Commercial spam, link-based malspam, and use of QR code-embedded PDFs are on the rise
LONDON, April 23, 2026 /PRNewswire/ — VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, releases its Q1 2026 Email Threat Trends Report, which finds that cybercriminals are stealing trust by exploiting legitimate sites, systems, and ecosystems to bypass defenses more easily and maximize attack success. Processing 1.8 billion emails in the first quarter of this year, this report highlights the struggles organizations face, signaling areas where they must strengthen email defenses in the coming months.
Commercial spam takes up the lion’s share
Commercial spam forms the majority of spam at 46%, delivered via compromised accounts (33%) and free email services (32%). This illustrates trusted platforms and free services as criminals’ favored attack vectors. Commercial spam wears down users with email fatigue, increasing their chances of being phished, while the technique itself assists cybercrime through misleading subject lines, aggressive language, and act-fast promotions.
Nearly two-thirds of spam came from US-based infrastructure, followed by Ireland and the UK. The US was also the top target of commercial spam at 60%, followed by the UK at 12% and Canada at 6%.
Attackers exploit trusted platforms to deliver link-based phishing at scale
Cybercriminals are increasingly relying on familiar, reputable platforms to carry out their attacks. Phishing made up 25.87% of all spam, with malicious links remaining the weapon of choice.
During the first quarter of 2026, embedded links appeared in 50.59% of phishing emails, while 26.69% included attachments, 19.17% used callback schemes, and 3.55% relied on QR code-based phishing. Microsoft continues to be the top brand targeted for spoofing, and “.com” domains remain the primary infrastructure for sending these attacks.
Furthermore, attackers favor “open redirects” that begin with the legitimate domain and then end with a parameter routing to a malicious site. Abused URLs accounted for over 89% of phishing URLs.
Cybercriminals adapt to detection methods
The manner in which attackers construct and deploy phishing URLs in Q1 shows they are adapting to detection methods. Newly Registered Domains (NRDs) are on the decline. As scanners become more effective at identifying newly created domains, cybercriminals are adapting by relying more on familiar, reputable domains to avoid detection. This shift reinforces their tendency to use proven strategies and exploit established, trustworthy web addresses.
Many cybercriminals leverage Cloudflare to conceal their phishing links. By taking advantage of the platform’s CAPTCHA and bot-protection mechanisms, they prevent security scanners from accessing the actual malicious landing pages. This tactic not only allows more phishing emails to bypass defenses and reach users, but also increases the perceived legitimacy and quality of these emails.
Callback phishing is a continued trend
Callback phishing remains a strong trend. Common tactics include fake invoices, subscription renewals, and account status alerts. Microsoft accounted for 41% of all spoofed brands in callback campaigns, followed by PayPal (17%) and Geek Squad (15%). Runners-up include McAfee, Amazon, Norton, and eBay. Interestingly, to allay suspicion, these callback campaigns were sent from authenticated Microsoft infrastructure, all passing SPF, DKIM, and DMARC checks.
QR code-embedded PDF attachments are rising
PDF files continue to dominate malicious attachments, accounting for 63% of the total. Meanwhile, cybercriminals are increasingly inserting QR codes into these PDFs, allowing them to evade standard URL and text-based scanning methods.
Likewise, attackers are increasingly using images as attachments with JPGs making up 6% and PNGs 4% to bypass text-based detection tools. EML files are also on the rise, with use in 13.15% of cases. By attaching entire emails, threat actors effectively mimic the format of genuine internal email conversations to evade secure email gateways.
Link-based malspam delivery growing
In Q1 2026, 84% of malspam emails used link-based delivery. A noteworthy tactic is the use of TestFlight, Apple’s official platform for testing beta versions before release on the App Store. Cybercriminals distributed malware through seemingly legitimate beta channel applications and then emailed it to users via the TestFlight link. Since TestFlight is typically seen as trustworthy, the emails greenlighted past scanners to land in recipients’ inboxes.
CEO impersonation drops
While the C-suite continues to be the primary impersonation focus for cybercriminals, its popularity dropped from 73% (in Q1 2025) to 54% in Q1 2026. This shift suggests attackers are adjusting to more realistic behaviors – for example, executives follow a chain of command and don’t always reach out directly to the C-suite.
The Swedish language takes second place for BEC
English retains its position as the primary language for business email compromise (BEC), accounting for 88%, but the Swedish language has taken the second spot, beating Spanish. This highlights cybercriminals’ shift to Nordic countries, possibly due to the region’s adoption of cashless payments, established digitalization, high level of public trust, and above-average per capita income compared to the rest of the world.
“Attackers are boldly using sophisticated techniques to evade detection alongside resorting to emotional triggers to manipulate and breach trust,” says Usman Choudhary, General Manager, VIPRE Security Group. “Organizations must strengthen email defenses and rethink how trust is established across every channel to combat these threats. The landscape demands vigilance and a proactive approach to security. There is no room for complacency.”
To read the full report, click here: VIPRE Q1 2026 Email Threat Trends Report
VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.
About VIPRE Security Group
VIPRE Security Group, part of Ziff Davis, Inc., is a leading provider of internet security solutions purpose-built to protect businesses, solution providers, and home users from costly and malicious cyber threats. With over 25 years of industry expertise, VIPRE is one of the world’s largest threat intelligence clouds, delivering exceptional protection against today’s most aggressive online threats. Our award-winning software portfolio includes next-generation antivirus endpoint cloud solutions, advanced email security products, along with threat intelligence for real-time malware analysis, and high-quality security awareness training for compliance and risk management. VIPRE solutions deliver an easy-to-use, comprehensive layered defense through cloud-based and server security, with mobile interfaces that enable instant threat response. VIPRE is a proud Advanced Technology Partner of Amazon Web Services, operating globally across North America and Europe.
The group operates under various brands, including VIPRE®, StrongVPN®, IPVanish®, Inspired eLearning®, Livedrive®, and SugarSync®. www.VIPRE.com
View original content:https://www.prnewswire.com/news-releases/attackers-favor-widely-trusted-platforms-while-adapting-to-detection-methods-vipres-q1-2026-email-threat-trends-report-reveals-302750157.html
SOURCE VIPRE Security Group
Technology4 days ago
Coin Market4 days ago
Technology4 days ago
Coin Market2 days ago
Technology5 days ago
Technology5 days ago
Technology4 days ago
Technology5 days ago