Microsoft is sounding a high-level alarm in its latest security bulletin regarding a new wave of email scams where the bait is no longer just the typical suspicious link. Now, as revealed by Microsoft, attackers are using QR codes within PDF files, fake login pages, and fraudulent captchas as a new method to steal passwords.
According to Microsoft Threat Intelligence, approximately 8.3 billion threats of this type were detected via email between January and March 2026 alone, and the figure appears to be steadily rising, indicating that these phishing problems are spreading rapidly.
Microsoft Warns of Large-Scale Scams Using QR Codes in PDFs and Other Methods
The key is that these scams aim to appear legitimate. An email containing an invoice, a pending document, a payment notification, or a business notice might include an apparently harmless PDF. Inside, there’s a QR code that encourages the victim to scan it with their mobile phone. This action takes the victim out of the protected environment of their company computer and leads them to a fake page designed to steal their credentials.
The significant data point is the growth of these practices. Microsoft indicates that attacks and scams involving QR codes surged from 7.6 million in January to 18.7 million in March. This represents a 146% increase during the first quarter of 2026. Furthermore, March marked the highest monthly volume of these types of attacks in at least a year.
According to Microsoft itself, PDFs were the preferred format for hiding these QR codes. The report reveals that in January, PDFs accounted for 65% of QR code attacks, and by March, this figure rose to 70%. DOC and DOCX documents also appeared in these campaigns, although their share decreased from 31% to 24%. Microsoft also detected a more direct method: QR codes embedded directly in the body of the email, without an attachment. This method grew by 336% in March, although it still represented only 5% of the total. However, it is gaining significant traction very quickly, suggesting it is effective.
Even Captchas Aren’t Safe; Extreme Caution is Needed for All These Tactics
The other component of this wave involves fake captchas. Microsoft explains that attackers use them to create an appearance of legitimate verification, force user interaction, and complicate automated analysis by security tools. In March, captcha scams grew by 125% and reached 11.9 million attacks, the highest level observed in the past year.
The primary objective remains, evidently, stealing accounts. Microsoft indicates that credential theft represented 89% of attacks with malicious payloads in January, 95% in February, and 94% in March. Traditional malware lagged far behind, with only 5% or 6% by the end of the quarter.
Tycoon2FA also appears, a phishing-as-a-service platform active since August 2023. Microsoft links it to the Storm-1747 group and explains that it sold kits capable of mimicking business login pages and using techniques to bypass non-phishing-resistant two-factor authentication systems. Therefore, even 2FA is currently under threat.
Microsoft, Europol, and industry partners took action against Tycoon2FA in March. Following that operation, the associated volume dropped by 15% for the remainder of the month, although the activity did not cease.
Nevertheless, attackers adapted by moving domains, changing providers, and seeking new ways to keep their campaigns active. Fake emails continue to be the perennial problem for companies like Microsoft, Google, or Apple, but they now come disguised as PDFs, QR codes, and security checks. Be extremely cautious about what you open or scan; prevention is better than cure.
