SYDNEY, Australia – 4 September 2025 – Barracuda threat analysts have published a report on the latest techniques being used by the Tycoon phishing-as-a-service (PhaaS) kit to hide malicious links in emails. The techniques are designed to obscure, muddle and disrupt the structure of links, or URLs, with the aim of confusing automated detection systems and ensuring the links aren’t blocked.

The URL obscuring techniques detected by Barracuda threat analysts include:

• Inserting a series of invisible spaces into the malicious link by entering the code ‘%20’ repeatedly in its address line.
• Adding obscure characters such as a ‘Unicode’ symbol into the link that looks just like a dot but isn’t one.
• Inserting a hidden email address or special code at the end of the link.
• Crafting a URL that is only partially hyperlinked or which contains invalid elements – such as two ‘https’ or no ‘//’ – to hide the real destination of the link while ensuring the active part looks benign.
• Using the ‘@’ symbol in the link address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365’. The link’s actual destination comes after the ‘@’.
• Using web links with strange symbols, such as backslashes ‘’ or dollar signs ‘$’ which aren’t normally used in URLs. These odd characters can disrupt how security tools read the address, helping a toxic link to slip unnoticed through automated detection systems.
• Creating a URL where the first part is benign and hyperlinked, and the second, malicious, part appears as plain text. Since the malicious part of the link isn’t connected to anything, it isn’t read properly by security tools.

“Security tools are increasingly effective at spotting and blocking malicious links in phishing emails and this is driving attackers to continuously invent new and more sophisticated ways to disguise such links,”said Saravanan Mohankumar, Manager, Threat Analysis team at Barracuda.

“Attackers use tricks with spaces, symbols and web addresses that look trustworthy at first glance but which make it much harder for people—and traditional security software—to spot that they lead to a dangerous website.”

The best defence against such new and emerging techniques is a multilayered approach, with various levels of security that can spot, inspect and block unusual or unexpected activity. Solutions that include AI and machine-learning capabilities, both at the email gateway level and post-delivery, will ensure companies are well protected. As with all email-borne threats, security measures should be complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them.

To read the blog: https://blog.barracuda.com/2025/09/03/threat-spotlight-tycoon-phishing-kit-hide-malicious-links

About Barracuda

Barracuda is a leading global cybersecurity company providing complete protection against complex threats for all sized businesses. Our AI-powered BarracudaONE platform secures email, data, applications, and networks with innovative solutions, managed XDR and a centralised dashboard to maximise protection and strengthen cyber resilience. Trusted by hundreds of thousands of IT professionals and managed service providers worldwide, Barracuda delivers powerful defences that are easy to buy, deploy and use.