'Nearly two-thirds of spam came from US-based infrastructure': Your free Gmail account could be helping criminals send 46% of all commercial spam while wearing down employees with email fatigue

• Trusted email platforms are now the easiest entry point for attackers
• Spam is no longer noise; it actively drives successful phishing attacks
• Phishing links dominate because they blend into everyday communication flows

The primary delivery method for commercial spam is compromised accounts and free email services like Gmail, but many users place a lot of trust in these platforms, allowing the spam to thrive.

VIPRE Security Group's Q1 2026 Email Threat Trends Report claims commercial spam now accounts for 46% of all spam observed globally, with 33% delivered through compromised accounts and another 32% originating from widely used free email hosting services.

About two-thirds of that spam originated from infrastructure based in the United States, which also remains the top target for these campaigns, accounting for 60% of all commercial spam volume.

Commercial spam fuels phishing and user fatigue

Commercial spam is not just a nuisance. It actively wears down users through email fatigue, increasing their chances of falling for phishing attempts.

As inboxes fill up, employees become desensitized, increasing the likelihood that they will engage with malicious messages without proper scrutiny.

To accelerate this effect, attackers rely on misleading subject lines, aggressive language, and urgent promotions designed to trigger quick reactions.

That same psychological pressure feeds directly into phishing campaigns, which made up nearly 26% of all spam during the period.

In these attacks, malicious links remain the most effective weapon, appearing in more than half of all phishing emails analyzed.

Beyond that, abused URLs accounted for over 89% of phishing infrastructure, showing a clear preference for manipulating legitimate-looking links.

This is why brands like Microsoft continue to be heavily spoofed, often through “open redirects” that start on trusted domains before leading to malicious destinations.

Attackers evade detection using trusted infrastructure

As detection tools improve at identifying newly registered domains, attackers are adjusting their approach rather than slowing down.

"Attackers are boldly using sophisticated techniques to evade detection, alongside resorting to emotional triggers to manipulate and breach trust,” says Usman Choudhary, General Manager, VIPRE Security Group.

“Organizations must strengthen email defenses and rethink how trust is established across every channel to combat these threats... There is no room for complacency.”

Instead of creating new domains, cybercriminals now rely on familiar, reputable web addresses to blend in and avoid raising suspicion.

To push this further, attackers increasingly use Cloudflare to hide phishing links behind CAPTCHA and bot protection systems.

By doing so, they prevent security scanners from reaching the actual malicious content, while making the emails appear more trustworthy to users.

Alongside these tactics, callback phishing continues to gain traction as a reliable method of deception.

These campaigns often use fake invoices, subscription renewals, or urgent account alerts to prompt victims into making contact.

Unfortunately, free email service providers like Gmail have little incentive to aggressively filter commercial spam when it drives user engagement metrics.

As a result, even the best secure email tools struggle when user behavior creates additional exposure points, and many threats appear to come from legitimate sources.

Until businesses enforce strict policies on acceptable email use and deploy modern detection tools that analyze behavior rather than just content, the fatigue will continue to mount, and the clicks will keep coming.

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.