In This Issue

  • EvilTokens PhaaS targets 340+ Microsoft 365 orgs

  • Bubble.io weaponized for credential phishing

  • FBI Director's Gmail hacked

  • Gulf phishing up 130%

  • Gmail AI inbox is measurably killing click rates

  • Microsoft authentication enforcement goes hard

  • NCSC Mail Check shuts down today

  • Forrester Wave full results

  • And more!

EvilTokens: Device Code Phishing-as-a-Service Hits 340+ Microsoft 365 Organizations

A new Phishing-as-a-Service platform called EvilTokens -- sold on Telegram since February 16 -- has powered a device code phishing campaign targeting 340+ Microsoft 365 organizations across the US, Canada, Australia, New Zealand, and Germany. By March 23, researchers tracked over 1,000 domains hosting phishing pages disguised as DocuSign, OneDrive, and SharePoint documents.

What makes this particularly nasty: it abuses the legitimate Microsoft device code authentication flow, meaning the phishing page redirects to real Microsoft infrastructure. The kit provides affiliates with email harvesting tools, account reconnaissance, a built-in webmail interface, and AI-powered automation. This is the most significant new PhaaS platform to emerge in 2026, and email is the entry point for every attack chain.

Forrester Wave Q1 2026: Cordial and Zeta Named Email Marketing Leaders

Forrester published its Q1 2026 Wave for Email Marketing Service Providers, evaluating 12 vendors. Two came out on top: Cordial earned highest possible scores in 10 criteria including identity resolution, dynamic messaging, and pricing transparency (used by Levi's, L.L.Bean, Boot Barn). Zeta Global received the highest Strategy score of any vendor, with perfect 5.0 marks in 11 criteria including AI Approach, Innovation, and Roadmap.

Zeta's positioning reflects its aggressive M&A strategy — the $325M Marigold acquisition we covered previously is clearly paying dividends in the analyst community. Worth watching how this reshapes enterprise ESP selection in 2026.

Bubble.io No-Code Platform Weaponized for Microsoft Credential Phishing

Kaspersky uncovered attackers using Bubble.io, a legitimate no-code app builder, to host phishing apps that steal Microsoft 365 credentials. Because the pages live on Bubble's trusted domain (*.bubble.io), email security filters don't flag the links. The Shadow DOM and complex JavaScript bundles generated by Bubble are opaque to static analysis tools, making detection extremely difficult.

The pattern is clear: attackers are systematically moving to legitimate platforms -- OAuth flows, no-code builders -- to evade URL reputation checks. Kaspersky expects this technique to spread to PhaaS kits. Watch for *.bubble.io URLs in phishing attempts.

FBI Director Kash Patel's Personal Gmail Hacked by Iran-Linked Group

The Iran-linked Handala Hack Team breached FBI Director Kash Patel's personal Gmail account and published 300+ emails and personal photos. The leaked correspondence dates from 2010-2019, predating his role as FBI Director. Handala claimed retaliation for the FBI's seizure of several of the group's domains. The State Department has offered a $10 million reward for information identifying the group.

The sitting FBI Director's personal email getting popped is a reminder that personal email accounts remain prime targets for state-sponsored actors -- no matter how high your security clearance.

Gmail AI Inbox Is Measurably Killing Click Rate

The first hard data is in. Omeda's analysis of billions of emails quantifies what Gmail's Gemini-powered AI features are doing to email metrics:

  • Click-through rates dropped from 4.35% to 3.93% -- users get what they need from AI summaries without clicking

  • Newsletter CTR fell from 7.68% to 6.78%

  • Open rates are artificially inflated -- Gmail's AI auto-opens emails to generate summaries

That's roughly a 10% relative decline in clicks, and the open rate inflation masks the actual engagement drop. This is the most consequential change to email metrics since Apple's Mail Privacy Protection.

Gulf Countries See 130% Phishing Surge After Middle East War Escalation

Bitdefender Antispam Labs detected a sustained 130% average increase in phishing and malware campaigns targeting Gulf countries following the escalation of conflict involving Israel, the US, and Iran. Peak activity reached nearly 4x pre-war levels. The turning point was February 28, with malicious email volumes doubling within days and remaining elevated. Campaigns use business-themed lures -- invoices, contracts, banking, deliveries -- deploying Java-based RATs and fileless PowerShell chains. Palo Alto's Unit 42 corroborates the findings.

Geopolitical events translate directly into email threat spikes. Organizations with Middle East operations or partners should be on heightened alert.

Security & Anti-Abuse

PXA Stealer Surges Against Financial Institutions, Filling Post-Lumma Vacuum

CyberProof MDR researchers (presented at RSAC 2026) identified an 8-10% increase in PXA Stealer activity targeting global financial institutions during Q1 2026. PXA has filled the gap left by 2025 takedowns of Lumma, Rhadamanthys, and RedLine. Campaigns use phishing emails with malicious URLs triggering ZIP downloads -- lures include CVs, Adobe installers, tax forms, and legal documents. Email remains the primary delivery vector for infostealers, and the whack-a-mole continues.

Russian National Sentenced for BitPaymer Ransomware Phishing Botnet

A Russian national was sentenced to two years in prison after admitting the phishing botnet he managed launched BitPaymer ransomware attacks against 72 U.S. companies. Rare accountability for phishing-enabled ransomware operations.

Deliverability & Authentication

Microsoft Outlook Authentication Enforcement Now Returning Hard Rejections

Microsoft's high-volume sender requirements for Outlook.com are actively enforcing. Domains sending 5,000+ emails/day to Outlook.com must comply with SPF, DKIM, and DMARC (at least p=none). Non-compliant mail now returns 550 5.7.515 Access denied -- permanent rejection, not spam folder placement. Additional requirements include valid From/Reply-To addresses, functional unsubscribe links, and regular list hygiene.

Microsoft has moved from warnings to hard bounces. If you're a high-volume sender and haven't gotten compliant, you're already seeing delivery failures to Outlook/Hotmail/Live.com. This aligns Microsoft with Google and Yahoo's existing enforcement posture.
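An offline way to check whether a sending domain clears the SPF/DKIM/DMARC bar described above, as an added example that is not part of the newsletter or Microsoft's own tooling. DNS lookups are replaced by a constructed dict of TXT records (the domains, selector and key material are made up) so it runs without network access; for a real check, resolve each name with a DNS library and pass the TXT strings in.

```python
"""Offline check of a sending domain against the Outlook.com baseline:
one SPF record, a live DKIM key, and a DMARC record with at least p=none.

Added example, not the newsletter's or Microsoft's code. DNS lookups are
replaced by a constructed dict of TXT records so it runs offline.
"""
from typing import Dict, List

# Constructed sample zone data (name -> TXT record strings), not real domains.
SAMPLE_ZONES: Dict[str, Dict[str, List[str]]] = {
    "good.example": {
        "good.example": ["v=spf1 include:_spf.example.net -all"],
        "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_KEY"],
        "_dmarc.good.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@good.example"],
    },
    "bad.example": {
        "bad.example": ["v=spf1 include:_spf.example.net +all"],  # +all: anyone passes SPF
        "s1._domainkey.bad.example": ["v=DKIM1; k=rsa; p="],       # empty p= means key revoked
        # no _dmarc.bad.example record at all
    },
}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(zone: Dict[str, List[str]], domain: str) -> List[str]:
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"FAIL SPF: expected exactly one v=spf1 record at {domain}, found {len(spf)}"]
    last = spf[0].lower().split()[-1]
    if last in ("-all", "~all") or last.startswith("redirect="):
        return []  # hard/soft fail for everyone else, or policy delegated to another domain
    if last in ("all", "+all"):
        return ["FAIL SPF: '+all' authorizes any host on the internet to pass SPF"]
    return ["FAIL SPF: record does not end with -all or ~all"]


def check_dkim(zone: Dict[str, List[str]], domain: str, selector: str) -> List[str]:
    name = f"{selector}._domainkey.{domain}"
    strings = zone.get(name, [])
    if not strings:
        return [f"FAIL DKIM: no key record at {name}"]
    tags = parse_tags("".join(strings))  # long keys are split across several TXT strings
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return [f"FAIL DKIM: record at {name} is not v=DKIM1"]
    if not tags.get("p"):
        return [f"FAIL DKIM: key at {name} has an empty p= tag (revoked)"]
    return []


def check_dmarc(zone: Dict[str, List[str]], domain: str) -> List[str]:
    name = f"_dmarc.{domain}"
    recs = [r for r in zone.get(name, []) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"FAIL DMARC: expected exactly one v=DMARC1 record at {name}, found {len(recs)}"]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"FAIL DMARC: p= missing or invalid ({policy!r}); Outlook needs at least p=none"]
    if "rua" not in tags:
        return ["WARN DMARC: no rua= address, so aggregate reports will never reach you"]
    return []


def check_outlook_readiness(zone: Dict[str, List[str]], domain: str, dkim_selector: str) -> Dict[str, object]:
    """Run all three checks. Any FAIL finding means a 5,000+/day sender
    should expect 550 5.7.515 rejections from Outlook.com."""
    findings = check_spf(zone, domain) + check_dkim(zone, domain, dkim_selector) + check_dmarc(zone, domain)
    return {"compliant": not any(f.startswith("FAIL") for f in findings), "findings": findings}


if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        result = check_outlook_readiness(zone, domain, "s1")
        print(domain, "compliant" if result["compliant"] else "NOT compliant")
        for finding in result["findings"]:
            print("  ", finding)
```

The SPF check deliberately flags `+all`, which is syntactically valid and passes Microsoft's "has SPF" test but authorizes the whole internet to send as the domain; the DKIM check treats an empty `p=` as a failure because that is how a revoked key is published.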

Microsoft SMTP AUTH Basic Auth Timeline Revised Again

Microsoft has again revised its SMTP AUTH Basic Authentication deprecation timeline:

  • Now through December 2026: SMTP AUTH Basic Auth behavior unchanged

  • End of December 2026: Basic Auth disabled by default for existing tenants (admins can re-enable)

  • New tenants after December 2026: Basic Auth unavailable, OAuth required

  • H2 2027: Final removal date TBA

This is a significant extension from the previously announced September 2025 and then March/April 2026 deadlines. The repeated postponement signals that migration is harder than Microsoft expected. The end is still coming -- prioritize OAuth migration.
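What the OAuth side of that migration looks like on the wire, as an added example that is not Microsoft's code: Python's standard `smtplib` speaks SASL XOAUTH2 if you hand it the right callable. It assumes an access token has already been obtained out of band (for example with MSAL), uses a constructed placeholder token, and assumes the usual Exchange Online submission host and port.

```python
"""SMTP submission with OAuth 2.0 (SASL XOAUTH2) instead of SMTP AUTH Basic.

Added example, not Microsoft's code. The access token is assumed to come
from an out-of-band OAuth flow; the value used below is a constructed
placeholder. Host and port are the assumed Exchange Online submission endpoint.
"""
import smtplib
from typing import Callable, Optional

SMTP_HOST = "smtp.office365.com"  # assumed Exchange Online submission host
SMTP_PORT = 587


def xoauth2_payload(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response before base64 encoding:
    'user=<address>' 0x01 'auth=Bearer <token>' 0x01 0x01."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_authobject(user: str, access_token: str) -> Callable[[Optional[bytes]], str]:
    """Build the callable smtplib.SMTP.auth() expects. smtplib base64-encodes
    whatever this returns, so the raw payload is handed back."""
    def respond(challenge: Optional[bytes] = None) -> str:
        if challenge:
            # The server rejected the token: it replied 334 with a base64 JSON
            # error body. Answering with an empty line ends the exchange, after
            # which smtplib raises SMTPAuthenticationError on the final 535.
            return ""
        return xoauth2_payload(user, access_token)
    return respond


def submit_with_oauth(user: str, access_token: str, recipients: list, message: bytes,
                      host: str = SMTP_HOST, port: int = SMTP_PORT):
    """STARTTLS, confirm the server offers XOAUTH2, authenticate, and send.
    Returns the (code, text) reply to AUTH so the caller can log it."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()  # re-EHLO after TLS: the AUTH mechanism list can differ from the plaintext one
        if "XOAUTH2" not in smtp.esmtp_features.get("auth", "").upper():
            raise RuntimeError("server does not advertise AUTH XOAUTH2")
        code, resp = smtp.auth("XOAUTH2", xoauth2_authobject(user, access_token))
        smtp.sendmail(user, recipients, message)
        return code, resp


if __name__ == "__main__":
    # Constructed placeholder values; a real run needs a live access token.
    print(submit_with_oauth(
        "sender@example.com", "ACCESS_TOKEN_PLACEHOLDER", ["rcpt@example.net"],
        b"From: sender@example.com\r\nTo: rcpt@example.net\r\nSubject: test\r\n\r\nhello\r\n",
    ))
```

The only difference from a Basic Auth sender is the `auth()` call: the credential is a short-lived bearer token rather than a password, so the token-refresh logic lives in whatever produces `access_token`, not in the SMTP code.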

Spamhaus Oracle DNS Blocklist Deadline: 8 Days Away

Deadline: April 8. Users of Spamhaus's free DNS Blocklists running on Oracle's network must transition to the free Data Query Service (DQS) before April 8. Starting April 9, Spamhaus will return error code 127.255.255.254 across Oracle's IP space. If your mail servers aren't configured to handle this code, all email could be rejected. The fix is free but requires config changes.
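The operational point is that a DNSBL error code looks like a positive answer to an MTA that only checks "did I get an A record", which is how a missed transition turns into rejecting all mail. The added example below (not Spamhaus's or the newsletter's code) shows the DQS query-name format with a placeholder key, the 127.255.255.254 error code from the item above alongside the ZEN listing codes from Spamhaus's published documentation, and a decision function that fails open on errors instead of treating them as listings.

```python
"""Classify Spamhaus ZEN DNSBL answers so error codes are never treated as listings.

Added example, not Spamhaus's code. DQS_ZONE uses a placeholder key; the
listing sub-codes are Spamhaus's documented ZEN return values, and the
127.255.255.0/24 range is its documented error range.
"""
import ipaddress
from typing import Iterable, Tuple

LEGACY_ZONE = "zen.spamhaus.org"               # public mirrors, returning errors from Oracle IPs after April 8
DQS_ZONE = "YOUR-DQS-KEY.zen.dq.spamhaus.net"  # placeholder: Spamhaus issues a per-account key

ZEN_LISTINGS = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (low-reputation / snowshoe source)",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.5": "XBL (exploited host)",
    "127.0.0.6": "XBL (exploited host)",
    "127.0.0.7": "XBL (exploited host)",
    "127.0.0.10": "PBL (ISP-declared end-user range)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user range)",
}
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")  # e.g. 127.255.255.254 from the item above


def dnsbl_query_name(client_ip: str, zone: str = DQS_ZONE) -> str:
    """Reverse the client's octets and append the zone, e.g. 44.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_dnsbl_answer(answers: Iterable[str]) -> Tuple[str, str]:
    """Return ("listed" | "clean" | "error", reason) for the A records a lookup produced."""
    answers = list(answers)
    if not answers:
        return "clean", "NXDOMAIN / no A record"
    for a in answers:
        ip = ipaddress.IPv4Address(a)
        if ip in ERROR_RANGE:
            return "error", f"DNSBL error code {a}: query refused, not a listing"
        if a in ZEN_LISTINGS:
            return "listed", ZEN_LISTINGS[a]
    return "error", f"unrecognised DNSBL answer {answers[0]}"


def smtp_action(answers: Iterable[str]) -> Tuple[str, str]:
    """Decide what the MTA should do with the connecting client."""
    verdict, reason = classify_dnsbl_answer(answers)
    if verdict == "listed":
        return "reject", f"554 5.7.1 Service unavailable; client host blocked: {reason}"
    if verdict == "error":
        # Fail open: a broken blocklist lookup must not reject every message.
        return "accept", f"DNSBL unavailable ({reason}); alert the postmaster"
    return "accept", "not listed"


if __name__ == "__main__":
    # Constructed answers standing in for real lookups.
    for name, answer in [
        (dnsbl_query_name("192.0.2.44", LEGACY_ZONE), ["127.255.255.254"]),
        (dnsbl_query_name("192.0.2.44"), ["127.0.0.4"]),
        (dnsbl_query_name("198.51.100.7"), []),
    ]:
        print(name, "->", smtp_action(answer))
```

Most MTAs can express the same rule natively by restricting which return codes count as a listing (Postfix, for instance, accepts a `domain=d.d.d.d` filter on `reject_rbl_client`); the point is that the accepted set must be the listing codes, never "any answer".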

Validity Proposes Three New Email Metrics for the AI Era

Validity's Guy Hanson published a MarTech piece proposing three metrics to replace traditional opens and clicks:

  1. Disaffection Index -- combines unsubscribes, complaints, and bounces into a single metric measuring how fast you're burning through your audience

  2. Reply Rates -- replies require intent and indicate genuine engagement

  3. Trust Scores -- measuring subscriber trust through preference center engagement and explicit consent actions

The Disaffection Index is the most useful concept here: a campaign with decent click rates can still wreck your deliverability if it generates enough complaints or unsubscribes. As Hanson puts it, "The focus is shifting from simply reaching the inbox to proving you belong there."

Infrastructure & MTAs

Microsoft Outlook Deliverability Crisis Persists

The Outlook deliverability issues reported in previous editions continued through March with no resolution. Administrators from small ISPs to public libraries and healthcare organizations report outbound messages rejected with 550 errors and vague "temporary rate-limited" notices. Microsoft's internal reputation engine appears to be mistakenly flagging clean IPs as spam sources. Many senders receive automated "no issue detected" replies while delivery remains blocked. E-commerce platforms have reported 48-hour order confirmation delays.

Separately, Microsoft cancelled plans to impose bulk email rate limits on Exchange Online, backing off from a previously announced policy. The combination of false-positive blocking, inadequate support, and cancelled rate-limiting plans signals significant internal confusion about email policy.

Halon Drops Two Releases: Flow Dynamics and Gateway PGP Encryption

Halon shipped two updates this week. Engage 26.1 (March 26) introduces Flow Dynamics, a new Delivery Guru feature for smarter delivery optimization. Protect 26.1 (March 31) strengthens gateway-enforced email encryption with PGP and enhanced S/MIME support. Two solid infrastructure releases in one week from the Swedish MTA vendor.

Platforms & Marketing

Forrester Wave EMSP Q1 2026 -- Full Results

Full results from the Forrester Wave EMSP Q1 2026, evaluating 12 vendors across 26 criteria:

  • Leaders: Adobe, Cordial, Zeta Global

  • Strong Performers: Braze (top scores in dynamic messaging and responsible AI), Iterable, Klaviyo (first-time participant), Netcore Cloud

  • Also evaluated: Bloomreach, Bluecore, Cheetah Digital, Salesforce, SAP

Adobe's Leader position and Klaviyo's debut as a Strong Performer are the key new data points. Forrester's theme across the board: "competitive pressure, combined with the revolutionary power of AI, is pushing the limits of what the email medium can do."

Validity Launches Engage -- AI Email Platform with Four Specialized Agents

Validity launched Engage, an AI email platform debuted at Litmus Live 2026, featuring specialized agents: Ignite (flags rendering, code, and compliance risks pre-send), Guardian (monitors subscriber experience and deliverability), and Expression (generates on-brand copy and variants). Trained on Validity's data network processing 2.5 billion data points daily.

The move into "AI agents" for email operations mirrors the agentic theme from RSAC. The unlimited pricing model -- no seat caps or usage-based restrictions -- is noteworthy as a market signal.

AI & Email

Forrester: AI Is Driving an "Email Functionality Leap"

Forrester's companion blog to the Wave report argues AI is driving a genuine functionality leap in email platforms -- not just incremental improvements. Conversational interfaces and proactive automation are now table stakes. Klaviyo's K:AI Marketing Agent builds entire email sequences autonomously. HubSpot's Breeze Agents resolve support tickets via email without human intervention. The shift is from AI-assisted to AI-autonomous email operations. The "agentic" theme from RSAC security vendors last week is now confirmed across the marketing platform side too.

Gmail AI: Front-Load Value or Get Summarized Away

Practical guidance is emerging for adapting to Gmail's AI features: front-load key information in the first 100-200 characters (AI summaries pull from there), use direct subject lines and clear structure, and eliminate filler. Gmail's AI prioritizes concrete, actionable information over emotional language or marketing fluff. The good news: AI-optimized email is just good email. The bad news: mediocre email will perform even worse as summarization reduces the need to click.

Regulatory & Compliance

NCSC Mail Check and Web Check Shut Down Today

The UK's National Cyber Security Centre officially retires its Mail Check and Web Check services today, March 31, 2026, after 8 years of operation. Mail Check provided free email security compliance assessment covering SPF, DMARC, TLS, and MTA-STS. The NCSC recommends organizations transition to commercial External Attack Surface Management (EASM) products. Multiple vendors (Valimail, dmarcian, Sendmarc, Red Sift) have offered migration paths.

Any UK public-sector organization that hasn't migrated is now flying blind on email authentication compliance. The NCSC's exit validates the maturity of the commercial market but leaves a gap for smaller organizations that relied on the free service.

Events & Community

  • Deliverability Summit -- Barcelona, April 20-22 (SOLD OUT). La Pedrera. No vendor pitches; standards-aligned, evidence-first sessions. Main stage streamed online April 15 - May 2. Only remaining access: Festival of Email Bundle pass. deliverabilitysummit.com

  • Festival of Email / Sender Symposium -- Barcelona, April 19-25. Full week of email events. Sender Symposium (marketer/CRM-focused) April 24. festivalofemail.com

  • Unspam 2026 -- Long Beach CA, April 20-22. Really Good Emails + Beefree. Under 250 attendees, unconference format. unspam

  • Word to the Wise Gmail/Inbox Signals Webinar -- Early April 2026. Free. Covers authentication, sender reputation, BIMI, and a 90-day deliverability improvement plan. wordtothewise.com

  • M3AAWG 67th General Meeting -- Montreal, June 8-11. CFPs open. m3aawg.org

What to Watch

  • Spamhaus + Oracle: April 8-9 -- Error code rollout begins April 9. Transition to free DQS now or risk all email being rejected. Spamhaus

  • NCSC Mail Check: Shut down today (March 31) -- UK public sector must now use commercial alternatives. NCSC

  • Mautic fundraiser: End of March -- $50K budget shortfall, targeting $40K minimum. Outcome pending. Mautic

  • Yahoo Mail storage cuts: May 5 -- 15-20GB limits for free users. Block after August 27 for those over limit. Expect increased bounces from Yahoo domains.

  • Microsoft SMTP AUTH Basic Auth: December 2026 -- Disabled by default for existing tenants. Final removal H2 2027. Microsoft

  • Proofpoint unified SEG+API launch: June 30 -- Major email security architecture change.

  • EU AI Act Article 50 transparency: August 2 -- Disclosure requirements for AI-generated email content to EU recipients.

  • Gmail AI Inbox rollout -- Continues toward general availability. Monitor metrics impact.

  • iOS 26 Link Tracking Protection -- Apple Mail stripping gclid/fbclid/dclid from clicks. UTM params safe.

  • Middle East cyber escalation -- Phishing volumes up 130%+ in Gulf region. Monitor for spread.

As always, I’d love to get your feedback! How can I make this newsletter better? Hit “reply” and tell me! Better yet, hit “forward” and send this to someone you know in the email community! (And if you received this via a forward from someone else, please subscribe at https://thisweekin.email!)

Also, would your company be interested in sponsoring this newsletter? Hit reply and let’s talk!

Until next week,

John
