Your Inbox Is Now a Battlefield and You’re Probably Already Losing

AI and Criminal Subscription Services Are Making Email the Most Dangerous Place in Business

Every day, billions of emails crisscross the internet. And according to Barracuda’s 2026 Email Threats Report, a staggering one in three of those messages is either malicious or unwanted spam — up sharply from one in four just last year. In January 2026, Barracuda Research analyzed over 3.1 billion emails, and what they found should alarm every executive, IT manager, and employee who has ever clicked a link at work.

Phishing Still Reigns Supreme

Nearly half — 48% — of all malicious email activity is phishing. These aren’t clumsy, poorly written scams anymore. Today’s phishing emails are polished, personalized, and often indistinguishable from legitimate business communications. Attackers impersonate trusted brands like Microsoft, DocuSign, and SharePoint, luring employees into surrendering login credentials that can unlock entire corporate networks.

The Rise of “Crime-as-a-Subscription”

Perhaps the report’s most alarming revelation is the explosion of Phishing-as-a-Service (PhaaS). In this criminal business model, would-be hackers subscribe to ready-made attack toolkits, complete with fake login pages, automation, and hosting. A dramatic 90% of high-volume phishing campaigns in 2025 used PhaaS kits — a massive jump from just 30% in 2024. The barrier to entry for launching a sophisticated cyberattack has essentially collapsed. Even technically unskilled criminals can now run large-scale campaigns targeting thousands of victims simultaneously.

Many of these kits also come with MFA bypass tools, meaning that two-factor authentication — long considered a gold-standard defense — is no longer enough on its own.

Your Files Are Being Weaponized

Attachments remain a favored attack vehicle, but the methods have grown more cunning. More than 10% of all HTML attachments are malicious — the most weaponized file type by a wide margin. When opened, these files render in a browser and silently redirect users to credential-harvesting websites.

Even more concerning: 70% of malicious PDFs now contain QR codes leading to phishing websites. By embedding a QR code inside a trusted-looking document, attackers shift the attack to a victim’s mobile phone — a device that typically sits outside a company’s security perimeter and monitoring systems.

One-Third of Companies Get Hacked Every Month

Account takeover — where attackers gain access to a real employee’s email account and operate from within — is no longer a rare event. 34% of companies experience at least one account takeover incident every month. Once inside, attackers don’t just steal data. They quietly manipulate inbox rules, forward sensitive emails externally, and launch phishing attacks from within, using the victim’s own trusted identity. A quarter of account takeover incidents involved suspicious changes to inbox rules, a subtle tactic that helps attackers remain hidden for extended periods.
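A defender can look for the inbox-rule pattern described above by reviewing mailbox rules in bulk. The following is an added example, not code from Barracuda or the report; the rule schema, domain names, keyword list and sample rules are all constructed assumptions, not any mail platform's API.

```python
from dataclasses import dataclass, field

# Assumptions for this added example: the rule schema, domains and keywords
# are constructed for illustration and do not mirror any vendor's API.
INTERNAL_DOMAINS = {"corp.example"}
SENSITIVE_TERMS = ("invoice", "payment", "wire", "password", "phish")

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)
    move_to: str = ""            # destination folder, empty if none
    delete: bool = False
    mark_read: bool = False
    subject_terms: list = field(default_factory=list)

def audit_rule(rule):
    """Return the list of reasons this rule deserves analyst review."""
    reasons = []
    external = [a for a in rule.forward_to
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards-externally:" + ",".join(sorted(external)))
    # Deleting, or filing away and marking read, keeps mail out of the owner's view.
    if rule.delete or (rule.move_to and rule.mark_read):
        reasons.append("hides-messages")
    hits = sorted({t for s in rule.subject_terms for t in SENSITIVE_TERMS if t in s.lower()})
    if hits and reasons:  # keywords alone are normal; they matter on a risky rule
        reasons.append("targets-sensitive-terms:" + ",".join(hits))
    return reasons

def audit_mailboxes(rules):
    """Map mailbox -> {rule name: reasons} for rules with at least one finding."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report.setdefault(rule.mailbox, {})[rule.name] = reasons
    return report

# Constructed sample data, not taken from the report.
SAMPLE_RULES = [
    InboxRule("ana@corp.example", "Newsletters", move_to="Reading"),
    InboxRule("raj@corp.example", "..", forward_to=["drop@mail.invalid"],
              subject_terms=["Invoice", "wire transfer"]),
    InboxRule("raj@corp.example", "cleanup", delete=True, subject_terms=["phishing alert"]),
    InboxRule("lee@corp.example", "To assistant", forward_to=["pa@corp.example"]),
]
```

Run on a schedule against exported rules, a check like this surfaces the quiet rule changes before the forwarding has been in place for long.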


Links Are the New Weapon of Choice

As companies have improved their attachment scanning, attackers have adapted. Barracuda Research has identified a marked increase in URL-based attacks over direct file attachments. Criminals now host malicious content on reputable platforms like SharePoint and Google Drive, making links appear legitimate. They even program links to appear harmless during security scans and only activate once an email reaches a real inbox.

What Businesses Must Do Now

The report’s prescription is clear: layered defense is no longer optional. Organizations must invest in AI-enhanced email filtering, implement zero-trust access controls, automate incident response, and regularly train employees — including through simulated phishing tests. Backing up critical data and auditing security configurations for gaps are equally non-negotiable steps.

The 2026 Email Threats Report makes one thing undeniable: email is no longer just a communication tool. It is the primary gateway through which cybercriminals enter, and the sophistication of those attempting entry has never been higher.
