Frontline security predictions 2026: The phishing techniques to prepare for
Anticipating AI-driven threats and how tactics will evolve in the year ahead
Takeaways
- Phishing kits are rapidly evolving, now capable of launching millions of attacks and continually increasing in sophistication and evasiveness.
- For 2026, it is predicted that next-generation phishing kits will use advanced tools to build detailed social profiles of targets, circumvent multifactor authentication, and employ AI for more targeted and personalized attacks.
- The PhaaS business model is likely to shift toward structured subscription tiers, ranging from basic kits to highly sophisticated AI-driven campaigns.
- By the end of 2026, over 90% of credential compromise attacks are expected to be enabled by phishing kits, accounting for more than 60% of all phishing incidents.
In 2025, the phishing landscape was powered by the combined forces of AI, evolving Phishing-as-a-Service (PhaaS) kits and increasingly sophisticated delivery and evasion techniques. In this article, Barracuda’s threat analysts look ahead to what the coming year might bring for this enduring and ever-advancing threat.
How phishing evolved in 2025
A year ago, the team predicted that PhaaS kits would account for half of all credential theft attacks by the end of 2025, up from around 30% in 2024. The actual proportion turned out to be slightly more than half.
More significantly, the number of phishing kits doubled during 2025. Each kit is powerful enough to launch millions of attacks. These kits are constantly evolving, becoming more sophisticated and evasive over time. The team reported regularly on some of the most prevalent phishing kits throughout the year.
Based on these developments and more, the threat analysis team has drawn up a series of predictions for how the landscape might evolve over the next 12 months to help security teams understand and prepare for what lies ahead.
What’s coming in 2026
Phishing kits 2.0
Both established and emerging phishing kits will use tools to build detailed social profiles of targets. They’ll deploy automated tactics to get around security measures like multifactor authentication (MFA) by stealing access tokens or relaying authentication via the legitimate website to break through protections. They will make greater use of AI to develop their kits and make attacks more personalized and effective.
- The business model for next-generation PhaaS kits will feature structured subscription tiers, ranging from basic phishing kits to highly targeted and sophisticated AI-personalized campaigns.
- By the end of 2026, we anticipate that over 90% of credential compromise attacks will be attributed to the use of phishing kits, representing more than 60% of all phishing attacks.
Dynamic evasion techniques and tailored payloads
Attackers will shift from static tactics to dynamic, context-aware approaches with payloads that are tailored based on device, user activity or timing to evade automated detection.
Advanced evasion and anti-detection techniques that are expected to increase in volume include:
- Hiding malicious code in harmless image and audio files (steganography).
- ‘ClickFix’ social engineering techniques where a user is tricked into manually executing a malicious command that has been secretly copied to their clipboard.
- More split and nested QR codes in attacks and the introduction of dynamic and multi-stage QR codes.
- Widespread abuse of OAuth (Open Authorization) — a widely-used system for signing in to apps or services without sharing a password.
- Highly advanced URL evasion techniques, including the use of ephemeral Blob URIs. Blob URIs are a type of web address used to store data locally in memory, and attackers like them because they don’t load from external servers and can host phishing pages in the victim’s browser, making them hard to detect using traditional measures.
- Dynamic code injection and fully disguised malicious scripts.
AI-based auto-adaptive campaigns
- Attackers will use generative AI to craft individualized messages at scale and to auto-adapt campaigns quickly.
- These AI-powered attacks will move at speed and feature improved encryption, deeper layers of obfuscation and adaptive payloads.
- Attackers are also expected to ramp up their efforts to exploit AI itself using prompt-injection techniques and targeting AI agents, with the aim of manipulating or compromising AI-enabled security tools.
MFA code theft and deception
- There will be an increase in MFA code theft via phishing, using tactics such as push approval fatigue and relay attacks.
- Social engineering will target MFA recovery flows, such as password reset codes or other account recovery options.
- Attackers will also use social engineering for MFA downgrade attacks, trying to bypass strong phishing-resistant authentication by forcing or tricking the user into selecting an alternative authentication method that is easier to get round.
More attacks will abuse CAPTCHA
- Advanced phishing campaigns are increasingly using CAPTCHA to trick victims into feeling safe and to conceal the attackers’ true intent. The team expects that by the end of 2026, more than 85% of phishing attacks will use CAPTCHA to evade automated security tools and ensure interactions are performed by a human.
- Attackers are also moving away from legitimate, trusted CAPTCHA to fake alternatives, and we expect that to increase during 2026.
More polymorphic tactics
- A polymorphic attack is one that continuously changes its content, payloads, delivery patterns or technical fingerprints so that each instance looks different — making automated detection and signature-based defenses ineffective.
- Popular techniques that are expected to increase in use — especially among phishing kits — include using random alphanumeric strings in the email body or subject, obfuscating the sender address or employing long headers that include timestamps or recipient names in the subject, using slightly different links in each email, and varying attachment names.
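One way a detection pipeline can group polymorphic variants into a single campaign is to mask the parts that change per message before hashing. This is an added example, not Barracuda's code; the masking rules, field names and sample messages are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

ALNUM = "[A-Za-z0-9]"
# A run of 6+ letters/digits containing both is treated as per-message random filler.
RANDOM_TOKEN = re.compile(
    rf"(?<!{ALNUM})(?={ALNUM}*\d)(?={ALNUM}*[A-Za-z]){ALNUM}{{6,}}(?!{ALNUM})")
TIMESTAMP = re.compile(r"\b\d{1,4}[-/:.]\d{1,2}(?:[-/:.]\d{1,4})*\b")

def mask(text, recipient=""):
    """Replace the parts a kit varies per message with fixed placeholders."""
    text = text.lower()
    local = recipient.lower().split("@")[0]
    if local:
        text = re.sub(rf"\b{re.escape(local)}\b", "<rcpt>", text)
    text = TIMESTAMP.sub("<ts>", text)
    text = RANDOM_TOKEN.sub("<rnd>", text)
    return " ".join(text.split())

def link_shape(url):
    """Naive registrable domain (last two labels) plus the masked path; query dropped."""
    parts = urlsplit(url)
    host = ".".join((parts.hostname or "").split(".")[-2:])
    return host + mask(parts.path)

def fingerprint(msg):
    """Hash of the masked subject, link shapes and attachment names."""
    features = [
        mask(msg["subject"], msg["to"]),
        *sorted({link_shape(u) for u in msg["links"]}),
        *sorted({mask(a) for a in msg["attachments"]}),
    ]
    return hashlib.sha256("\n".join(features).encode()).hexdigest()[:16]

def cluster(messages):
    """Group message ids by campaign fingerprint."""
    groups = defaultdict(list)
    for msg in messages:
        groups[fingerprint(msg)].append(msg["id"])
    return dict(groups)

# Constructed sample messages: m1 and m2 are variants of one lure, m3 is unrelated.
SAMPLE = [
    {"id": "m1", "to": "alice@corp.example", "subject": "Invoice overdue 8fK2xQ9a - alice 2026-01-03 09:14", "links": ["https://a1.docs-portal.example/view/x7Gq21Lm?id=1"], "attachments": ["Invoice_93kd82Ls.html"]},
    {"id": "m2", "to": "bob@corp.example", "subject": "Invoice overdue Zp40tTr7 - bob 2026-01-03 09:15", "links": ["https://b7.docs-portal.example/view/Qw98eRt5?id=2"], "attachments": ["Invoice_Lk21mN0p.html"]},
    {"id": "m3", "to": "carol@corp.example", "subject": "Team lunch on Friday", "links": ["https://intranet.corp.example/events"], "attachments": []},
]
```

A fingerprint shared by many recipients within a short window is a stronger campaign signal than any single subject line, link or attachment name.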
Further exploitation of legitimate platforms
- In 2025, around 10% of phishing attacks exploited legitimate platforms, consistent with 2024. The team expects the proportion to remain static during 2026.
- Attackers will increasingly exploit AI-powered zero-code platforms to rapidly build and host phishing sites. These tools eliminate technical barriers, enabling threat actors to launch sophisticated campaigns at scale with minimal effort.
Targeting URL-protection services and URL masking
- The exploitation of URL‑protection services and URL-masking tactics such as the abuse of open redirects, marketing/tracking links and legitimate URLs is on the rise, and in 2025 this was seen in around 25% of phishing attacks. We anticipate this upward trend to continue.
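For filtering, the practical consequence of URL masking is that the host at the front of a link may not be where the user ends up, so a filter should evaluate every URL embedded in the chain. The following is an added example, not Barracuda's code; the redirect parameter names, the depth limit and all `.example` URLs are assumptions constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, quote, urlsplit

# Assumed list of query parameter names that commonly carry a redirect target.
REDIRECT_PARAMS = {"url", "u", "redirect", "target", "dest", "next", "goto"}
MAX_DEPTH = 5  # stop after this many unwraps so crafted nesting cannot loop forever

def as_url(value):
    """Return value as an http(s) URL, trying plain text and then URL-safe base64."""
    if value.lower().startswith(("http://", "https://")):
        return value
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.lower().startswith(("http://", "https://")) else None

def unwrap(url):
    """Follow embedded redirect targets; return the chain of URLs, outermost first."""
    chain = [url]
    while len(chain) <= MAX_DEPTH:
        query = urlsplit(chain[-1]).query
        inner = None
        for name, value in parse_qsl(query):  # parse_qsl percent-decodes one level
            if name.lower() in REDIRECT_PARAMS:
                inner = as_url(value)
                if inner:
                    break
        if not inner or inner in chain:
            break
        chain.append(inner)
    return chain

def hosts(url):
    """Every hostname in the chain; each one should pass reputation checks."""
    return [urlsplit(u).hostname for u in unwrap(url)]

# Constructed samples: a protection-service wrapper around a tracking link,
# and a redirect whose target is base64-encoded.
FINAL = "https://login-portal.example/session"
MID = "https://track.marketing.example/c?id=77&u=" + quote(FINAL, safe="")
NESTED = "https://protect.vendor.example/v2/url?url=" + quote(MID, safe="")
ENCODED = ("https://shop.example/out?target="
           + base64.urlsafe_b64encode(FINAL.encode()).decode().rstrip("="))
```

Static unwrapping only sees targets carried in the URL itself; redirects decided server-side still need resolution at click time.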
More advanced malware-based threats
- Malware attacks are expected to become more sophisticated, with a rise in fileless malware, which hides in the device’s memory, and polymorphic payloads that can evade traditional signature-based defenses.
- Malware-as-a-Service will evolve and thrive.
Alongside the new and evolving techniques detailed above, the team expects traditional and enduring approaches such as HR and payroll-related scams, delivery and logistics scams, fake MFA notifications, tax and government service scams, and file-sharing scams to continue.
Protection against evolving techniques
Phishing threats advanced significantly during 2025, becoming more prolific, complex and evasive. These trends will continue through 2026 and beyond. Email security should be a critical component of a robust, cyber-resilient security strategy.
Few organizations escape the impact of a phishing or social engineering attack. Our latest market research shows that 78% of organizations suffered an email security breach in the previous 12 months. The longer it took the victim to detect and contain the threat, the deeper the damage.
Traditional approaches are no longer enough to keep advanced phishing at bay. Organizations need an AI-powered integrated security platform such as BarracudaONE, with 24/7 oversight and a strong security culture.