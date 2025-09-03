New techniques have been developed within the Tycoon phishing kit to hide malicious links in email attacks, researchers from Barracuda have warned.

The use of URL encoding, among other new techniques, are designed to better obscure, muddle and disrupt the structure of malicious links.

“This is intended to confuse automated detection systems and ensure the links aren’t blocked,” the researchers noted.

Tycoon’s evolution comes in response to improved capabilities of email security tools to detect and block dangerous links, Barracuda added in the report, published on September 3.

“Attackers are constantly inventing new and more sophisticated ways to disguise dangerous links in phishing emails. They use tricks with spaces, symbols and web addresses in a way that looks trustworthy at first glance. These methods make it much harder for people – and traditional security software – to tell if they are being lured to a risky website,” the researchers commented.

Tycoon is a Phishing-as-a-Service (PhaaS) platform available for cybercriminals to hire on the dark web. It offers advanced capabilities, including tools to bypass detection and multi-factor authentication (MFA).

New Link Obfuscation Capabilities

URL Encoding

The Barracuda researchers observed new URL encoding techniques in phishing emails masquerading as voicemail messages from a trusted accounting service.

The URL encoding used in the fake voicemail link inserted a series of invisible spaces into the web address, using the code ‘%20’. This is designed to push the malicious part of the link out of sight of security scans.

It also added odd characters, including a Unicode symbol that looks like a dot but isn’t one.

Additionally, a hidden email address or special code was observed being included at the end of the web address.