HomeNews1 in 3 Emails Now Malicious, Barracuda Report Finds
Email Deliverability

1 in 3 Emails Now Malicious, Barracuda Report Finds

Barracuda's 2026 Email Threats Report analyzed 3.1B emails and found 1 in 3 are malicious. AI-driven phishing and account takeover surge.

M

Marcus Webb

May 14, 2026

7 min read
HomeNews1 in 3 Emails Now Malicious, Barracuda Report Finds
Email Deliverability

1 in 3 Emails Now Malicious, Barracuda Report Finds

Barracuda's 2026 Email Threats Report analyzed 3.1B emails and found 1 in 3 are malicious. AI-driven phishing and account takeover surge.

M

Marcus Webb

May 14, 2026

7 min read
Share:
Share:
#Compliance#GDPR#Email Strategy
#Compliance#GDPR#Email Strategy
Illustration for report: 1 in 3 Emails Now Malicious, Barracuda Report Finds
Illustration for report: 1 in 3 Emails Now Malicious, Barracuda Report Finds

Stay in the loop

Get the latest posts delivered straight to your inbox. No spam, unsubscribe anytime.

One in three emails sent globally is now malicious or unwanted spam, according to new data from Barracuda Research, which analyzed over 3.1 billion emails in January 2026 and found that nearly half of all malicious activity comes from phishing attacks. The findings, published on May 12, 2026, come at a moment when inbox providers are enforcing stricter authentication than ever before, creating a pressure point that directly affects every business using email to communicate with customers.

The Scale of the Threat in 2026

In January 2026, Barracuda Research analyzed more than 3.1 billion emails, looking at malicious, spam, and unwanted emails, and identified trends showing that attackers are scaling credential phishing, shifting from file-based payloads to URL-based delivery, and using QR codes and account takeover to bypass conventional controls.

Phishing represents the largest share of malicious email activity at 48%. The second major finding hits businesses particularly hard: 34% of companies report at least one account takeover incident every month, making fast detection and response to compromised accounts essential.

When an attacker gains access to a business email account, they do not just steal data. Barracuda found that 34% of organizations experience at least one account takeover incident every month, and that shift makes phishing harder to detect because malicious emails often arrive from trusted internal or known contacts. For a marketer or growth team, this means a phishing email appearing to come from a known vendor or colleague is now a realistic threat.

How Attackers Are Bypassing Defenses

The most significant tactical shift documented in the report is away from traditional file-based malware. The report highlights a shift in attacker tactics, with threat actors moving from file-based payloads to URL-based delivery and embedding QR codes in trusted document formats to disguise malicious destinations.

The numbers behind this trend are striking. Around 70% of malicious PDFs analyzed contained QR codes leading to phishing pages, while more than 10% of HTML attachments were identified as malicious.

Stay in the loop

Get the latest posts delivered straight to your inbox. No spam, unsubscribe anytime.

One in three emails sent globally is now malicious or unwanted spam, according to new data from Barracuda Research, which analyzed over 3.1 billion emails in January 2026 and found that nearly half of all malicious activity comes from phishing attacks. The findings, published on May 12, 2026, come at a moment when inbox providers are enforcing stricter authentication than ever before, creating a pressure point that directly affects every business using email to communicate with customers.

The Scale of the Threat in 2026

In January 2026, Barracuda Research analyzed more than 3.1 billion emails, looking at malicious, spam, and unwanted emails, and identified trends showing that attackers are scaling credential phishing, shifting from file-based payloads to URL-based delivery, and using QR codes and account takeover to bypass conventional controls.

Phishing represents the largest share of malicious email activity at 48%. The second major finding hits businesses particularly hard: 34% of companies report at least one account takeover incident every month, making fast detection and response to compromised accounts essential.

When an attacker gains access to a business email account, they do not just steal data. Barracuda found that 34% of organizations experience at least one account takeover incident every month, and that shift makes phishing harder to detect because malicious emails often arrive from trusted internal or known contacts. For a marketer or growth team, this means a phishing email appearing to come from a known vendor or colleague is now a realistic threat.

How Attackers Are Bypassing Defenses

The most significant tactical shift documented in the report is away from traditional file-based malware. The report highlights a shift in attacker tactics, with threat actors moving from file-based payloads to URL-based delivery and embedding QR codes in trusted document formats to disguise malicious destinations.

The numbers behind this trend are striking. Around 70% of malicious PDFs analyzed contained QR codes leading to phishing pages, while more than 10% of HTML attachments were identified as malicious.

Even though only about one in every 200 links is malicious, the threat remains persistent and serious: cybercriminals use these links for phishing, impersonation, and malware campaigns, often making them look legitimate enough to slip past traditional security filters.

Phishing-as-a-Service Is Lowering the Barrier to Attack

A key driver behind the volume increase is phishing-as-a-service (PhaaS), a criminal subscription model that is changing who can launch a phishing campaign. PhaaS is a criminal subscription model that provides phishing templates, fake login pages, hosting, and automation that make credential phishing easier to launch and scale.

