One in three emails sent globally is now malicious or unwanted spam, according to new data from Barracuda Research, which analyzed over 3.1 billion emails in January 2026 and found that nearly half of all malicious activity comes from phishing attacks. The findings, published on May 12, 2026, come at a moment when inbox providers are enforcing stricter authentication than ever before, creating a pressure point that directly affects every business using email to communicate with customers.
The Scale of the Threat in 2026
In January 2026, Barracuda Research analyzed more than 3.1 billion emails, looking at malicious, spam, and unwanted emails, and identified trends showing that attackers are scaling credential phishing, shifting from file-based payloads to URL-based delivery, and using QR codes and account takeover to bypass conventional controls.
Phishing represents the largest share of malicious email activity at 48%. The second major finding hits businesses particularly hard: 34% of companies report at least one account takeover incident every month, making fast detection and response to compromised accounts essential.
When an attacker gains access to a business email account, they do not just steal data. Account takeover also makes phishing harder to detect, because malicious emails often arrive from trusted internal or known contacts. For a marketer or growth team, this means a phishing email appearing to come from a known vendor or colleague is now a realistic threat.
How Attackers Are Bypassing Defenses
The most significant tactical shift documented in the report is away from traditional file-based malware: threat actors are moving from file-based payloads to URL-based delivery and embedding QR codes in trusted document formats to disguise malicious destinations.
The numbers behind this trend are striking. Around 70% of malicious PDFs analyzed contained QR codes leading to phishing pages, while more than 10% of HTML attachments were identified as malicious.
Even though only about one in every 200 links is malicious, the threat remains persistent and serious: cybercriminals use these links for phishing, impersonation, and malware campaigns, often making them look legitimate enough to slip past traditional security filters.
Phishing-as-a-Service Is Lowering the Barrier to Attack
A key driver behind the volume increase is phishing-as-a-service (PhaaS), a criminal subscription model that is changing who can launch a phishing campaign. It provides phishing templates, fake login pages, hosting, and automation that make credential phishing easier to launch and scale.
According to Barracuda, 90% of high-volume phishing campaigns now use phishing-as-a-service kits. This means attackers no longer need technical expertise to run convincing campaigns. They subscribe, select a target, and deploy.
AI is accelerating this further. AI phishing uses generative AI tools to craft convincing, personalized messages at scale, making it far harder to detect than traditional phishing attacks. The traditional warning signs (poor grammar, generic greetings, suspicious-looking sender names) are no longer reliable. Attackers can generate highly personalized emails referencing real names, departments, recent events, or internal jargon pulled from publicly available information, and what used to take hours now takes seconds.
Also notable is that adversary-in-the-middle-style kits raise risk even in MFA environments by intercepting sessions in real time. Authentication protocols alone are not enough.
What This Means for Email Marketers and Business Owners
For businesses running email marketing campaigns, the indirect consequences of this threat landscape are already playing out at the inbox level.
Audiences are on high alert, thanks to a constant barrage of spam and sophisticated phishing attempts, which means legitimate marketing emails are often met with suspicion. Research from Mailjet shows that 53% of consumers have received a legitimate email from a brand that they initially thought was fraudulent.
A particularly frustrating paradox has emerged: while legitimate business communications face unprecedented rejection rates, sophisticated phishing attacks continue bypassing filters at escalating rates through AI integration.
The authentication environment has also tightened significantly. Analysis reveals 85.7% of domains do not enforce DMARC with a quarantine or reject policy, leaving them vulnerable to spoofing and deliverability issues, which also impacts inbox placement as ISPs increasingly prioritize authenticated senders. If your domain lacks enforced DMARC, it is exposed to both impersonation attacks and inbox penalties.
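The difference between a published DMARC record and an enforced one can be checked mechanically. The following is an added example, not taken from the report or from this article: a Python check that classifies the TXT records found at _dmarc.<domain> using RFC 7489 tag syntax. The domains, records and status labels are constructed for illustration.

```python
# Added example: classify DMARC enforcement from raw TXT record strings.
# Domains, records and status labels below are constructed for illustration.

def parse_dmarc(txt):
    """Return the tag dict for one TXT string, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:  # tags without "=" are skipped
            tags.setdefault(key.strip().lower(), value.strip())
    # RFC 7489: the version tag must come first and be exactly "DMARC1".
    first_key = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def assess(txt_records):
    """Classify the TXT records published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing", "no DMARC record published"
    if len(records) > 1:
        return "invalid", "multiple DMARC records, so receivers apply none"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "p tag missing or not a valid policy"
    if policy == "none":
        return "monitor-only", "p=none: receivers take no action on failing mail"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # default when absent or malformed
    notes = []
    if pct < 100:
        notes.append(f"pct={pct}: policy covers only a sample of failing mail")
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains are not protected")
    if notes:
        return "partial", "; ".join(notes)
    return "enforced", f"p={policy} for the domain and its subdomains"

SAMPLES = {  # constructed TXT answers, keyed by reserved example domains
    "example.com": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:d@example.com"],
    "example.net": ["v=DMARC1; p=none; rua=mailto:d@example.net"],
    "example.org": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "example.edu": [],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *assess(txt), sep=" | ")
```

Only the "enforced" result corresponds to the quarantine-or-reject enforcement the paragraph above describes; "partial" flags records that name an enforcing policy but weaken it with pct or sp.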
What the Report Recommends
Merium Khalid, Director of SOC Offensive Security at Barracuda, framed the stakes clearly in the report:
"Email is no longer just a communication channel. It's the front line of identity, trust, and business continuity."
Email security must be paired with identity and endpoint controls to reduce account takeover and lateral movement. The full Barracuda 2026 Email Threats Report identifies several practical steps:
Expand inspection beyond attachments. Increase scrutiny of embedded links and QR codes in documents and messages.
Harden identity security. Enforce MFA where possible, monitor for suspicious sign-ins, and tighten access policies to limit the impact of stolen credentials.
Automate detection and response. Quarantine suspicious messages quickly and reduce dwell time when attacks slip through.
Audit configurations regularly. Organizations should regularly audit email security configurations to ensure protections are enabled, policies are aligned with current threat trends, and exceptions are still justified, including reviewing authentication settings, attachment and link inspection policies, and automated response workflows.
For marketing and growth teams specifically, the takeaway is clear: strong SPF, DKIM, and DMARC configuration is now both a security requirement and a deliverability requirement. In a world of phishing, spoofing, and rising user skepticism, authenticated identity becomes a core element of brand trust, not just a technical specification. Teams that treat email authentication as a marketing asset, not just an IT checklist, will hold a measurable advantage in inbox placement and audience trust in 2026.