Delivery Technique
Microsoft's first-quarter email threat review describes a landscape led by link-based phishing, with QR code delivery growing quickly and CAPTCHA-gated flows continuing to evolve. That mix pushes defenders beyond attachment scanning and into destination analysis.
Defensive Gaps
QR lures and CAPTCHA pages create visibility gaps because the dangerous action may happen after the email gateway has finished inspection. Mobile devices, personal browsers, and authentication prompts can sit outside the telemetry defenders rely on during triage.
Control Design
Security teams should split detections by user journey. Link rewriting and detonation help with direct URLs. QR campaigns need image-aware inspection and user-report workflows that preserve screenshots. CAPTCHA-gated flows need browser, proxy, and identity context after the click.
Rollout Risks
Awareness teams should avoid reducing the quarter's lesson to "watch for QR codes." Attackers can switch delivery shapes quickly. The durable habit is verifying the destination, reporting suspicious authentication prompts, and slowing down payment or approval pressure.
Recommended Controls
For BEC, tune controls around business process rather than message content alone: approval thresholds, vendor change verification, mailbox rule monitoring, and anomaly detection for reply-chain or payment-language patterns. For credential theft, prioritize phishing-resistant authentication and session risk signals.