Last Updated on May 5, 2026 by Arnav Sharma
The numbers from Q1 2026 are hard to ignore. Microsoft Threat Intelligence detected roughly 8.3 billion email-based phishing threats between January and March alone. Cisco reported that phishing has retaken the top spot as the primary initial access vector, responsible for 35% of compromises in Q1 incident response engagements. And KnowBe4’s April 2026 report puts AI involvement in phishing campaigns at 86%.
Something has shifted. Not gradually, but fast.
The AI Acceleration
For most of 2025, AI-generated phishing was a background hum. Hoxhunt’s data across 4 million users showed that fewer than 5% of detected attacks each month were AI-generated. That changed in December 2025, when AI-generated phishing spiked 14x, jumping from about 4% to 56% of detected attacks. That ratio has held into 2026.
The speed advantage alone is staggering. IBM X-Force research found that generative AI can produce a convincing phishing email in about five minutes. A skilled human operator? Roughly sixteen hours for the same quality. That’s a 192x speed improvement. But speed is only half the problem. Hoxhunt found that by March 2025, AI-generated phishing campaigns were already 24% more effective than those built by experienced human red teams.
Think about what that means. The machines aren’t just faster. They’re producing better social engineering than the people who do this for a living.
The Old Playbook Is Dead
If your security awareness training still teaches people to look for broken grammar and misspellings, it’s training for a threat that barely exists anymore.
Traditional phishing relied on volume over quality: blast out a million poorly written emails and hope a few people click. The tells were obvious: weird formatting, generic greetings, suspicious attachments. Modern AI-generated lures read like they came from a colleague. They reference real projects, real names, real org structures. They scrape LinkedIn, corporate websites, and public data to tailor messages at scale.
The delivery methods have shifted too. Microsoft’s Q1 data shows 78% of email threats were link-based rather than attachment-based. Credential phishing dominated payloads, growing from 89% of all payload attacks in January to 94% by March. Traditional malware delivery, things like macro-laden Word docs, has dropped to just 5-6% of payloads. The attachment-heavy phishing email is becoming a relic.
QR Codes: The Blind Spot
The sharpest trend in Microsoft’s Q1 report was the explosion of QR code phishing, or “quishing.” Attack volumes jumped from 7.6 million in January to 18.7 million in March, a 146% increase over the quarter.
Here’s why this works so well against defenders: a phishing email with a clickable URL gets scanned by every modern email security gateway. The URL is reputation-checked, sandboxed, sometimes followed in a virtualized browser. A phishing email with a PDF attachment containing a QR code gets none of that. The gateway sees a PDF. The user sees a “scan to verify your account” prompt. The phone, which typically has fewer protections than the corporate inbox, follows the link.
By March, 70% of QR phishing arrived as PDF attachments. QR codes embedded directly in email body HTML grew even faster at 336%, though they still represented only about 5% of total QR volume. Attackers know where the detection gaps are, and they’re parking their payloads there.
I’ve seen this play out firsthand in environments I’ve worked with. A finance team member receives what looks like a DocuSign notification. There’s a QR code in the PDF attachment. They scan it on their personal phone at lunch. The phone has no corporate MDM, no conditional access policies, no endpoint protection. The credential harvesting page loads, they enter their Microsoft 365 credentials, and the attacker has a valid session token before anyone knows something happened.
New Kits, Lower Barriers
Two operations discovered in recent weeks show exactly how AI is being woven into the phishing supply chain.
Bluekit
Varonis Threat Labs pulled apart a phishing-as-a-service kit called Bluekit at the end of April 2026. In the past, a phishing operator had to buy a credential-harvesting page from one seller, a domain rotator from another, and an SMS gateway from a third. Bluekit bundles everything into a single dashboard: domain registration, phishing page creation, campaign management, and real-time victim session monitoring.
It ships with over 40 templates mimicking services like Gmail, Outlook, iCloud, GitHub, ProtonMail, and Ledger. The kit handles Adversary-in-the-Middle (AiTM) techniques to steal session data and bypass MFA. Operators can block VPN traffic, filter headless user agents, and set fingerprint-based checks from the same configuration panel.
What makes Bluekit stand apart is its built-in AI Assistant panel. It supports multiple models, including what appear to be jailbroken variants of Llama, GPT-4.1, Gemini, and DeepSeek. Varonis found the AI outputs were still placeholder-heavy and experimental, more of a campaign skeleton generator than a polished lure factory. But the direction is clear: the tooling is converging. Give it six months.
ATHR
If Bluekit represents the email side, ATHR represents the voice side. Discovered by Abnormal Security in mid-April 2026, ATHR is a voice phishing (vishing) platform that automates the entire telephone-oriented attack delivery chain.
For $4,000 and a 10% commission on stolen funds, a single operator can run a fully automated vishing operation. ATHR sends spoofed security alerts from brands like Google, Microsoft, and Coinbase. Each email contains a phone number instead of a malicious link. When the victim calls back, they’re connected to either a human scammer or an AI voice agent that follows a structured 10-step script: verify the callback, describe suspicious activity on the account, start a fake recovery process, and extract a six-digit verification code.
One operator. Dozens of simultaneous calls. No team of trained callers needed. The economics of voice phishing just changed completely.
CAPTCHA-Gated Phishing and Tycoon2FA
Another trend worth watching: CAPTCHA-gated phishing surged 125% in March, reaching 11.9 million attacks for that month alone. Attackers put a CAPTCHA between the victim and the credential harvesting page. Automated scanners and crawlers can’t get past it, but humans can. It’s a clever inversion, using a human verification check to block security tools rather than bots.
Microsoft and Europol disrupted Tycoon2FA infrastructure in early March, which produced a 15% drop in attacks using that platform. But the effect looks temporary. By late March, Tycoon2FA operators had shifted a large share of their domains to .RU TLD registrations, and they were moving away from Cloudflare hosting to alternative platforms. The disruption displaced the threat rather than removing it.
What Actually Works
So what should security teams and end users be doing right now?
For enterprises:
- Deploy phishing-resistant MFA. Hardware security keys and platform authenticators (FIDO2) are the gold standard. SMS and app-based OTPs are vulnerable to AiTM interception, which is exactly what kits like Bluekit are designed to exploit.
- Enable Zero-hour Auto Purge (ZAP) in Defender for Office 365. It retroactively removes malicious messages that were delivered before threat intelligence caught up.
- Treat QR codes as a distinct threat vector. If your email security gateway can’t parse QR codes embedded in PDF attachments, you have a detection gap. Talk to your vendor about image-based inspection capabilities.
- Run QR-specific phishing simulations. Most awareness programs still focus on link-based phishing. Your people need to practice spotting malicious QR codes in the context they’ll actually encounter them: PDF attachments, physical printouts, Teams messages.
- Tighten conditional access policies for mobile devices. If a device can’t meet your compliance posture, it shouldn’t be able to complete an authentication flow triggered by scanning a QR code.
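The detection gaps described above (a "scan to verify" prompt riding on a PDF attachment, a QR image embedded straight into the HTML body with nothing to reputation-check, and the ATHR-style callback number in place of a link) can be caught structurally before anyone tries to decode a QR image. The following triage heuristic is an added example written for this article, not code from Microsoft, Varonis or Abnormal; the sample messages are constructed, and the regexes and flag names are my own assumptions rather than any vendor's rules.

```python
import re
from email.message import EmailMessage

PHONE_RE = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
URL_RE = re.compile(r"https?://", re.I)
HREF_RE = re.compile(r"href=[\"']https?://", re.I)
IMG_RE = re.compile(r"<img[^>]+src=[\"'](?:data:|cid:)", re.I)
SCAN_RE = re.compile(r"\b(?:scan|qr code|verify your account)\b", re.I)
ALERT_RE = re.compile(r"\b(?:suspicious activity|security alert|unauthori[sz]ed)\b", re.I)

def triage(msg: EmailMessage) -> list[str]:
    """Return heuristic reasons a message needs a closer look (empty list = no flag)."""
    has_pdf, html, texts = False, "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pdf" and part.get_content_disposition() == "attachment":
            has_pdf = True  # a QR code inside a PDF is invisible to URL reputation checks
        elif ctype == "text/plain":
            texts.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            texts.append(re.sub(r"<[^>]+>", " ", html))  # keep only the visible text
    body = " ".join(texts)
    has_link = bool(URL_RE.search(body) or HREF_RE.search(html))
    reasons = []
    if has_pdf and SCAN_RE.search(body):  # "scan to verify" prompt riding on a PDF
        reasons.append("pdf-attachment-with-scan-prompt")
    if IMG_RE.search(html) and not has_link:  # embedded image lure, nothing to reputation-check
        reasons.append("inline-image-without-links")
    if PHONE_RE.search(body) and ALERT_RE.search(body) and not has_link:  # callback lure
        reasons.append("callback-number-lure")
    return reasons

def build(subject: str, body: str, *, html: bool = False, pdf: bool = False) -> EmailMessage:
    """Constructed sample messages for the cases above (not real captured mail)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body, subtype="html" if html else "plain")
    if pdf:  # placeholder bytes stand in for a real PDF carrying a QR image
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="document.pdf")
    return m

SAMPLES = {
    "qr_pdf": build("Document ready for signature", "Scan the QR code in the attached PDF to sign.", pdf=True),
    "inline_qr": build("Action required", '<p>Scan to continue</p><img src="data:image/png;base64,AAAA">', html=True),
    "callback": build("Security alert", "We detected suspicious activity. Call 555-010-0199 to secure your account."),
    "benign": build("Weekly report", "This week's report: https://intranet.example/reports/week-18"),
}
```

Run `triage(SAMPLES["qr_pdf"])` and the other samples to see which flags each one raises; the benign message raises none. These flags are a triage signal for routing to image-based inspection or analyst review, not a verdict on their own.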
For individual users:
- Never scan a QR code from an unexpected email or message. If a legitimate service needs you to take action, go to their website directly.
- Check the URL preview before tapping. Both iOS and Android show the destination URL after scanning. If the domain looks wrong, don’t proceed.
- Watch for physical QR code tampering. Stickers placed over legitimate QR codes on parking meters, restaurant menus, and event signage are a real attack vector.
- Verify unusual requests through a separate channel. If you get a call from “Google Support” or “Microsoft Security,” hang up and contact the service directly through their official website.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
According to Hoxhunt's research, AI-generated phishing campaigns were already 24% more effective than those built by experienced human red teams by March 2025. Additionally, generative AI can produce a convincing phishing email in about five minutes, compared to roughly sixteen hours for a skilled human operator—a 192x speed improvement that allows attackers to scale their operations dramatically.
QR code phishing bypasses email security gateways because gateways reputation-check and sandbox clickable URLs but generally do not decode QR codes inside PDF attachments. When users scan a QR code on their personal phones, which typically lack corporate MDM, conditional access policies, and endpoint protection, the credential harvesting pages load without any corporate security controls. By March 2026, 70% of QR phishing arrived as PDF attachments, exploiting this detection gap.
Traditional phishing relied on volume with obvious tells like broken grammar, misspellings, and generic greetings. Modern AI-generated phishing reads like it comes from colleagues, references real projects and names, and scrapes LinkedIn and corporate websites to tailor messages at scale. Additionally, delivery methods have shifted from attachment-based to link-based attacks (78% in Q1 2026), with credential phishing dominating payloads at 94% by March.
Bluekit is a phishing-as-a-service kit that bundles domain registration, phishing page creation, campaign management, and real-time victim monitoring into a single dashboard. It includes over 40 templates mimicking services like Gmail and Outlook, handles Adversary-in-the-Middle techniques to bypass MFA, and features a built-in AI Assistant panel that can generate phishing campaign skeletons, eliminating the need for operators to purchase multiple tools from different vendors.
ATHR is a voice phishing platform that automates the entire telephone-oriented attack delivery chain for just $4,000 plus a 10% commission on stolen funds. It sends spoofed security alerts with phone numbers instead of links, and when victims call back, they're connected to either a human scammer or an AI voice agent that follows a structured 10-step script to extract verification codes, allowing a single operator to run dozens of simultaneous calls without needing a team.