IT Brief Ireland - Technology news for CIOs & IT decision-makers
Ireland
Flux result 2642a026 4970 4daf 9007 a4589ea64d06
#
Cloud Security
#
Phishing
#
Email Security

VIPRE report says attackers shift to trusted services

Thu, 23rd Apr 2026 (Today)
Author image
By Shannon Williams, News Editor

VIPRE has published its Q1 2026 Email Threat Trends Report, based on analysis of 1.8 billion emails processed during the quarter.

The findings point to a continued shift toward widely used online services and recognised internet infrastructure as attackers look for ways around security filters. The report also suggests that, as detection tools improve, established platforms are increasingly replacing newly registered domains.

Spam Patterns

Commercial spam accounted for 46% of all spam in the quarter. These messages were most commonly sent through compromised accounts, which made up 33% of delivery sources, and free email services, which accounted for 32%.

Almost two-thirds of spam originated from infrastructure based in the United States, followed by Ireland and the UK. The US was also the main target for commercial spam at 60%, ahead of the UK at 12% and Canada at 6%.

Phishing represented 25.87% of all spam. Embedded links appeared in 50.59% of phishing emails, while 26.69% included attachments, 19.17% used callback methods and 3.55% used QR code-based phishing.

Microsoft remained the most spoofed brand in phishing campaigns, while .com domains were the main source infrastructure for those attacks. More than 89% of phishing URLs relied on abused links, including open redirects that begin with a legitimate domain before sending users to a malicious destination.

Trusted Services

Newly registered domains declined in prominence during the quarter. VIPRE attributed the shift to more effective domain scanning by security tools, which appears to be pushing attackers toward reputable and familiar web addresses that attract less suspicion.

Cloudflare was identified as one of the services used to mask phishing links. Attackers were using the platform's CAPTCHA and bot-protection systems to stop automated scanners from reaching the final landing pages behind malicious messages.

Callback phishing also remained a notable technique. In those campaigns, Microsoft accounted for 41% of spoofed brands, followed by PayPal at 17% and Geek Squad at 15%.

Other brands used in callback campaigns included McAfee, Amazon, Norton and eBay. These messages were sent from authenticated Microsoft infrastructure and passed SPF, DKIM and DMARC checks.

Attachment Shift

PDF files made up 63% of malicious attachments in the quarter, keeping their position as the most common file format used in email-borne threats. Attackers are increasingly embedding QR codes in PDFs to avoid traditional scanning methods that focus on visible text or direct links.

Image attachments were also used to evade text-based detection, with JPG files accounting for 6% and PNG files 4%. EML files represented 13.15% of cases, suggesting attackers are also attaching whole email messages to imitate internal correspondence and slip past secure email gateways.

For malicious spam, link-based delivery dominated, with 84% of malspam emails using links rather than attachments.

One example highlighted in the report involved misuse of TestFlight, Apple's beta app testing platform. Attackers distributed malware through beta-channel applications and then sent users emails containing TestFlight links, relying on the service's reputation to improve inbox delivery.

BEC Trends

Business email compromise patterns also changed during the quarter. Impersonation of senior executives remained the leading tactic, but its share fell to 54% from 73% a year earlier.

English remained the dominant language in business email compromise attacks, accounting for 88% of messages. Swedish moved into second place ahead of Spanish, which VIPRE said points to growing criminal interest in Nordic markets.

The shift reflects how cyber criminals continue to adapt both their technical methods and their targeting. Rather than relying solely on broad campaigns, the report suggests they are aligning language and impersonation tactics more closely with the organisations and users they want to reach.

"Attackers are boldly using sophisticated techniques to evade detection alongside resorting to emotional triggers to manipulate and breach trust," said Usman Choudhary, General Manager, VIPRE Security Group. "Organisations must strengthen email defenses and rethink how trust is established across every channel to combat these threats. The landscape demands vigilance and a proactive approach to security. There is no room for complacency."

Related stories
MacPaw survey finds green concerns may drive file cleanups
Alteryx launches AI Insights Agent on Google Cloud
Thrive launches Abacode compliance services after deal
Thales launches Imperva for Google Cloud in controlled availability
Anthropic & OpenAI split on cyber AI release strategy

Top stories

Apricorn launches 32TB offline encrypted desktop drive
Temenos report says five trends will reshape banking
Datadog launches GPU Monitoring to curb AI cloud costs
NetApp deepens Google Cloud tie-up with Gemini rollout
Tredence launches agentic AI suite with Google Cloud