More than three-quarters of CAPTCHA-gated phishing sites at the end of 2025 were hosted on Tycoon2FA infrastructure, but that share had fallen to 41% by March.

One campaign between late February and the end of the month sent more than 1.2 million messages to users at more than 53,000 organisations in 23 countries. The emails used themes including pension updates, credit holds, payments and voice messages, and carried SVG attachments named to match each lure.

If opened, the SVG file launched a browser session that fetched content from one of three hostnames and first displayed a security check. Victims who completed the CAPTCHA were then shown a fake sign-in page designed to steal credentials.
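As an added, defender-side illustration (not code from Microsoft or the article), the check below pulls SVG attachments out of a raw e-mail and flags the traits of the lures just described: script, event handlers, or references that fetch content from a remote host. The filename and hostname in the embedded sample are constructed, and the heuristic is a simple illustration rather than Microsoft's detection logic.

```python
# Flag e-mail SVG attachments with active or remote-loading content (heuristic
# illustration, not Microsoft's detection logic).
import email
import re
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed"}  # active content
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)                   # onload=, onclick=, ...
REMOTE_REF = re.compile(r"^\s*(https?:)?//", re.I)             # absolute or protocol-relative URL

def svg_risk_reasons(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG looks like a lure; an empty list means none found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["svg does not parse as XML"]
    reasons = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace prefix
        if tag in ACTIVE_TAGS:
            reasons.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            if EVENT_ATTR.match(name):
                reasons.append(f"event handler {name}")
            elif name == "href" and REMOTE_REF.match(value):
                reasons.append(f"remote reference {value}")
    return reasons

def scan_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each SVG attachment in a raw RFC 5322 message to its risk reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            results[name] = svg_risk_reasons(part.get_payload(decode=True))
    return results

# Constructed sample message: a pension-themed SVG lure pointing at a hypothetical host.
_LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">'
             b'<image xlink:href="//staging.example.invalid/check.png"/>'
             b"<script>window.location='https://staging.example.invalid/verify'</script></svg>")
_msg = EmailMessage()
_msg.add_attachment(_LURE_SVG, maintype="image", subtype="svg+xml", filename="Pension_Update.svg")
SAMPLE_EML = _msg.as_bytes()
```

Running `scan_eml(SAMPLE_EML)` returns the attachment name mapped to three reasons (the onload handler, the remote image reference and the script element); a plain SVG with only shapes returns an empty list.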

Large campaigns

Another large phishing wave emerged in March through malicious HTML attachments. Microsoft observed more than 1.5 million confirmed malicious messages sent to over 179,000 organisations across 43 countries in a single campaign, accounting for roughly 7% of all malicious HTML attachments seen that month.

The messages carried minimal body text and commonly posed as payment alerts, invoices or document requests. Opening the attachment redirected the user through an external staging page to a phishing site, where a CAPTCHA challenge preceded a fraudulent sign-in page.

Although the emails shared common tooling and structure, the final phishing pages were spread across several phishing-as-a-service providers. Most endpoints were linked to Tycoon2FA, while others were associated with Kratos and EvilTokens.

Within business email compromise, generic opening lines such as asking whether a target was at their desk made up 82% to 84% of initial contact emails each month. Explicit requests for financial transactions or documents accounted for only 9% to 10%, while payroll update requests rose in February and gift card requests dropped before rebounding in March.

"The most significant shift in Q1 2026 was the rapid escalation of QR code phishing, with attack volumes increasing from 7.6 million in January to 18.7 million in March, a 146% increase over the quarter," Microsoft said.