Microsoft flagged 8.3 billion phishing emails in just three months. But the bigger warning is how those attacks are changing.
According to Microsoft, phishing campaigns are increasingly using QR codes, fake CAPTCHA pages, file-based payloads, and legitimate platforms to avoid traditional email defenses. The shift gives attackers more ways to hide malicious links, slow automated analysis, and scale campaigns with fewer technical skills.
For security teams, the takeaway is blunt: phishing is no longer just an inbox problem. It is becoming a modular attack chain that can move across email, websites, cloud services, and human trust before the final payload appears.
Phishing-as-a-Service is commercializing email attacks
Threat actors are no longer operating on a small scale. Phishing attacks are increasingly being executed as packaged services and then reused across multiple campaigns.
One of the biggest examples is Tycoon2FA, a phishing-as-a-service platform Microsoft said has been linked to the Storm-1747 threat group. The platform sells or leases phishing kits that help attackers launch campaigns without having to build their own infrastructure from scratch.
Microsoft said activity tied to Tycoon2FA fell 15% in March after Europol and its partners disrupted parts of its infrastructure earlier that month. But that drop does not mean the threat is gone. Microsoft’s findings suggest Tycoon2FA-style tactics are spreading across other kits and operators.
The practical takeaway for security teams is that phishing defenses can no longer stop at the mailbox. Organizations need user training, link and attachment protection, endpoint controls, and current threat intelligence to work together, because attackers are already chaining those weak points.
Phishing campaigns are combining CAPTCHA checks with file-based payloads
The Microsoft report shows active experimentation with payload delivery methods. This was especially visible in March, when, after two months of decline, CAPTCHA-based attacks suddenly surged to 11.9 million cases.
PDF-based payloads still topped the charts as the most-used delivery method: in March, PDF-delivered malware gated by fake CAPTCHA pages rose by 356%. HTML-delivered payloads came next, followed by DOC/DOCX-delivered payloads, which spiked fivefold in March and accounted for 15% of all payloads gated by a fake CAPTCHA.
SVG-delivered payloads rose in February after months of decline, then fell again in March. Email-embedded URLs followed a different path: they once dominated the role now held by PDFs and saw a renewed spike in March.
A closer look at CAPTCHA-based attacks tells a quieter story: even with activity generally peaking in March, Tycoon2FA's dominance as the hosting source for these attacks weakened. What hosted three-thirds of CAPTCHA-based attacks by the end of 2025 was, by the end of March, hosting just 41%.
While that sounds like good news, the broader numbers point to a worrisome pattern: the toolkits originally obtained from Tycoon2FA are now being replicated across multiple kits and operators, producing the spike recorded in March.
Staying safe in a rapidly evolving phishing landscape
Mitigating these threats requires a combined strategy of human efforts and layered defenses.
Since phishing remains the most widely used attack vector, it is necessary to start with the very thing security tools can’t protect against: human vulnerability.
Business Email Compromise (BEC) attacks, which totaled 10.7 million in Q1 alone, excel at exploiting human weaknesses. The report reveals that conversational messages like “Are you at your desk?” had significant success rates, and “accounted for 82–84% of initial contact emails each month.”
Human curiosity and promises of monetary rewards also contributed to the consistent rise of BEC scams. Awareness training, email best practices, and organizational policies are strategies that can help reduce the success rates of attacks targeting human weaknesses.
However, attackers are not only targeting human weaknesses. They’ve adopted a layered approach to their attacks, with each campaign embedded with detection-bypass techniques tailored to different stages of security detection. As a result, organizations too must respond with layered security measures to meet them at each stage of their attempts to circumvent detection.
Microsoft recommends that businesses using email systems turn on Safe Links, password-less authentication, Safe Attachments, and network protection across endpoints. It also recommends using SmartScreen to block malicious websites and using tools like Microsoft Defender 365.
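One way to turn on the Safe Links and Safe Attachments controls named above, as an added example that is not from the article or from Microsoft's report; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the needed security admin role, and contoso.example is a placeholder for your own accepted domain.

```powershell
# Added example: enables Safe Links and Safe Attachments in Exchange Online and then
# audits the resulting Safe Links policies for weak settings. Not code from the article
# or from Microsoft's report; "contoso.example" is a placeholder for your domain.
Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder, replace with your accepted domain

# Safe Links: rewrite and scan URLs at click time, hold delivery until scanning finishes,
# cover internal senders too, and do not let users click through a block page.
New-SafeLinksPolicy -Name 'SafeLinks-Baseline' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name 'SafeLinks-Baseline-Rule' `
    -SafeLinksPolicy 'SafeLinks-Baseline' `
    -RecipientDomainIs $domain

# Safe Attachments: detonate PDF, HTML and DOC/DOCX attachments in a sandbox and block
# the message when the verdict is malicious.
New-SafeAttachmentPolicy -Name 'SafeAttachments-Baseline' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'SafeAttachments-Baseline-Rule' `
    -SafeAttachmentPolicy 'SafeAttachments-Baseline' `
    -RecipientDomainIs $domain

# Audit: list any Safe Links policy that still allows click-through, skips URL scanning,
# or is not applied to email at all.
Get-SafeLinksPolicy |
    Where-Object { $_.AllowClickThrough -or -not $_.ScanUrls -or -not $_.EnableSafeLinksForEmail } |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
```

The audit query at the end is worth scheduling on its own, since a policy created correctly can later be loosened by another admin.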
Security teams are also advised to regularly review threat intelligence reports to stay informed about the latest changes that can affect their organizations.