Cybercriminals are now routinely clearing every email authentication hurdle and delivering attacks anyway. VIPRE Security Group's newly published Q1 2026 Email Threat Trends Report found that 84% of malspam emails used link-based delivery, while callback phishing campaigns were sent from authenticated Microsoft infrastructure, passing SPF, DKIM, and DMARC checks without triggering a single flag.
Released on April 23, 2026, the VIPRE report is based on analysis of 1.8 billion emails processed in the first quarter of 2026 and documents how attackers are exploiting legitimate platforms, systems, and ecosystems to slide past conventional defenses. The findings carry a clear message for any business that relies on email: proper authentication is necessary, but it is no longer sufficient.
Authentication Passes, Attacks Succeed
The report's most significant finding for email marketers and growth teams is how thoroughly attackers have learned to work around the authentication stack that most organizations treat as a security baseline.
Callback phishing campaigns identified in Q1 were sent from authenticated Microsoft infrastructure and passed SPF, DKIM, and DMARC checks. In those campaigns, Microsoft accounted for 41% of spoofed brands, followed by PayPal at 17% and Geek Squad at 15%.
This matters because SPF, DKIM, and DMARC are the same protocols major inbox providers now require for bulk senders. These three standards help authenticate email senders by verifying that emails came from the domain they claim to be from, and are important for preventing spam, phishing, and other email security risks. The problem is that authentication only verifies the sending source, not the content or intent behind the message.
As IRONSCALES research put it plainly: "Authentication is necessary. It is not sufficient. When attackers can rent, register, or abuse platforms that send fully authenticated mail, SPF, DKIM, and DMARC become table stakes, not finish lines."
Open Redirects and Trusted Platforms as Cover
Attackers in Q1 2026 favored "open redirects" that begin with a legitimate domain and then route to a malicious site via a trailing parameter. Abused URLs accounted for over 89% of phishing URLs in the quarter.
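A scanner-side check for the redirect pattern described above, as an added example that is not taken from the VIPRE report: it flags links whose query or fragment parameters carry a URL on a different site than the visible domain. The sample links, the function names and the two-label same-site shortcut are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample links (reserved example/test domains), not real indicators.
SAMPLES = [
    "https://links.example.com/track?id=42&url=https%3A%2F%2Flogin.portal-verify.test%2Fsignin",
    "https://news.example.org/r?u=https%253A%252F%252Fpay.invoice-check.test%252F",
    "https://www.example.com/out?next=https://shop.example.com/cart",
    "https://app.example.net/#redirect=//files.update-notice.test/doc",
]

def _host(url):
    """Lower-cased hostname of an absolute or scheme-relative web URL, else None."""
    if url.startswith("//"):
        url = "https:" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None

def _same_site(a, b):
    """Crude same-site test on the last two labels (assumption: no Public Suffix List)."""
    return a.split(".")[-2:] == b.split(".")[-2:]

def embedded_redirects(url, max_decode=3):
    """Return (parameter, target_host) for each query or fragment value that is
    itself a URL pointing at a different site than the outer link."""
    outer = _host(url)
    if outer is None:
        return []
    parts = urlsplit(url)
    findings = []
    for source in (parts.query, parts.fragment):
        for name, value in parse_qsl(source, keep_blank_values=True):
            target = _host(value.strip())
            # parse_qsl decodes once; keep decoding to catch double-encoded targets.
            for _ in range(max_decode):
                if target or unquote(value) == value:
                    break
                value = unquote(value)
                target = _host(value.strip())
            if target and not _same_site(outer, target):
                findings.append((name, target))
    return findings
```

A hit is a reason to resolve and inspect the final destination, not a verdict on its own, since legitimate click-tracking links have the same shape.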
Cloudflare was identified as one of the services used to mask phishing links, with attackers exploiting the platform's CAPTCHA and bot-protection systems to prevent automated scanners from reaching the final landing pages behind malicious messages.
One example highlighted in the report involved misuse of TestFlight, Apple's beta app testing platform. Attackers distributed malware through beta-channel applications and then sent users emails containing TestFlight links, relying on the service's reputation to improve inbox delivery.
Newly registered domains also declined in prominence during the quarter. VIPRE attributed the shift to more effective domain scanning by security tools, which appears to be pushing attackers toward reputable and familiar web addresses that attract less suspicion. This is a direct behavioral response to improving defenses: as one door closes, attackers walk through a more trusted one.
What the Attack Breakdown Looks Like
During Q1 2026, embedded links appeared in 50.59% of phishing emails, while 26.69% included attachments, 19.17% used callback schemes, and 3.55% relied on QR code-based phishing.
On the attachment front, PDF files continued to dominate malicious attachments at 63% of the total, with cybercriminals increasingly inserting QR codes into those PDFs to evade standard URL and text-based scanning methods. EML files were also on the rise, appearing in 13.15% of cases, with threat actors attaching entire emails to mimic the format of genuine internal conversations and bypass secure email gateways.
BEC Tactics Are Shifting Too
Business email compromise (BEC) patterns changed notably in Q1. CEO impersonation dropped from 73% of BEC attempts in Q1 2025 to 54% in Q1 2026, a shift that suggests attackers are mimicking more realistic communication behaviors, since executives typically work through a chain of command rather than reaching out directly.
English remained the primary language for BEC attacks at 88%, but Swedish moved into second place, ahead of Spanish. VIPRE pointed to Nordic countries' high per capita income, cashless payment adoption, and elevated public trust as factors making the region an attractive target.
What This Means for Your Email Program
For business owners and marketers, the Q1 2026 data reinforces a point that gets underweighted in standard email security checklists: your authentication setup protects your domain's reputation and deliverability, but it does not protect your audience from attacks that route through legitimate infrastructure.
Email remains one of the primary entry points for cyberattacks, and Verizon's 2025 Data Breach Investigations Report shows that most breaches still involve a human element, such as account credentials stolen through phishing. That human element is exactly what these authenticated, platform-abusing campaigns target.
A few concrete steps worth prioritizing:
Audit every platform that sends email on behalf of your domain. This includes obvious systems like marketing platforms, as well as less visible ones like HR tools or finance applications.
Train your audience and team to treat urgency-driven email requests with skepticism, regardless of the sending domain or brand.
Monitor DMARC reports actively. DMARC provides visibility through aggregate and forensic reports, showing who is sending email using your domain and whether those messages are passing authentication. That data reveals unauthorized use of your brand before your customers do.
Go beyond header trust. Behavioral sender analysis, including first-time sender detection, sender-recipient relationship mapping, and domain-age signals, catches what authentication cannot.
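The sender audit and DMARC monitoring steps above can be combined in a few lines. This added example (not code from the VIPRE report or any vendor) parses a DMARC aggregate report and lists sources that failed DMARC and are missing from your sender inventory. The sample report, the function names and the `known_senders` inventory are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; the domain and
# addresses are documentation values, not data from the VIPRE report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP, count messages that passed or failed DMARC evaluation."""
    # Reports come from third parties and never need a DTD, so refuse one
    # rather than expose the parser to entity-expansion input.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD declaration in DMARC report")
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    # "{*}" (Python 3.8+) matches reports sent with or without an XML namespace.
    for row in root.findall(".//{*}record/{*}row"):
        ip = row.findtext("{*}source_ip", "").strip()
        count = int(row.findtext("{*}count", "0"))
        verdicts = (row.findtext("{*}policy_evaluated/{*}dkim"),
                    row.findtext("{*}policy_evaluated/{*}spf"))
        # DMARC passes when aligned DKIM or aligned SPF passes.
        totals[ip]["pass" if "pass" in verdicts else "fail"] += count
    return dict(totals)

def unauthorized_sources(xml_text, known_senders):
    """IPs sending DMARC-failing mail as your domain that are absent from the
    audited sender inventory (known_senders is a hypothetical, hand-kept set)."""
    return sorted(ip for ip, t in summarize(xml_text).items()
                  if t["fail"] and ip not in known_senders)
```

A failing source that is in the inventory usually points to a misconfigured legitimate platform; one that is not is a candidate for brand abuse.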
"Attackers are boldly using sophisticated techniques to evade detection alongside resorting to emotional triggers to manipulate and breach trust," said Usman Choudhary, General Manager of VIPRE Security Group. "Organisations must strengthen email defenses and rethink how trust is established across every channel."
As of March 2026, only 10.7% of domains have full DMARC protection with a strict reject policy at 100% enforcement, while 70.9% of domains have no effective DMARC protection at all. If your domain is in that majority, the Q1 2026 data is a practical reminder of the exposure that gap creates, for your deliverability and for anyone who receives email that claims to come from you.