According to Barracuda, 90% of high-volume phishing campaigns now use phishing-as-a-service kits. This means attackers no longer need technical expertise to run convincing campaigns. They subscribe, select a target, and deploy.

AI is accelerating this further. AI phishing uses generative AI tools to craft convincing, personalized messages at scale, making it far harder to detect than traditional phishing attacks. The traditional warning signs, poor grammar, generic greetings, suspicious-looking sender names, are no longer reliable. Attackers can generate highly personalized emails referencing real names, departments, recent events, or internal jargon pulled from publicly available information, and what used to take hours now takes seconds.

Also notable is that adversary-in-the-middle-style kits raise risk even in MFA environments by intercepting sessions in real time. Authentication protocols alone are not enough.

What This Means for Email Marketers and Business Owners

For businesses running email marketing campaigns, the indirect consequences of this threat landscape are already playing out at the inbox level.

Audiences are on high alert, thanks to a constant barrage of spam and sophisticated phishing attempts, which means legitimate marketing emails are often met with suspicion. Research from Mailjet shows that 53% of consumers have received a legitimate email from a brand that they initially thought was fraudulent.

A particularly frustrating paradox has emerged: while legitimate business communications face unprecedented rejection rates, sophisticated phishing attacks continue bypassing filters at escalating rates through AI integration.

Even though only about one in every 200 links is malicious, the threat remains persistent and serious: cybercriminals use these links for phishing, impersonation, and malware campaigns, often making them look legitimate enough to slip past traditional security filters.

Phishing-as-a-Service Is Lowering the Barrier to Attack

A key driver behind the volume increase is phishing-as-a-service (PhaaS), a criminal subscription model that is changing who can launch a phishing campaign. PhaaS is a criminal subscription model that provides phishing templates, fake login pages, hosting, and automation that make credential phishing easier to launch and scale.

According to Barracuda, 90% of high-volume phishing campaigns now use phishing-as-a-service kits. This means attackers no longer need technical expertise to run convincing campaigns. They subscribe, select a target, and deploy.

AI is accelerating this further. AI phishing uses generative AI tools to craft convincing, personalized messages at scale, making it far harder to detect than traditional phishing attacks. The traditional warning signs, poor grammar, generic greetings, suspicious-looking sender names, are no longer reliable. Attackers can generate highly personalized emails referencing real names, departments, recent events, or internal jargon pulled from publicly available information, and what used to take hours now takes seconds.

Also notable is that adversary-in-the-middle-style kits raise risk even in MFA environments by intercepting sessions in real time. Authentication protocols alone are not enough.

What This Means for Email Marketers and Business Owners

For businesses running email marketing campaigns, the indirect consequences of this threat landscape are already playing out at the inbox level.

Audiences are on high alert, thanks to a constant barrage of spam and sophisticated phishing attempts, which means legitimate marketing emails are often met with suspicion. Research from Mailjet shows that 53% of consumers have received a legitimate email from a brand that they initially thought was fraudulent.

A particularly frustrating paradox has emerged: while legitimate business communications face unprecedented rejection rates, sophisticated phishing attacks continue bypassing filters at escalating rates through AI integration.

The authentication environment has also tightened significantly. Analysis reveals 85.7% of domains do not enforce DMARC with a quarantine or reject policy, leaving them vulnerable to spoofing and deliverability issues, which also impacts inbox placement as ISPs increasingly prioritize authenticated senders. If your domain lacks enforced DMARC, it is exposed to both impersonation attacks and inbox penalties. Technical diagram showing three email authentication protocols and how they work together. SPF (Sender Policy Framework) validates the sending server IP address. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to emails. DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits above both SPF and DKIM, enforcing policies like quarantine or reject for failed authentication. Show arrows connecting SPF and DKIM into DMARC at the top, with visual indicators of success/failure states. Include a lock icon or security badge to emphasize email authentication and trust.

The authentication environment has also tightened significantly. Analysis reveals 85.7% of domains do not enforce DMARC with a quarantine or reject policy, leaving them vulnerable to spoofing and deliverability issues, which also impacts inbox placement as ISPs increasingly prioritize authenticated senders. If your domain lacks enforced DMARC, it is exposed to both impersonation attacks and inbox penalties. Technical diagram showing three email authentication protocols and how they work together. SPF (Sender Policy Framework) validates the sending server IP address. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to emails. DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits above both SPF and DKIM, enforcing policies like quarantine or reject for failed authentication. Show arrows connecting SPF and DKIM into DMARC at the top, with visual indicators of success/failure states. Include a lock icon or security badge to emphasize email authentication and trust.

What the Report Recommends

Merium Khalid, Director of SOC Offensive Security at Barracuda, framed the stakes clearly in the report:

"Email is no longer just a communication channel. It's the front line of identity, trust, and business continuity."

