- Trusted email platforms are now the easiest entry point for attackers.
- Spam is no longer noise; it actively drives successful phishing attacks.
- Phishing links dominate because they blend into everyday communication flows.
Commercial spam is delivered mainly through compromised accounts and free email services like Gmail, and because many users rely heavily on these platforms, that spam thrives.
VIPRE Security Group’s Q1 2026 Email Threat Trends Report states that commercial spam now accounts for 46% of all spam observed globally, with 33% delivered via compromised accounts and another 32% originating from widely used free email hosting services.
About two-thirds of that spam originated from US-based infrastructure, which also remains the primary target of these campaigns and accounts for 60% of all commercial spam volume.
Commercial spam fuels phishing and user fatigue
Commercial spam is not just a nuisance. It wears users down through email fatigue, increasing their chances of falling for phishing attempts.
As inboxes fill up, employees become desensitized, increasing the likelihood that they will interact with malicious messages without properly examining them.
To accelerate this effect, attackers rely on misleading subject lines, aggressive language, and urgent promotions designed to provoke quick reactions.
That same psychological pressure directly fuels phishing campaigns, which accounted for nearly 26% of all spam during the period.
In these attacks, malicious links remain the most effective weapon, appearing in more than half of all phishing emails analyzed.
Beyond that, abused URLs accounted for more than 89% of the phishing infrastructure, showing a clear preference for manipulating links that look legitimate.
This is why brands like Microsoft continue to be heavily spoofed, often through “open redirects” that start on trusted domains before leading to malicious destinations.
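One way a mail filter can surface the open-redirect pattern described above is to look for a second URL carried inside a link's parameters. The following is an added example, not code from VIPRE or the report; the function names, the same-site heuristic and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # embedded targets are often percent-encoded more than once

def _host(url: str) -> str:
    """Hostname of an absolute or scheme-relative http(s) URL, else ''."""
    if url.startswith("//"):
        url = "https:" + url
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")

def _same_site(a: str, b: str) -> bool:
    """Crude check (assumption): equal hosts, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def embedded_redirect_targets(link: str) -> list[str]:
    """Hosts found in query/fragment parameters that differ from the link's own host."""
    outer = _host(link)
    if not outer:
        return []
    parts = urlsplit(link)
    found: list[str] = []
    for source in (parts.query, parts.fragment):
        for _name, value in parse_qsl(source):  # parse_qsl already decodes one layer
            for _ in range(MAX_DECODE_ROUNDS):
                inner = _host(value.strip())
                if inner:
                    if not _same_site(inner, outer) and inner not in found:
                        found.append(inner)
                    break
                decoded = unquote(value)
                if decoded == value:
                    break
                value = decoded
    return found

# Constructed sample links on reserved .example names, not taken from the report.
SAMPLES = [
    "https://login.trusted.example/redirect?url=https%3A%2F%2Fevil.example%2Fsignin",
    "https://trusted.example/out?next=https%253A%252F%252Fphish.example%252Fa",
    "https://trusted.example/go?to=https://www.trusted.example/home",
]
FLAGGED = [s for s in SAMPLES if embedded_redirect_targets(s)]  # the first two links
```

A hit is a signal for further scoring rather than a verdict, since legitimate share and tracking links also embed URLs. A production filter would compare registrable domains using the Public Suffix List instead of the subdomain heuristic used here.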
Attackers evade detection by using trusted infrastructure
As detection tools get better at identifying newly registered domains, attackers are adjusting their approach rather than slowing down.
“Attackers are boldly using sophisticated techniques to evade detection, as well as resorting to emotional triggers to manipulate and violate trust,” says Usman Choudhary, CEO of VIPRE Security Group.
“Organizations must strengthen defenses against email and rethink how trust is established across channels to combat these threats… There is no room for complacency.”
Instead of creating new domains, cybercriminals now rely on well-known, reputable web addresses to blend in and avoid arousing suspicion.
To drive this even further, attackers are increasingly using Cloudflare to hide phishing links behind CAPTCHA and bot protection systems.
By doing so, they prevent security scanners from reaching the actual malicious content while making emails appear more trustworthy to users.
In addition to these tactics, callback phishing continues to gain ground as a reliable method of deception.
These campaigns often use fake invoices, subscription renewals, or urgent account alerts to entice victims to make contact.
Unfortunately, providers of free email services like Gmail have little incentive to aggressively filter out commercial spam when it drives user engagement metrics.
As a result, even the most secure email tools run into problems when user behavior creates additional points of exposure and many threats appear to come from legitimate sources.
Until companies enforce strict policies on acceptable email use and implement modern detection tools that analyze behavior rather than just content, fatigue will continue to increase and the clicks will continue to come.