- Trusted email platforms are now the easiest entry point for attackers
- Spam is no longer noise; it actively drives successful phishing attacks
- Phishing links dominate because they blend into everyday communication flows
Commercial spam is delivered primarily through compromised accounts and free email services like Gmail, and because many users place a lot of trust in these platforms, the spam thrives.
VIPRE Security Group’s Q1 2026 Email Threat Trends Report claims that commercial spam now accounts for 46% of all spam observed globally, with 33% delivered via compromised accounts and another 32% originating from widespread free email hosting services.
About two-thirds of this spam originated from US-based infrastructure; the US is also the top target of these campaigns, accounting for 60% of all commercial spam volume.
Commercial spam fuels phishing and user fatigue
Commercial spam isn’t just a nuisance. It wears users down through email fatigue, increasing their chances of falling for phishing attempts.
As inboxes fill up, employees become desensitized, increasing the likelihood that they will engage with malicious messages without proper investigation.
To accelerate this effect, attackers rely on misleading subject lines, aggressive language, and urgent campaigns designed to trigger quick responses.
The same psychological pressure feeds directly into phishing campaigns, which accounted for nearly 26% of all spam in the period.
In these attacks, malicious links remain the most effective weapon, appearing in more than half of all phishing emails analyzed.
In addition, abused URLs accounted for over 89% of the phishing infrastructure, showing a clear preference for manipulating legitimate-looking links.
This is why brands like Microsoft continue to be heavily counterfeited, often through “open redirects” that start on trusted domains before leading to malicious destinations.
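A minimal detection heuristic for the open-redirect pattern described above, added here as an illustration and not taken from the VIPRE report or any vendor's product. It flags links whose query or fragment parameters carry a URL on a different site than the link's own host; the sample domains are constructed, and the two-label same-site comparison is a simplifying assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Constructed sample body; all domains use reserved .example/.invalid names.
SAMPLE_BODY = """\
Invoice: https://login.trusted.example/redirect?url=https%3A%2F%2Fphish.invalid%2Fsignin&id=7
Docs: https://www.trusted.example/out?next=https%253A%252F%252Fcdn.phish.invalid%252Fa
Help: https://www.trusted.example/go?to=https%3A%2F%2Fhelp.trusted.example%2Ffaq
"""

def _site(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A production filter would consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _embedded_host(value, max_decode=3):
    # Peel up to max_decode extra layers of percent-encoding and return the
    # host of an absolute or protocol-relative URL hidden in the value.
    for _ in range(max_decode + 1):
        candidate = value.strip()
        if candidate.startswith("//"):
            candidate = "https:" + candidate
        try:
            parts = urlsplit(candidate)
        except ValueError:
            return None
        if parts.scheme in ("http", "https") and parts.hostname:
            return parts.hostname
        decoded = unquote(value)
        if decoded == value:
            return None
        value = decoded
    return None

def find_cross_site_redirects(body):
    # Return (outer_host, parameter, embedded_host) for each suspicious link.
    findings = []
    for url in URL_RE.findall(body):
        try:
            outer = urlsplit(url)
        except ValueError:
            continue
        if not outer.hostname:
            continue
        for name, value in parse_qsl(outer.query) + parse_qsl(outer.fragment):
            inner = _embedded_host(value)
            if inner and _site(inner) != _site(outer.hostname):
                findings.append((outer.hostname, name, inner))
    return findings
```

A hit means the visible domain is not where the click ends up, so reputation checks should be applied to the embedded host rather than the outer one.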
Attackers evade detection using trusted infrastructure
As detection tools improve to identify newly registered domains, attackers are adjusting their approach rather than slowing down.
“Attackers are boldly using sophisticated techniques to avoid detection, alongside resorting to emotional triggers to manipulate and break trust,” said Usman Choudhary, General Manager, VIPRE Security Group.
“Organizations must strengthen email defenses and rethink how trust is established across all channels to combat these threats…There is no room for complacency.”
Instead of creating new domains, cybercriminals now rely on well-known, reputable URLs to blend in and avoid arousing suspicion.
To push this further, attackers are increasingly using Cloudflare to hide phishing links behind CAPTCHA and bot protection systems.
By doing so, they prevent security scanners from reaching the actual malicious content while making emails appear more credible to users.
Alongside these tactics, callback phishing continues to gain traction as a reliable method of deception.
These campaigns often use fake invoices, subscription renewals or urgent account alerts to prompt victims to get in touch.
Unfortunately, free email service providers like Gmail have little incentive to aggressively filter commercial spam when it drives user engagement metrics.
As a result, even the best secure email tools struggle when user behavior creates additional points of exposure and many threats appear to come from legitimate sources.
Until companies enforce strict policies on acceptable email use and implement modern tracking tools that analyze behavior rather than just content, the fatigue will continue to rise and the clicks will keep coming.



