Barracuda warns of rising phishing attacks with clever URL tricks

Barracuda has detected over a million phishing-as-a-service (PhaaS) attacks in the first two months of 2025, highlighting the increasing sophistication of cyber threats targeting email users worldwide.

Researchers have reported a significant outbreak of attacks generated by the Tycoon phishing platform, which employs advanced evasion techniques to bypass traditional security measures and deceive recipients into clicking malicious links.

New phishing techniques

The latest Barracuda report details a range of methods used by the Tycoon platform to disguise dangerous links in phishing emails. These techniques focus on confusing automated detection systems by altering the appearance and structure of web addresses (URLs).

Among the identified tactics is inserting a series of invisible spaces by repeatedly entering the ‘%20’ code into a URL, causing the web address to appear legitimate to both humans and machines while obscuring its true destination. Another method involves the use of obscure characters, such as a Unicode symbol resembling a dot, which can be mistaken for a standard period but functions differently in a web context.

Tycoon-generated links may also feature hidden email addresses or special codes appended to the end of a URL, as well as the inclusion of unexpected symbols such as backslashes (‘\’) or dollar signs (‘$’) that disrupt typical URL formats. These characters are rarely used in legitimate website addresses, making them effective for bypassing pattern-matching security tools.

Crafted URLs

Barracuda’s threat analysts have documented phishing attacks where URLs are structured in a way that only part of the web address is hyperlinked, with the remaining segment left as plain text. This tactic allows the dangerous section to evade detection by security solutions that analyse only clickable components.

Attackers also manipulate URL elements by using two ‘https’ sections or omitting key markers such as ‘//’ to obscure the real destination of a link, all while ensuring the visible portion appears benign. In some cases, the ‘@’ symbol is employed, with everything preceding the symbol crafted to look reputable, such as ‘office365,’ while the actual destination, often malicious, follows after the ‘@’ sign.

Barracuda warns that these methods are designed not only to confuse technical defences but also to deceive users who may skim over the details of an address, increasing the risk of successful phishing attempts.
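
The string-level tricks described in the two sections above can be checked for directly on each URL extracted from a message. The following is an added example, not code from Barracuda or its report; the signal names, the list of dot look-alike characters and the sample URLs are assumptions constructed for illustration, and a match is a reason to inspect the link rather than a verdict.

```python
import re

# Assumed set of dot look-alikes; the report does not name the exact code point.
DOT_LOOKALIKES = "\u2024\u3002\uff0e\uff61\u00b7\u2027"

def url_findings(raw: str) -> list[str]:
    """Return the names of the obfuscation signals present in one URL string."""
    findings = []
    # Two or more consecutive encoded spaces padding the address.
    if re.search(r"(?:%20){2,}", raw):
        findings.append("repeated-%20")
    # A Unicode character that renders like a period but is not U+002E.
    if any(ch in DOT_LOOKALIKES for ch in raw):
        findings.append("dot-lookalike")
    if "\\" in raw:
        findings.append("backslash")
    if "$" in raw:
        findings.append("dollar-sign")
    # More than one scheme; legitimate redirect parameters also trip this.
    if len(re.findall(r"https?:", raw, flags=re.I)) > 1:
        findings.append("duplicate-scheme")
    # Scheme present but not followed by the usual '//'.
    if re.match(r"https?:(?!//)", raw, flags=re.I):
        findings.append("missing-slashes")
    # Authority = text between the scheme and the first / ? # or backslash.
    rest = re.sub(r"^[a-z][a-z0-9+.-]*:/*", "", raw, flags=re.I)
    authority = re.split(r"[/?#\\]", rest, maxsplit=1)[0]
    # Anything before '@' is userinfo; the real host is what follows it.
    if "@" in authority:
        findings.append("userinfo-before-@")
    return findings

# Constructed sample URLs on reserved test domains (not taken from the report).
SAMPLES = [
    "https://office365@login.example.test/auth",
    "https:example.test%20%20%20/x",
    "https://portal.example.test/https://login.example.test\\$x",
    "https://login\u2024example.test/",
    "https://www.example.test/docs?page=2",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r}: {url_findings(url) or 'no signals'}")
```

The partially hyperlinked URLs mentioned above are not covered here, because detecting them needs the message's HTML (link target versus adjacent plain text) rather than the URL string alone.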

Expert commentary

“Attackers use tricks with spaces, symbols and web addresses that look trustworthy at first glance but which make it much harder for people – and traditional security software – to spot that they lead to a dangerous website.”

This warning was issued by Saravanan Mohankumar, Manager of the Threat Analysis team at Barracuda. Mohankumar further explained the ongoing evolution of cyber threats, stating, “Security tools are increasingly effective at spotting and blocking malicious links in phishing emails and this is driving attackers to continuously invent new and more sophisticated ways to disguise such links.”

Preventative measures

Barracuda’s current guidance recommends a “multilayered approach” to protection, combining various security measures that can identify, analyse, and block abnormal behaviours. This includes integrating artificial intelligence and machine learning at the email gateway and after email delivery, to improve detection rates for unusual or complex phishing attempts.

The company also emphasises the importance of comprehensive security awareness training for employees, aiming to equip end-users with up-to-date knowledge and the ability to recognise and report suspicious messages. Regular training ensures a human layer of defence remains effective against threats that may bypass automated controls.

As phishing techniques continue to develop, the report underscores the challenges facing both technology providers and users in identifying and preventing email-borne threats. Security teams are encouraged to remain vigilant for emerging tactics and adapt their defences accordingly.
