By Excello Mail Team

Phishing-as-a-Service Is Industrializing Email Attacks: Barracuda's 2026 Report and What DMARC Must Do Next

Barracuda's 2026 Email Threats Report scanned 3.1 billion emails and found one in three is malicious or spam. With 90% of large phishing campaigns now running on PhaaS kits, here is what the data means for your DMARC enforcement strategy.

A single-month scan of 3.1 billion emails. One in three messages flagged as malicious or unwanted spam. Nearly half of all malicious activity originating from phishing. These are the headline numbers from Barracuda’s 2026 Email Threats Report, published May 12, and they paint a threat landscape that has fundamentally changed over the past three years.

What is driving the surge is not just volume. It is industrialization. Phishing-as-a-Service (PhaaS) platforms now power 90% of high-volume phishing campaigns, supplying attackers with ready-made credential-harvesting kits, rotating domains, pre-built evasion logic, and even customer support. The barrier to launching a sophisticated, multi-step phishing operation has collapsed.

What PhaaS Changes About the Email Threat

Traditional phishing required time, technical skill, and infrastructure. An attacker had to register a lookalike domain, configure mail servers, write convincing copy, and somehow get past spam filters. PhaaS kits do most of that work on demand.

The result, according to Barracuda’s data, is a dramatic shift in attack composition. Attackers are moving away from file-based malware toward URLs, QR codes, and HTML: delivery mechanisms that are harder for legacy filters to catch and easier to refresh when one variant gets blocked. More than 10% of HTML attachments analyzed were malicious. And 70% of malicious PDFs now contain embedded QR codes that redirect victims to phishing pages outside the reach of standard link scanners.

Account takeover is the downstream consequence. 34% of organizations in the study experienced at least one account takeover incident every month. When a phished credential lands an attacker inside a corporate inbox, they do not need to spoof the domain anymore. They own it.

The Microsoft SPF Case Study: When Authentication Passes But Should Not

Barracuda’s report arrived alongside a vivid illustration of how trust-based attack surfaces work. In mid-May, researchers and journalists discovered that scammers were using an internal Microsoft email address, [email protected], to send phishing spam at scale.

The emails passed SPF and DMARC checks because of a subtle flaw in Microsoft’s own SPF configuration. The record includes spf.protection.outlook.com, which effectively authorizes any Outlook.com user to send mail that authenticates as microsoftonline.com. Scammers simply created new Microsoft accounts and used that access to send messages that looked, to every authentication system, like official Microsoft security alerts.

The lesson is sharp: DMARC enforcement is essential, but the SPF records it depends on must be audited with equal care. An overly permissive SPF record is not a configuration detail. It is an open door.

What DMARC Stops and Where the Gaps Still Live

DMARC at enforcement (p=quarantine or p=reject) remains the most effective single control for stopping domain spoofing. When an attacker tries to impersonate your domain without authorization, a strict DMARC policy means that email never reaches the inbox.

PhaaS kits know this. That is why they rely increasingly on lookalike domains, typosquats, and homograph variants that are visually close to your domain but technically distinct. DMARC does not protect against a domain you do not own. That is the gap PhaaS exploits.

The full picture of what organizations need:

  • DMARC at p=reject: The non-negotiable baseline. It stops direct spoofing of your domain.
  • SPF record hygiene: Audit every include: in your SPF chain. Overly broad includes can authorize senders you never intended.
  • DKIM alignment: DKIM signatures survive forwarding in ways SPF cannot. Proper DKIM alignment gives your DMARC policy a stable authentication anchor.
  • Lookalike domain monitoring: Flag newly registered domains that resemble yours before attackers weaponize them.
  • Engagement monitoring: With 34% of organizations seeing an account takeover every month, attackers are operating inside legitimate inboxes. Authentication cannot detect that. Behavioral signals can.

Three Steps to Tighten Up Now

Given what Barracuda’s data reveals, three actions are urgent for any organization with email-sending domains:

1. Move to enforcement. If your DMARC policy is still p=none, you are collecting data but providing zero protection. Start with p=quarantine and build toward p=reject as you identify and authorize every legitimate sender.

2. Audit your SPF. Run a full SPF flattening analysis. Look for overly permissive includes, especially shared infrastructure like protection.outlook.com, _spf.google.com, or third-party ESP records that authorize broad IP ranges. What you include in your SPF is what DMARC will treat as authorized.

3. Map every sending source. The most common reason organizations stall at p=none is undiscovered senders: marketing platforms, CRMs, transactional email services, and SaaS tools that send on behalf of your domain without proper alignment. A complete sender inventory, updated continuously, is the prerequisite for safe enforcement.
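The SPF audit in step 2 (and the SPF hygiene bullet above), as an added Python example that is not part of this post: it walks the include: chain of a record, flags shared-tenant includes such as spf.protection.outlook.com, ip4 ranges at /16 or wider, and a +all, and counts DNS-querying mechanisms against the RFC 7208 limit of 10. The DNS table is constructed to run offline (documentation IP ranges, not the real records of those names), and the /16 threshold is an assumption.

```python
import ipaddress
# Constructed DNS TXT table standing in for live lookups; contents are illustrative, not the real records.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-esp.net "
                   "include:spf.protection.outlook.com -all",
    "_spf.example-esp.net": "v=spf1 ip4:198.51.0.0/16 include:mail.example-esp.net ~all",
    "mail.example-esp.net": "v=spf1 ip4:192.0.2.10 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.0.0/16 ip4:192.0.2.0/24 -all",
    "loose.example": "v=spf1 a mx +all",
}
# Shared-tenant includes the post warns about: any customer of that platform authenticates through them.
SHARED_INCLUDES = {"spf.protection.outlook.com", "_spf.google.com"}
BROAD_PREFIX = 16   # assumption: flag ip4 networks at /16 or wider
LOOKUP_LIMIT = 10   # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation

def audit_spf(domain, resolve=FAKE_TXT.get, depth=0, seen=None):
    """Walk the include: chain; return findings, lookup count and the flattened ip4 networks."""
    seen = set() if seen is None else seen
    report = {"findings": [], "lookups": 0, "networks": []}
    if domain in seen:
        report["findings"].append(f"include loop at {domain}")
        return report
    seen.add(domain)
    record = resolve(domain)
    if not record or not record.startswith("v=spf1"):
        report["findings"].append(f"no SPF record for {domain}")
        return report
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            report["networks"].append(str(net))
            if net.prefixlen <= BROAD_PREFIX:
                report["findings"].append(f"broad range {net} via {domain}")
        elif mech.startswith("include:"):
            target = mech[8:]
            report["lookups"] += 1
            if target in SHARED_INCLUDES:
                report["findings"].append(f"shared-tenant include {target} via {domain}")
            sub = audit_spf(target, resolve, depth + 1, seen)
            for key in report:          # merge the sub-record's findings, lookups and networks
                report[key] += sub[key]
        elif mech in ("a", "mx", "ptr") or mech.startswith(("a:", "mx:", "exists:", "redirect=")):
            report["lookups"] += 1      # each of these costs a DNS query against the limit
        elif mech == "all" and qualifier == "+":
            report["findings"].append(f"+all authorizes every sender via {domain}")
    if depth == 0 and report["lookups"] > LOOKUP_LIMIT:
        report["findings"].append(f"{report['lookups']} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return report
```

Swapping `resolve` for a function that queries live TXT records turns this into a real audit of your own chain; every network it returns is one your DMARC policy will treat as authorized.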

The Scale of the Problem Demands a Systematic Response

One in three emails being malicious or spam is not a problem that individual vigilance solves. Security awareness training helps at the margin. SPF, DKIM, and DMARC enforced together, with continuous monitoring and a complete sender inventory, address the structural vulnerability that PhaaS now exploits at scale.

The industrialization of phishing means defenders need to match that scale with systematic controls. DMARC enforcement, properly maintained, is the infrastructure layer that makes the economics of email-based attacks unfavorable for attackers.
