How AI and phishing-as-a-service are changing the email threat landscape

Insights from Barracuda’s 2026 Email Threats Report

Takeaways

• Email threats are increasingly focused on deception and identity compromise, with phishing representing nearly half of malicious email activity.
• Attackers are shifting away from traditional file-based malware toward URLs, QR codes and HTML, where threats can be harder to spot and block.
• Account takeover is a recurring risk for many organizations, raising the likelihood of fraud, data exposure and business disruption.
• Phishing-as-a-service is industrializing attacks, enabling high-volume campaigns that are easier for criminals to launch and iterate.
• Effective defense increasingly requires layered email security plus identity protection, backed by fast detection and automated response.

Email attacks are evolving faster than ever, and Barracuda’s 2026 Email Threats Report sheds light on why organizations need to rethink their approach to email security. Attackers are harnessing artificial intelligence (AI) and phishing-as-a-service platforms to increase both the scale and sophistication of their campaigns, making email a prime target for identity theft and business disruption.

According to analysis by Barracuda Research, the threat intelligence arm of Barracuda, of over 3.1 billion emails in January 2026, one in three email messages is either malicious or unwanted spam, and nearly half of all malicious activity comes from phishing attacks. Cybercriminals are getting smarter, shifting away from traditional file-based payloads and instead using stealthier delivery methods like URL-based attacks, QR code-embedded documents and account takeover. These tactics are designed to bypass conventional defenses, making it increasingly difficult for organizations to detect threats before damage occurs.

What are the top takeaways from Barracuda’s 2026 Email Threats Report?

Key statistics from the report — and what they signal for defenders — include:

• 48% of malicious email activity is phishing, reinforcing the need to prioritize anti-impersonation controls and identity-focused defenses.
• 34% of companies report at least one account takeover incident every month, making fast detection and response to compromised accounts essential.
• More than 10% of HTML attachments are malicious, highlighting the need to inspect and control HTML-based content, not just traditional file types.
• 70% of malicious PDFs contain QR codes that lead to phishing websites, so QR code scanning and link protection should be treated as core email defenses.
• 90% of high-volume phishing campaigns use phishing-as-a-service kits. Attackers can scale quickly, making automation and layered controls critical.

These findings underscore that email attacks are not only increasing in frequency but also in complexity. As Merium Khalid, Director of SOC Offensive Security, Office of the CTO at Barracuda, points out, “Email is no longer just a communication channel — it’s the front line for identity, trust and business continuity.”

To defend against evolving threats, organizations need to prioritize integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy.

Rapid detection, prevention and automated response are now essential components of any cyber resilience strategy. By combining these elements, businesses can lower risk, limit the impact of account compromise and maintain operational continuity—even as threats become faster and more industrialized. The future of email security demands resilience, integration and automation.

What should organizations do next to reduce phishing and account takeover risk?

• Reduce phishing success with stronger user verification, anti-impersonation controls and continuous awareness tailored to current tactics (URLs, QR codes and HTML lures).
• Harden identity security by enforcing MFA where possible, monitoring for suspicious sign-ins and tightening access policies to limit the impact of stolen credentials.
• Expand inspection beyond attachments by increasing scrutiny of embedded links and QR codes in documents and messages.
• Prepare for account takeover with playbooks that include rapid credential resets, token/session revocation and clear escalation paths.
• Automate detection and response to quarantine suspicious messages quickly and reduce dwell time when attacks slip through.

Want the full breakdown? Check out Barracuda’s 2026 Email Threats Report for the complete findings, data and recommendations, and stay tuned for exciting new email security innovations coming soon.