Microsoft tracked 8.3 billion email-based phishing threats in Q1 2026 as CAPTCHA-gated attacks more than doubled in March, hitting 11.9 million.
Cybercriminals are sharpening their credential theft operations by layering fake CAPTCHA pages with ClickFix manipulation techniques, driving phishing volumes to staggering new heights. Microsoft Threat Intelligence tracked approximately 8.3 billion email-based threats between January and March 2026, with credential phishing remaining the primary objective throughout the quarter. CAPTCHA-gated phishing alone more than doubled in March, reaching 11.9 million attacks, the highest volume seen in over a year.
Threat actors are rapidly rotating delivery formats to stay ahead of email filters, switching from HTML to SVG attachments, then PDFs, then Word documents within weeks. By the end of the quarter, PDF attachments had emerged as the dominant carrier for CAPTCHA-gated phishing, growing by 356% in March. In the ClickFix variant, a fake CAPTCHA prompt tricks users into copying and executing a malicious command on their own device. This bypasses traditional malware delivery entirely, since the victim unknowingly runs the attacker's code themselves.
The Tycoon2FA phishing-as-a-service platform (Storm-1747) hosted over three-quarters of all CAPTCHA-gated phishing sites at the end of 2025, though that share dropped to 41% by March 2026 as more threat actors adopted the same techniques. A notable three-day campaign between February 23-25 delivered over 1.2 million phishing messages to more than 53,000 organizations across 23 countries, using SVG attachments disguised as invoices, payment alerts, and voice message notifications.
This rapid evolution signals that attackers are running near real-time experiments against email security systems, and the combination of social engineering with automation-resistant CAPTCHA pages poses a growing challenge for defenders. Organizations should reinforce user awareness training around ClickFix-style attacks and ensure email security gateways are configured to inspect increasingly diverse attachment formats.
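One way a mail pipeline could act on that advice, as an added example that is not code from Microsoft or the source article: classify each attachment by its leading bytes rather than its filename, so the HTML, SVG, PDF and Word carriers named above are recognised however they are labelled. The function names, the active-content markers and the sample message are assumptions constructed for this illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Format each extension claims to be; covers the four carriers the article names.
EXT_KIND = {".html": "html", ".htm": "html", ".svg": "svg",
            ".pdf": "pdf", ".docx": "container", ".doc": "container"}
# Assumed markers of active content in markup files (not taken from the article).
ACTIVE = (b"<script", b"<foreignobject", b"javascript:", b"onload=")

def sniff(data: bytes) -> str:
    """Classify by leading bytes, ignoring filename and declared MIME type."""
    head = data[:2048].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if head.startswith(b"%pdf-"):
        return "pdf"
    if head.startswith((b"pk\x03\x04", b"\xd0\xcf\x11\xe0")):
        return "container"  # ZIP (OOXML) or OLE; Word files use both
    if b"<svg" in head:
        return "svg"
    if b"<html" in head or b"<!doctype html" in head:
        return "html"
    return "other"

def triage(raw: bytes) -> list[dict]:
    """Return one finding per attachment in a raw RFC 5322 message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        kind = sniff(data)
        findings.append({
            "name": name, "sniffed": kind,
            "carrier": kind != "other",
            # The name claims a known format that the content contradicts.
            "mismatch": ext in EXT_KIND and EXT_KIND[ext] != kind,
            "active": kind in ("svg", "html")
                      and any(m in data.lower() for m in ACTIVE),
        })
    return findings

def sample_message() -> bytes:
    """Constructed sample: an SVG 'invoice', the same SVG named .pdf, a real PDF header."""
    svg = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
           b"<script>/* placeholder */</script></svg>")
    msg = EmailMessage()
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="invoice.svg")
    msg.add_attachment(svg, maintype="application", subtype="pdf", filename="payment_alert.pdf")
    msg.add_attachment(b"%PDF-1.7\n", maintype="application", subtype="pdf", filename="voicemail.pdf")
    return msg.as_bytes()
```

A finding with `mismatch` or `active` set is a candidate for quarantine or sandbox detonation; the container branch does not open the archive, so it only identifies the wrapper.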
Source: Cyber Security News — Attackers Abuse CAPTCHA and ClickFix Tactics to Boost Credential Theft

