Barracuda Networks has released its 2026 Email Threats Report, warning that AI-driven social engineering and phishing-as-a-service are increasing both the volume and success rate of email attacks.
The report is based on global telemetry collected in January 2026, with Barracuda Research analysing more than 3.1 billion emails across malicious, spam and other unwanted messages.
According to the findings, one in three email messages is malicious or unwanted spam, and 48% of malicious email activity is phishing. The report also says 34% of companies experience at least one account takeover incident each month.
Barracuda’s analysis points to changes in delivery methods, including a shift away from file-based payloads towards URL-based delivery. It also found that more than 10% of HTML attachments are malicious and that 70% of malicious PDFs contain QR codes that redirect to phishing websites.
The report links high-volume phishing operations to commoditised tooling, stating that 90% of high-volume phishing campaigns used phishing-as-a-service kits.
“Email is no longer just a communication channel — it’s the front line of identity, trust and business continuity,” said Merium Khalid, Director of SOC Offensive Security, Office of the CTO at Barracuda. “As attackers industrialise phishing with AI and phishing‑as‑a‑service, the future of defense must evolve just as quickly. Organisations that stay ahead will prioritise integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy. When prevention, rapid detection and automated incident response work together, businesses can reduce risk, limit the impact of account compromise and maintain continuity even as threats accelerate.”
The report’s release comes as organisations continue to assess how generative AI is affecting the scale and personalisation of social engineering, and as security teams contend with account takeover and QR-code-enabled phishing techniques designed to bypass traditional controls.
The full report is available at https://www.barracuda.com/reports/2026-email-threats-report.
