Barracuda 2026 Email Threats Report: AI and Phishing-as-a-Service

Email remains the most exploited attack surface in enterprise environments. In 2026, the threat landscape has evolved significantly: attackers are no longer relying on crude spam campaigns but are leveraging AI-driven social engineering and industrialized phishing-as-a-service platforms to scale credential theft, bypass defenses, and compromise accounts at unprecedented speed. Barracuda Networks has published its 2026 Email Threats Report, providing data-backed insight into how these shifts are affecting organizations worldwide.

What was announced

On May 12, 2026, Barracuda Networks released the 2026 Email Threats Report, based on analysis of more than 3.1 billion emails collected from global telemetry in January 2026. The report identifies AI-powered social engineering and phishing-as-a-service (PhaaS) as the primary accelerants behind growing email attack volumes and higher campaign success rates. Key statistics from the report include:

• 1 in 3 emails analyzed were malicious or unwanted spam.
• 48% of malicious email activity is classified as phishing.
• 34% of companies experience at least one account takeover incident every month.
• More than 10% of HTML attachments are malicious.
• 70% of malicious PDFs contain QR codes linking to phishing websites.
• 90% of high-volume phishing campaigns used phishing-as-a-service kits.

The report also documents a strategic shift in attacker delivery methods: threat actors are moving away from file-based payloads toward URL-based delivery, and embedding QR codes inside trusted document formats such as PDFs to disguise malicious destinations. Account takeover (ATO) techniques are increasingly used to send convincing phishing messages from legitimate, compromised inboxes — a method that defeats many traditional email filters.

Why this matters

For CISOs, IT directors, and procurement leaders, this report signals a structural change in the email threat environment rather than a temporary spike. The industrialization of phishing through PhaaS kits means that even low-skill threat actors can now run highly targeted, high-volume campaigns. AI amplifies this further by generating convincing, personalized content at scale.

The shift to URL-based payloads and QR-code-embedded documents is a direct response to the widespread adoption of attachment scanning. Attackers adapt to defenses, and organizations that rely solely on perimeter-based or signature-based email security will face increasing exposure. The 34% monthly account takeover rate is particularly significant: once an account is compromised, attackers gain a trusted identity, making downstream attacks far more difficult to detect.

These trends reinforce the business case for integrated, multilayered email protection as part of a broader cyber resilience strategy — one that covers prevention, rapid detection, and automated incident response simultaneously.

Email is no longer just a communication channel — it is the front line of identity, trust and business continuity. As attackers industrialize phishing with AI and phishing-as-a-service, the future of defense must evolve just as quickly. Organizations that stay ahead will prioritize integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy.

Technical details

• AI-driven social engineering: Generative AI enables attackers to craft highly personalized phishing messages at scale, increasing open and click-through rates on malicious emails.
• Phishing-as-a-Service (PhaaS): Ready-made kits lower the barrier to entry for attackers, enabling credential-phishing operations to scale rapidly; 90% of high-volume campaigns leveraged these kits.
• URL-based payload delivery: Attackers are shifting from file attachments to embedded URLs, evading attachment-based scanning solutions.
• QR codes in PDF documents: 70% of malicious PDFs now contain QR codes that redirect users to phishing sites, bypassing text-based content filters.
• HTML attachment abuse: Over 10% of HTML attachments analyzed were malicious, often used to redirect victims or execute client-side phishing logic.
• Account Takeover (ATO): 34% of organizations face at least one ATO incident monthly; compromised accounts are used to send trusted-looking phishing messages that bypass standard filters.
• Multilayered protection requirement: The report emphasizes that integrated email protection — combining prevention, detection, identity protection, and automated incident response — is essential to address these converging threats.

Softprom and Barracuda Networks

Softprom is the official distributor of Barracuda Networks. As a distributor, Softprom enables organizations to access the full Barracuda portfolio, including Barracuda Email Protection and Account Takeover Protection, with professional pre-sales consultation and deployment support.

This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news. Original source: original article.