India, May, 2026 — Barracuda Networks, Inc., a leading global cybersecurity company providing complete cyber resilience made easy to buy, deploy and use for all size business, today released the 2026 Email Threats Report. New findings from Barracuda Research, the threat intelligence arm of Barracuda, show that AI‑driven social engineering and phishing‑as‑a‑service are accelerating both the volume and effectiveness of email attacks, enabling adversaries to scale credential‑phishing operations and increase the success rate of targeted campaigns.
The report also highlights a shift in attacker tactics, with threat actors moving from file‑based payloads to URL‑based delivery and embedding QR codes in trusted document formats to disguise malicious destinations. Attackers are further exploiting account takeover techniques to bypass traditional defenses and deliver highly convincing messages from compromised inboxes, underscoring the need for integrated, multilayered email protection.
Based on global telemetry collected in January 2026, Barracuda Research analyzed more than 3.1 billion emails, looking at malicious, spam or otherwise unwanted emails to quantify these trends and assess their impact on organizations worldwide. Findings include:
- 1 in 3 email messages are malicious or unwanted spam
- 48% of malicious email activity is phishing
- 34% of companies experience at least one account takeover incident every month
- More than 10% of HTML attachments are malicious
- 70% of malicious PDFs contain QR codes leading to phishing websites
- 90% of high-volume phishing campaigns used phishing-as-a-service kits
“Email is no longer just a communication channel — it’s the front line of identity, trust and business continuity,” said Merium Khalid, Director of SOC Offensive Security, Office of the CTO, Barracuda. “As attackers industrialize phishing with AI and phishing‑as‑a‑service, the future of defense must evolve just as quickly. Organizations that stay ahead will prioritize integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy. When prevention, rapid detection and automated incident response work together, businesses can reduce risk, limit the impact of account compromise and maintain continuity even as threats accelerate.”
