AI fuels rise in phishing attacks, Barracuda finds

Barracuda has published research showing a rise in email attacks driven by artificial intelligence and phishing-as-a-service tools. The findings are based on an analysis of more than 3.1 billion emails.

Its threat intelligence unit examined global telemetry gathered in January 2026 and found that one in three email messages was malicious, spam or otherwise unwanted. Phishing accounted for 48% of malicious email activity, making it the largest single category identified in the research.

The report points to a change in how attackers deliver harmful content. Rather than relying only on traditional file-based attachments, many campaigns now use links, QR codes and compromised accounts to reach targets and evade established email filters.

HTML attachments remain a notable source of risk, with more than 10% classed as malicious in the dataset. Barracuda also found that 70% of malicious PDF files contained QR codes directing users to phishing websites, reflecting a broader shift towards lures embedded in document formats that recipients may view as routine.

Another trend is the growing use of packaged phishing services. The research found that 90% of high-volume phishing campaigns used phishing-as-a-service kits, which lower the barrier to entry for cyber criminals by offering ready-made tools to run attacks at scale.

That industrialisation of phishing appears to be feeding into account compromise. Barracuda reported that 34% of companies experience at least one account takeover incident each month, suggesting email attacks are no longer limited to inbox disruption but increasingly lead to unauthorised access to internal systems and trusted communications.

Shifting tactics

The figures suggest attackers are focusing more on methods that exploit user trust rather than technical vulnerabilities alone. QR-code phishing, sometimes referred to as quishing, has gained traction because it can move a victim from a desktop email environment to a mobile device, where security checks and user scrutiny may be weaker.

Compromised email accounts add another layer to the problem. Messages sent from a genuine corporate inbox can appear more credible to colleagues, suppliers or customers and can be used to request credentials, redirect payments or distribute links to malicious sites.

Artificial intelligence is also shaping the social engineering side of these campaigns. The research links AI-driven techniques to higher volume and greater effectiveness in email attacks, suggesting threat actors are using automated tools to generate more convincing messages and tailor them to particular recipients at scale.

For businesses, the findings underline the extent to which email remains a central attack route. Despite years of investment in filtering and endpoint security, the inbox continues to be used for credential theft, malware delivery and account compromise because it combines technical access with direct human interaction.

Business exposure

The implications extend beyond cybersecurity teams. Account takeover incidents can disrupt finance functions, procurement processes and customer communications, especially when attackers gain access to trusted internal threads or supplier relationships.

Large-scale phishing operations can also be run cheaply and repeatedly. The spread of phishing-as-a-service means criminals no longer need to build their own infrastructure from scratch, allowing less sophisticated actors to launch campaigns that resemble those of more established groups.

The shift mirrors a wider trend across cyber crime, where tools are increasingly sold as services. In the email market, the result is a greater number of campaigns and a wider pool of attackers able to test and refine tactics against businesses of different sizes.

Barracuda framed the issue as one of operational resilience as much as threat detection. It said the rise of AI-assisted phishing and stealthier delivery methods shows why organisations need layered security that combines prevention, detection and response across email and identity systems.

Merium Khalid, Director of SOC Offensive Security in the Office of the CTO at Barracuda, commented on the findings.

"Email is no longer just a communication channel - it's the front line of identity, trust and business continuity. As attackers industrialise phishing with AI and phishing‐as‐a‐service, the future of defense must evolve just as quickly. Organisations that stay ahead will prioritise integrated email security layered with identity protection and automated response as part of a broader, resilience-driven strategy. When prevention, rapid detection and automated incident response work together, businesses can reduce risk, limit the impact of account compromise and maintain continuity even as threats accelerate," Khalid said.