What Microsoft’s latest email threat data says about QR codes, fake CAPTCHAs, and Microsoft 365 risk
Cincinnati businesses have spent years training employees not to click suspicious links.
That advice still matters. But it no longer covers the full problem.
Microsoft’s latest email threat data shows attackers are shifting the risky part of phishing somewhere else: QR codes, fake CAPTCHA pages, PDFs, and Microsoft 365 login screens. In the first quarter of 2026, Microsoft detected approximately 8.3 billion email-based phishing threats, with 78% of email threats classified as link-based. Microsoft also reported that QR code phishing was the fastest-growing attack vector during the quarter.
That creates a real blind spot for businesses.
Your team may know not to click a suspicious link. But do they know what to do when an email asks them to scan a QR code with their phone? Or complete a CAPTCHA before opening a document? Or sign in to what looks like a normal Microsoft 365 page?
That is where phishing is getting harder to catch.
Phishing Has Moved Beyond the Obvious Bad Email
For years, phishing training focused on things people could spot inside the email itself.
- Bad grammar.
- Strange sender names.
- Suspicious links.
- Unexpected attachments.
- Urgent requests.
Those warning signs still matter. But modern phishing often looks more polished, more familiar, and more connected to everyday business workflows.
An employee may receive what appears to be a normal invoice, payment notice, secure message, document request, voicemail alert, or benefits update. The email may not contain an obvious malicious link. Instead, it may include a PDF with a QR code. Or it may send the employee to a fake verification page that looks like a routine security check.
The email is just the starting point. The real risk happens after the employee leaves the inbox.
That matters because many Cincinnati and Northern Kentucky businesses rely on the same few systems to run the business: Microsoft 365, email, shared documents, vendor portals, accounting systems, payroll tools, and cloud-based line-of-business applications.
If attackers can get into those systems with a real employee’s credentials, the attack can start to look like normal business activity.
QR Codes Are Becoming a Bigger Phishing Problem
QR codes are everywhere now. They show up in:
- Restaurants
- Events
- Invoices
- Delivery notices
- Internal teams
- Marketing teams
That familiarity is part of the problem.
Microsoft reported that QR code phishing increased from 7.6 million attacks in January 2026 to 18.7 million in March 2026, a 146% increase over the quarter. Microsoft also noted that attackers use QR codes to redirect people to phishing sites on unmanaged mobile devices, where company protections may be weaker.
That last part is the business risk.
If an employee scans a QR code on their phone, the attack may bypass the company’s normal layers of protection. The email may have been received on a work computer, but the login attempt may happen on a personal mobile device.
That creates a gap between what the company can see and what the employee is actually doing.
For a business leader, the question is not, “Should we ban QR codes?”
The better question is:
Do our employees know that a QR code can be a phishing link?
Because many people still treat QR codes as harmless shortcuts. Attackers are counting on that.
A Fake CAPTCHA Makes Phishing Feel Safer Than It Is
CAPTCHAs are supposed to make people feel like a website is performing a security check.
Attackers are using that expectation against people.
Microsoft reported that CAPTCHA-gated phishing volumes more than doubled in March 2026, reaching 11.9 million attacks, the highest volume Microsoft had observed over the previous year. Microsoft explained that threat actors use CAPTCHA pages as visual decoys to delay detection, increase user interaction, and make malicious pages appear more legitimate.
That is a subtle but important shift.
To an employee moving quickly, a CAPTCHA can make a page feel more trustworthy. It looks like a normal step before opening a document, reviewing an invoice, listening to a voicemail, or signing into Microsoft 365.
But in some attacks, the CAPTCHA is not protecting the employee; rather, it is helping the attacker.
That means “look for anything suspicious” is becoming harder advice to follow. Some of the suspicious parts are designed to look like normal security steps.
The Real Target Is Often Microsoft 365
For many small and mid-sized businesses, Microsoft 365 is where work happens.
- Calendars
- Files
- Teams
- SharePoint
- Vendor conversations
- Client communication
- Internal approvals
- Invoice questions
- Password resets
That’s what makes Microsoft 365 access so valuable to an attacker.
Microsoft’s report noted that credential phishing remained the dominant objective behind malicious payloads throughout Q1 2026. It also described adversary-in-the-middle phishing platforms that attempt to defeat non-phishing-resistant multifactor authentication defenses.
That does not mean MFA is useless. MFA is still important and should be used.
But it does mean businesses need to understand that MFA alone is not a complete strategy. Some phishing attacks are designed to capture credentials, sessions, or approval behavior in ways that can still put accounts at risk.
And once an attacker gains access to a real account, the problem changes. It is no longer just a bad email.
It may become:
- A real employee account sending messages
- A hidden forwarding rule
- A vendor conversation being monitored
- A payment request that looks familiar
- A file-sharing link from a trusted user
- An internal approval that feels routine
- A customer or vendor receiving emails from a legitimate mailbox
That is why Microsoft 365 security is not just an IT configuration issue. It is a business risk issue.
Business Email Compromise Starts Quietly
One of the most dangerous parts of phishing is that the first message may not look dangerous at all.
Microsoft reported approximately 10.7 million business email compromise attacks in Q1 2026. The report also found that many initial BEC messages were low-effort, generic outreach messages. Microsoft noted that generic messages, such as “Are you at your desk?”, accounted for 82% to 84% of initial contact emails each month during the quarter.
That should get every business leader’s attention.
The first email may not ask for money or include an invoice, wire instructions, or an attachment.
It may simply test whether someone will respond. The financial request comes later.
That is why businesses cannot rely solely on employees to spot obvious scams. The better defense is a process that makes fraud harder to complete.
For example:
- Payment changes should require verification outside the email thread
- Vendor banking changes should not be approved based on a reply email alone
- Gift card requests should be treated as suspicious by default
- Payroll updates should require a documented process
- Urgent executive requests should still follow normal approval steps
Attackers do not need your team to be careless. They need your team to be busy, helpful, and willing to move quickly.
That describes most businesses.
Why This Matters Locally
This is not just a national enterprise cybersecurity issue.
Cincinnati and Northern Kentucky businesses use the same cloud platforms, email systems, vendor portals, payroll tools, and mobile devices as everyone else. A local manufacturer, dental office, property management company, CPA firm, or professional services business may not look like a major target, but attackers do not always choose targets manually.
Many phishing attacks are built to scale.
They go after common platforms, common workflows, and common human behaviors.
A recent local example shows how quickly national platform risk can become a Tri-State concern. In May 2026, Canvas was affected by a cyberattack involving data from schools nationwide. The report noted that Tri-State school districts use the software, and Northern Kentucky University said it was monitoring the situation with Canvas. The report confirmed stolen data included names, student ID numbers, email addresses, course enrollments, and private messages between students and faculty.
That incident is not the same as a Microsoft 365 phishing attack.
But it points to the same bigger issue: local organizations are connected to national platforms, vendors, and cloud systems. When those systems are attacked, the risk does not remain elsewhere.
It can show up in your inbox as a:
- Fake notification
- Password reset
- Vendor update
- Billing question
- Support message
- Document request
After a breach or platform incident, people are more likely to believe related messages because the event itself is real. That is exactly when businesses need employees to slow down and verify.
The Old Phishing Playbook Has Gaps
A lot of phishing training still teaches people to look for obvious red flags — which is useful, but incomplete.
The modern phishing playbook is more slippery. It may use familiar tools, brands, login pages, document formats, and workflows.
The old playbook says: “Don’t click suspicious links.”
→ The updated playbook needs to say: “Be careful when an email pushes you into another action.”
That action may be:
- Scanning a QR code
- Opening a PDF
- Completing a CAPTCHA
- Signing into Microsoft 365
- Approving a payment
- Changing vendor banking information
- Sharing a file
- Resetting a password
- Replying to a vague executive message
- Moving a conversation from email to text
This does not mean every QR code, CAPTCHA, or Microsoft login is dangerous.
It means employees need more context for how phishing actually works now.
What Cincinnati Businesses Should Do Next
The answer is not to scare employees or make every process painful.
The answer is to close the gap between how your business works and how attackers are trying to exploit that work.
1. Review Microsoft 365 Security Settings
Microsoft 365 can be secure, but it is not automatically secure just because it is Microsoft.
Configuration matters.
Businesses should review whether protections such as Safe Links, Safe Attachments, phishing simulations, post-delivery email removal, and risky sign-in monitoring are properly configured. Microsoft’s report specifically recommends reviewing Exchange Online Protection and Microsoft Defender for Office 365 settings, enabling Safe Links and Safe Attachments, using phishing simulations, and investigating malicious email that may have reached inboxes.
At a minimum, ask:
- Are risky sign-ins being reviewed?
- Are suspicious mailbox rules monitored?
- Are forwarding rules checked?
- Are malicious links rewritten or blocked?
- Are suspicious attachments scanned?
- Can phishing emails be removed after delivery?
- Are compromised accounts investigated quickly?
If nobody owns those questions, that is a problem.
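The checks above can be answered directly from the tenant rather than from memory. The following PowerShell script is an added example written for this page; it is not the article’s own code or a Microsoft-supplied tool. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a read-only role such as Global Reader or Security Reader. It only reads policy settings and prints gaps; it changes nothing. Risky sign-in review lives in Microsoft Entra ID and is not covered by this script.

```powershell
# Added example, not from the article or from Microsoft. Read-only review of the
# Defender for Office 365 and Exchange Online Protection settings the article lists.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# has a read-only role (Global Reader or Security Reader). Nothing here changes config.

Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# --- Safe Links: are links in email rewritten/blocked, and is click-through off?
$safeLinksRules = @(Get-SafeLinksRule)
if ($safeLinksRules.Count -eq 0) {
    $findings.Add('No Safe Links rule exists, so no mailbox is covered by Safe Links.')
}
foreach ($rule in $safeLinksRules) {
    $policy = Get-SafeLinksPolicy -Identity $rule.SafeLinksPolicy
    $label  = "Safe Links policy '$($policy.Name)'"
    if ($rule.State -ne 'Enabled')            { $findings.Add("$label has a disabled rule; it applies to nobody.") }
    if (-not $policy.EnableSafeLinksForEmail) { $findings.Add("$label does not scan links in email.") }
    if ($policy.AllowClickThrough)            { $findings.Add("$label lets users click through to a blocked URL.") }
    if (-not $policy.TrackClicks)             { $findings.Add("$label is not recording who clicked; incident response loses that trail.") }
}

# --- Safe Attachments: is detonation on, and does the action actually block?
$safeAttachRules = @(Get-SafeAttachmentRule)
if ($safeAttachRules.Count -eq 0) {
    $findings.Add('No Safe Attachments rule exists, so attachments are not detonated.')
}
foreach ($rule in $safeAttachRules) {
    $policy = Get-SafeAttachmentPolicy -Identity $rule.SafeAttachmentPolicy
    $label  = "Safe Attachments policy '$($policy.Name)'"
    if ($rule.State -ne 'Enabled') { $findings.Add("$label has a disabled rule; it applies to nobody.") }
    if (-not $policy.Enable)       { $findings.Add("$label is turned off.") }
    if ($policy.Action -notin @('Block', 'DynamicDelivery')) {
        $findings.Add("$label uses action '$($policy.Action)', which does not keep detonated malware out of the inbox.")
    }
}

# --- Post-delivery removal: zero-hour auto purge (ZAP) for phish on each spam filter policy
foreach ($policy in Get-HostedContentFilterPolicy) {
    if (-not ($policy.ZapEnabled -and $policy.PhishZapEnabled)) {
        $findings.Add("Spam filter policy '$($policy.Name)' cannot remove phishing mail after delivery (ZAP off).")
    }
}

# --- Anti-phishing: mailbox and spoof intelligence on every anti-phish policy
foreach ($policy in Get-AntiPhishPolicy) {
    if (-not $policy.EnableMailboxIntelligence) { $findings.Add("Anti-phish policy '$($policy.Name)' has mailbox intelligence off.") }
    if (-not $policy.EnableSpoofIntelligence)   { $findings.Add("Anti-phish policy '$($policy.Name)' has spoof intelligence off.") }
}

if ($findings.Count -eq 0) { 'No gaps found in the checks above.' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a workstation with the module installed and keep the output with the date; the list of gaps, or the absence of one, is the evidence that someone owns these questions.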
2. Update Employee Training Around QR Codes and CAPTCHAs
Employees should know that phishing does not always look like a bad link anymore.
Training should include examples of:
- QR code phishing
- Fake CAPTCHA pages
- Fake Microsoft 365 login screens
- PDF-based phishing
- Business email compromise messages
- Vendor payment change scams
- MFA fatigue or suspicious login approvals
The goal is not to turn employees into cybersecurity experts. It is to make them pause before taking the next action.
A short pause can prevent a much bigger mess.
3. Make Reporting Easy
Many employees hesitate to report suspicious activity because they are embarrassed or unsure if it matters.
That hesitation helps attackers.
Employees should know exactly what to do if they:
- Clicked a suspicious link
- Scanned a questionable QR code
- Entered their Microsoft 365 password somewhere unusual
- Approved an unexpected MFA prompt
- Opened a suspicious attachment
- Replied to a strange request
- Received a vendor payment change email
Make the process simple. Make it judgment-free. Make it fast.
The sooner IT knows, the better the business’s chance of containing the issue.
4. Strengthen Financial Approval Processes
Business email compromise works because it blends into normal business communication.
That means your process matters as much as your spam filter.
Payment changes, wire transfers, payroll changes, vendor banking updates, gift card requests, and requests for sensitive documents should require verification outside the original email thread.
Not a reply. Not a forwarded message. Not “the email looked legitimate.”
- Use a known phone number.
- Use a separate approval workflow.
- Use a documented process.
If the request involves money or sensitive data, convenience should not be the only control.
5. Monitor for Account Takeover Behavior
The original phishing email is not always the biggest clue.
If an attacker gains access to a real account, signs may appear in the mailbox or in the Microsoft 365 environment.
Watch for:
- New inbox rules
- Suspicious forwarding
- Unusual login locations
- Impossible travel alerts
- Deleted sent items
- Unexpected OAuth app permissions
- Password reset activity
- Messages sent outside normal working hours
- Customer or vendor complaints about strange emails
- Employees receiving replies to emails they do not remember sending
This is where businesses often discover the problem too late. The attacker was not breaking down the door.
They were already inside the account.
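Several items on that watch list (new inbox rules, suspicious forwarding, deleted or hidden mail, recent rule changes) can be pulled from the mailbox side in one pass. The script below is an added example written for this page, not the article’s own code or a Microsoft-supplied tool. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account has a read-only Exchange role plus View-Only Audit Logs, and that unified audit logging is turned on in the tenant. It reports and removes nothing. Unusual login locations, impossible travel, and OAuth app consents are Microsoft Entra ID signals and are outside this script.

```powershell
# Added example, not from the article or from Microsoft. Hunts for the mailbox-side
# signs of account takeover listed above with Exchange Online PowerShell. Assumes the
# ExchangeOnlineManagement module is installed, a read-only Exchange role plus
# View-Only Audit Logs, and unified audit logging enabled. Read-only; it only reports.

Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = (Get-AcceptedDomain).DomainName
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Mailbox, [string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Detail = $Detail })
}

# Rule recipients come back as "Display Name" [SMTP:user@domain]; compare the domain.
function Test-IsExternal([string]$Recipient) {
    if ($Recipient -match 'SMTP:([^\]\s]+)') { $Recipient = $Matches[1] }
    $domain = ($Recipient -split '@')[-1]
    return -not ($internalDomains -contains $domain)
}

# 1. Forwarding set on the mailbox itself (survives even if every inbox rule is deleted)
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
               -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
foreach ($mbx in $mailboxes) {
    $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
    if ($target) {
        Add-Finding $mbx.UserPrincipalName 'MailboxForwarding' "to $target (copy kept: $($mbx.DeliverToMailboxAndForward))"
    }
}

# 2. Inbox rules that forward, redirect, delete, or bury mail. One call per mailbox,
#    so this is fine for a small tenant but slow for thousands of users.
foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
        $external = @($targets | Where-Object { Test-IsExternal $_ })
        $reasons  = @()
        if ($external.Count -gt 0) { $reasons += "sends mail outside the tenant to $($external -join ', ')" }
        if ($rule.DeleteMessage)   { $reasons += 'deletes matching mail' }
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk') {
            $reasons += "hides mail in $($rule.MoveToFolder)"
        }
        if ($reasons.Count -gt 0) {
            Add-Finding $mbx.UserPrincipalName 'InboxRule' ("'$($rule.Name)' (enabled: $($rule.Enabled)) " + ($reasons -join '; '))
        }
    }
}

# 3. Who created or changed rules or forwarding in the last 7 days, and from which IP
$ops    = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
            -Operations $ops -ResultSize 5000
foreach ($evt in $events) {
    $data = $evt.AuditData | ConvertFrom-Json
    # Set-Mailbox is noisy; keep only calls that touched a forwarding parameter
    if ($evt.Operations -eq 'Set-Mailbox' -and -not ($data.Parameters.Name -match '^Forwarding')) { continue }
    $ip = if ($data.ClientIP) { $data.ClientIP } else { $data.ClientIPAddress }
    Add-Finding $evt.UserIds "Audit:$($evt.Operations)" "$($evt.CreationDate) from $ip"
}

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

A rule that forwards to an outside address, deletes mail, or files it under RSS Feeds or Conversation History is the classic mailbox footprint of a compromised account; the audit log section tells you when it appeared and from where, which is the starting point for the investigation step the article describes.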
6. Include Vendors and Cloud Platforms in the Conversation
Your business probably depends on more third-party systems than you realize.
- Payroll
- Accounting
- Cloud storage
- Industry software
- Document signing
- Payment processing
- HR platforms
- Vendor portals
- Insurance platforms
- Remote access tools
→ If one of those platforms is breached, impersonated, or used as bait in a phishing campaign, would your team know how to respond?
That question belongs in your cybersecurity planning.
Not because every vendor incident becomes your incident.
But because attackers often use real events to make fake messages more believable.
Questions to Ask Your IT Provider
You do not need to become a cybersecurity analyst to lead your business well.
But you should be able to ask better questions.
Start here:
- Are QR-code phishing attempts being detected or filtered?
- Are fake CAPTCHA phishing examples included in our employee training?
- Are Safe Links and Safe Attachments configured in Microsoft 365?
- Are risky Microsoft 365 sign-ins reviewed?
- Are suspicious mailbox rules and forwarding settings monitored?
- Do we have a process for suspected account takeover?
- What should an employee do if they scan a suspicious QR code?
- How quickly can we remove a phishing email after it reaches inboxes?
- Do payment changes require verification outside of email?
- Are vendor and cloud platform risks part of our security planning?
If the answer to most of those questions is “I’m not sure,” that is the blind spot.
Final Thought for Executive Leaders
Phishing did not stop being an email problem. Instead, it expanded into a business workflow problem.
The email may still be the starting point. But from there, the real risk can move somewhere else: to a phone, inside a PDF, behind a fake CAPTCHA, on a Microsoft 365 login page, or into a vendor conversation that looks completely normal.
So for Cincinnati and Northern Kentucky businesses, the takeaway is not panic but visibility.
Because if attackers are trying to log in instead of breaking in, your business needs to understand what normal access looks like — and just as importantly, what it looks like when normal is being used against you.
Related Resources:
- Email Threat Landscape: Q1 2026 Trends and Insights
- 2026 Data Breach Investigations Report
- Hackers Aren’t Breaking In Anymore—They’re Logging In
- Cyberattacks in Cincinnati — and the Security Gaps They Exposed
- How Cincinnati SMBs Can Use AI Safely—and Actually See ROI
- RAM Price Surge and What It Means for Cincinnati IT Budgets
- Penetration Testing Services for Compliance, Regulation, and Cyber Insurance