Email security must be paired with identity and endpoint controls to reduce account takeover and lateral movement. The full Barracuda 2026 Email Threats Report identifies several practical steps:

  • Expand inspection beyond attachments. Increase scrutiny of embedded links and QR codes in documents and messages.
  • Harden identity security. Enforce MFA where possible, monitor for suspicious sign-ins, and tighten access policies to limit the impact of stolen credentials.
  • Automate detection and response. Automate detection and response to quarantine suspicious messages quickly and reduce dwell time when attacks slip through.
  • Audit configurations regularly. Organizations should regularly audit email security configurations to ensure protections are enabled, policies are aligned with current threat trends, and exceptions are still justified, including reviewing authentication settings, attachment and link inspection policies, and automated response workflows.

For marketing and growth teams specifically, the takeaway is clear: strong SPF, DKIM, and DMARC configuration is now both a security requirement and a deliverability requirement. In a world of phishing, spoofing, and rising user skepticism, authenticated identity becomes a core element of brand trust, not just a technical specification. Teams that treat email authentication as a marketing asset, not just an IT checklist, will hold a measurable advantage in inbox placement and audience trust in 2026.

No comments yet. Be the first!

Leave a comment

Comments are reviewed before publishing.

What the Report Recommends

Merium Khalid, Director of SOC Offensive Security at Barracuda, framed the stakes clearly in the report:

"Email is no longer just a communication channel. It's the front line of identity, trust, and business continuity."

Email security must be paired with identity and endpoint controls to reduce account takeover and lateral movement. The full Barracuda 2026 Email Threats Report identifies several practical steps:

  • Expand inspection beyond attachments. Increase scrutiny of embedded links and QR codes in documents and messages.
  • Harden identity security. Enforce MFA where possible, monitor for suspicious sign-ins, and tighten access policies to limit the impact of stolen credentials.
  • Automate detection and response. Automate detection and response to quarantine suspicious messages quickly and reduce dwell time when attacks slip through.
  • Audit configurations regularly. Organizations should regularly audit email security configurations to ensure protections are enabled, policies are aligned with current threat trends, and exceptions are still justified, including reviewing authentication settings, attachment and link inspection policies, and automated response workflows.

For marketing and growth teams specifically, the takeaway is clear: strong SPF, DKIM, and DMARC configuration is now both a security requirement and a deliverability requirement. In a world of phishing, spoofing, and rising user skepticism, authenticated identity becomes a core element of brand trust, not just a technical specification. Teams that treat email authentication as a marketing asset, not just an IT checklist, will hold a measurable advantage in inbox placement and audience trust in 2026.

No comments yet. Be the first!

Leave a comment

Comments are reviewed before publishing.

Breaking

Related news

Illustration for new_technology: Gmail's New RETVec AI Boosts Spam Detection by 38%
Email DeliverabilityMay 22, 2026 6 min

Gmail's New RETVec AI Boosts Spam Detection by 38%

Google deployed RETVec, an AI spam filter that detects obfuscated spam, improving detection 38% while reducing false positives 19.4%. Here's what email marketers need to know.

Breaking

Related news

Illustration for new_technology: Gmail's New RETVec AI Boosts Spam Detection by 38%
Email DeliverabilityMay 22, 2026 6 min

Gmail's New RETVec AI Boosts Spam Detection by 38%

Google deployed RETVec, an AI spam filter that detects obfuscated spam, improving detection 38% while reducing false positives 19.4%. Here's what email marketers need to know.

R
Rachel Torres
R
Rachel Torres
Illustration for new_technology: IETF Publishes RFC 9989 DMARC Standard in May 2026
Email DeliverabilityMay 22, 2026 6 min

IETF Publishes RFC 9989 DMARC Standard in May 2026

IETF officially published RFC 9989 in May 2026, upgrading DMARC to Proposed Standard status. The update improves spoofing prevention and email authentication with clarified terminology and stronger subdomain protection.

JJames Chen
Illustration for new_technology: IETF Publishes RFC 9989 DMARC Standard in May 2026
Email DeliverabilityMay 22, 2026 6 min

IETF Publishes RFC 9989 DMARC Standard in May 2026

IETF officially published RFC 9989 in May 2026, upgrading DMARC to Proposed Standard status. The update improves spoofing prevention and email authentication with clarified terminology and stronger subdomain protection.

JJames Chen
Illustration for industry_trend: Gmail Spam Filter Collapse Jams 1.8B Inboxes
Email DeliverabilityMay 22, 2026 6 min

Gmail Spam Filter Collapse Jams 1.8B Inboxes

Gmail's spam filters collapsed on Saturday, flooding 1.8 billion inboxes with promotions while blocking legitimate mail. Here's what happened.

RRachel Torres
Illustration for industry_trend: Gmail Spam Filter Collapse Jams 1.8B Inboxes
Email DeliverabilityMay 22, 2026 6 min

Gmail Spam Filter Collapse Jams 1.8B Inboxes

Gmail's spam filters collapsed on Saturday, flooding 1.8 billion inboxes with promotions while blocking legitimate mail. Here's what happened.

RRachel Torres