New findings from Barracuda Research, the threat intelligence arm of Barracuda, show that AI‑driven social engineering and phishing as a service (PhaaS) are accelerating both the volume and effectiveness of email attacks, enabling adversaries to scale credential‑phishing operations and increase the success rate of targeted campaigns.
The report also highlights a shift in attacker tactics, with threat actors moving from file‑based payloads to URL‑based delivery and embedding QR codes in trusted document formats to disguise malicious destinations.
According to Barracuda, attackers are further exploiting account takeover techniques to bypass traditional defenses and deliver highly convincing messages from compromised inboxes, underscoring the need for integrated, multilayered email protection.
Based on global telemetry collected in January 2026, Barracuda Research analyzed more than 3.1 billion emails, looking at malicious, spam or otherwise unwanted emails to quantify these trends and assess their impact on organizations worldwide.
Key findings include:
- 1 in 3 email messages are malicious or unwanted spam
- 48 percent of malicious email activity is phishing
- 34 percent of companies experience at least one account takeover incident every month
- More than 10% of HTML attachments are malicious
- 70 percent of malicious PDFs contain QR codes leading to phishing websites
- 90 percent of high-volume phishing campaigns used phishing-as-a-service kits
“Email is no longer just a communication channel — it’s the front line of identity, trust and business continuity,” said Merium Khalid, Director of SOC Offensive Security, Office of the CTO, Barracuda. “As attackers industrialize phishing with AI and phishing‑as‑a‑service, the future of defense must evolve just as quickly. Organizations that stay ahead will prioritize integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy. When prevention, rapid detection and automated incident response work together, businesses can reduce risk, limit the impact of account compromise and maintain continuity even as threats accelerate.”
