Email used to be the digital handshake. In 2026, it has become something far more dangerous: the front line of identity, trust, and business continuity.
Barracuda’s 2026 Email Threats Report paints a stark picture of how quickly adversaries are evolving—fuelled by AI-driven social engineering and phishing-as-a-service.
The headline shift is scale and success. Using global telemetry collected in January 2026, Barracuda Research analysed more than 3.1 billion emails and found that one in three messages is malicious or unwanted spam.
Even more concerning, 48% of malicious email activity is phishing—and phishing is increasingly engineered to land, not merely to lure. Attackers are turning to industrialised techniques that make targeted campaigns harder to block with static rules and traditional filters.
The delivery methods are changing too. Rather than relying primarily on obvious, file-based payloads, threat actors are moving towards stealthier approaches designed to slip past conventional controls.
The report highlights URL-based payloads, QR-code-embedded documents disguised inside formats that users already trust, and account takeover techniques that can bypass defences by presenting messages from compromised inboxes—messages that look internal, familiar, and urgent.
That urgency is borne out by how often accounts are compromised. Barracuda reports that 34% of companies experience at least one account takeover incident every month. In parallel, the threat surface is widening: more than 10% of HTML attachments are malicious, while 70% of malicious PDFs contain QR codes leading to phishing websites.
And for those attackers running high-volume operations, the report notes that 90% of high-volume phishing campaigns used phishing-as-a-service kits—meaning the “craft” is less artisanal and more automated.
Merium Khalid, director of SOC Offensive Security at Barracuda, captured the defence challenge in plain terms:
“Email is no longer just a communication channel — it’s the front line of identity, trust and business continuity.”
Prevention alone is no longer enough. To cope with fast-moving threats, organisations need rapid detection, automated response, and identity-focused controls that reduce the blast radius when credentials or inboxes are compromised.
