Phishing attacks are increasingly abusing trusted services to evade security filters, according to VIPRE’s Email Threat Trends Report for Q1 2026. The two primary methods of delivery were compromised accounts at 33% and free email services 32%. Additionally, just under 90% of attacks abused open redirects to mask phishing links.
“The trust lever was pulled in nearly all link-based phishing cases: abused URLs accounted for over 89% of phishing URLs,” VIPRE says. “Attackers favor ‘open redirects’ that begin with the legitimate domain and then end with a parameter routing to a malicious site.”
Additionally, threat actors are increasingly abusing CAPTCHA services to block security scanners from accessing phishing sites.
“Many attackers are using Cloudflare to hide their phishing URLs,” the researchers note. “The platform's bot protection features (CAPTCHA) block security scanners from reaching the malicious destination landing page. This results not only in more phishing emails reaching users, but also in more phishing emails of higher, more trusted quality.”
The researchers also observed a surge in callback phishing attacks, where victims are tricked into calling the scammer in order to solve a fabricated problem.
“In Q1, Microsoft accounted for 41% of all spoofed brands in callback campaigns, followed by PayPal (17%) and Geek Squad (15%),” the researchers write. “Runners-up were McAfee, Amazon, Norton, and eBay. To allay suspicion, these were increasingly sent from authenticated Microsoft infrastructure, all passing SPF, DKIM, and DMARC checks. With these phishing messages passing technical muster, the only options are for users to get more savvy, underscoring the necessity of security awareness training, and for security teams to up their game.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce human risk.
VIPRE has the story: VIPRE’s Email Threat Trends Report: Q1 2026
