[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEhB-v5KLXJkIY1FigpPFb6pAXaHFZ3GBv0dUIKoF128":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"7e764666-fdb4-42a7-a899-4f11a1b3be2c","Email threat landscape: Q1 2026 trends and insights","email-threat-landscape-q1-2026-trends-and-insights-9a103c","In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics. The post Email threat landscape: Q1 2026 trends and insights appeared first on Microsoft Security Blog.","Q1 2026 saw increased email threats including credential phishing, QR code phishing, and CAPTCHA-gated campaigns. Microsoft disrupted the Tycoon2FA phishing platform, resulting in a 15% volume decrease and forcing threat actors to shift tactics. Separately, Microsoft DART identified Storm-2755, a financially motivated threat actor compromising Canadian employee accounts to divert salary payments to attacker-controlled accounts.","Microsoft disrupts Tycoon2FA phishing platform; Storm-2755 targets Canadian payroll in Q1 2026.","April 9 12 min read Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts.","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F04\u002F30\u002Femail-threat-landscape-q1-2026-trends-and-insights\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002FQ1-email-threats-featured-image.png","2026-04-30T15:00:00+00:00","2026-04-30T16:00:22.859299+00:00",8,[18,21,24],{"name":19,"type":20},"Storm-2755","threat_actor",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":26},"QR code phishing","technology","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":27,"icon":29,"name":30,"slug":31},null,"Threat Intelligence","threat-intelligence",[33,38,43],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":44},{"id":45,"icon":29,"name":46,"slug":47},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[49],{"type":47,"value":50,"context":51},"Tycoon2FA","Phishing platform disrupted by Microsoft; associated with credential theft campaigns"]