Barracuda Networks has revealed its 2026 Email Threats Report. The findings shed light on evolving email threats, primarily driven by AI-powered social engineering and the growth of phishing as a service. Such advancements are facilitating adversaries to scale credential phishing operations, subsequently enhancing the success of their targeted campaigns.
The report observes a strategic shift in attacker methodologies, where threat actors migrate from file-based payloads to URL-based delivery modes. A notable tactic includes the use of QR codes embedded within trusted document formats, aimed at masking malicious destinations. Furthermore, attackers are leveraging account takeover techniques, enabling them to circumvent standard defences and deliver credible soured messages from hijacked mailboxes. These developments underscore the necessity for comprehensive, multi-layered email protection strategies.
Drawing on global telemetry data from January 2026, Barracuda Research delved into 3.1 billion email correspondences. The analysis focused on quantifying malicious, spam, or otherwise unwelcome emails, elucidating their impact on global organisations. Key discoveries from the research include the following insights:
- 1 in 3 emails are either malicious or unwanted spam.
- Phishing constitutes 48% of all malicious email activity.
- Approximately 34% of firms report experiencing at least one account takeover incident each month.
- Over 10% of HTML attachments were identified as malicious.
- A notable 70% of malignant PDFs contained QR codes redirecting to phishing websites.
- A staggering 90% of large-scale phishing endeavors utilise phishing-as-a-service kits.
The modern email landscape demands more than being a mere communication medium—it’s pivotal for identity, trust, and maintaining business continuity. As attackers rapidly 'industrialise' phishing utilising AI and additional services, defensive measures must evolve correspondingly. Organisations aiming to remain resilient should consider prioritising a robust, integrated email security framework, combining identity protection with automated responses, as part of their comprehensive strategy. Such synchronised efforts in rapid detection and automated incident management can significantly mitigate risks, limit account compromises and maintain continuity as emerging threats proliferate.
