Barracuda Networks has released the 2026 Email Threat Report. New findings from Barracuda Research, Barracuda’s threat intelligence division, show that AI-powered social engineering and phishing-as-a-service are accelerating both the volume and effectiveness of email attacks, allowing adversaries to scale credential phishing operations and increase the success rate of targeted campaigns.

The Barracuda report also highlights a shift in attacker tactics, which are moving from using file-based payloads to distribution via URLs and embedding QR codes in trusted document formats to conceal malicious destinations. Additionally, attackers are increasingly leveraging account takeover techniques to bypass traditional defenses and send highly convincing messages from compromised email inboxes, highlighting the need for integrated, multi-layered email protection.

Using global telemetry data collected in January 2026, Barracuda Research analyzed more than 3.1 billion emails, focusing on malicious, spam, or unwanted messages, to quantify these trends and assess their impact on organizations around the world.

Conclusions include:

  • 1 in 3 email messages is malicious or unwanted spam.
  • 34% of companies experience at least one incident of account takeover every month.
  • More than 10% of HTML attachments are malicious.
  • 70% of malicious PDF files contain QR codes that lead to phishing websites.
  • 90% of high-volume phishing campaigns used phishing kits as a service.

AI-powered social engineering and phishing accelerate both the volume and effectiveness of email attacks

“Email is no longer just a communication channel: it is the first line of defense for identity, trust and business continuity,” said Merium Khalid, SOC Offensive Security Director, Office of the CTO, Barracuda. “As attackers industrialize phishing through artificial intelligence and phishing as a service, the future of defense must evolve just as quickly. Organizations that stay ahead of the curve will prioritize integrated email security, combined with identity protection and automated response, as part of a broader resilience-driven strategy. When prevention, rapid detection, and automated incident response work together, organizations can reduce risk, limit the impact of account compromise, and maintain continuity. even as threats intensify.”

Alex Chen
Alex Chen

Alex Chen serves as the chief editor of Asia Tech Journal, bringing over a decade of experience in technology journalism. Previously writing for several globally renowned publications, Alex is celebrated for his insightful analyses and in-depth reporting on tech trends across Asia. Passionate about innovation, Alex specializes in the dynamic technology ecosystem of China and its global impacts.