{"id":2707,"date":"2025-09-07T09:52:55","date_gmt":"2025-09-07T09:52:55","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/09\/07\/tycoon-phishing-kit-utilizes-new-capabilities-to-hide-malicious-links\/"},"modified":"2025-09-07T09:52:55","modified_gmt":"2025-09-07T09:52:55","slug":"tycoon-phishing-kit-utilizes-new-capabilities-to-hide-malicious-links","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/09\/07\/tycoon-phishing-kit-utilizes-new-capabilities-to-hide-malicious-links\/","title":{"rendered":"Tycoon Phishing Kit Utilizes New Capabilities to Hide Malicious Links"},"content":{"rendered":"<div id=\"cphContent_pnlMainContent\">\n<h2>Written by<\/h2>\n<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/32483240-27a8-4f36-ac60-9d465c05a5d5.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of James Coker\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-7addc586-9a11-4599-aefd-eec0a542e692\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>New techniques have been developed within the Tycoon phishing kit to hide malicious links in email attacks, researchers from Barracuda have warned.<\/p>\n<p>The use of URL encoding, among other new techniques, is designed to better obscure, muddle and disrupt the structure of malicious links.<\/p>\n<p>\u201cThis is intended to confuse automated detection systems and ensure the links aren\u2019t blocked,\u201d the researchers noted.<\/p>\n<p>Tycoon\u2019s evolution comes in response to improved capabilities of email security tools to detect and block dangerous links, Barracuda added in the report, published on September 3.<\/p>\n<p>\u201cAttackers are constantly inventing new and more sophisticated ways to disguise dangerous links in phishing emails. 
They use tricks with spaces, symbols and web addresses in a way that looks trustworthy at first glance. These methods make it much harder for people \u2013 and traditional security software \u2013 to tell if they are being lured to a risky website,\u201d the researchers commented.<\/p>\n<p>Tycoon is a Phishing-as-a-Service (PhaaS) platform available for cybercriminals to hire on the dark web. It offers advanced capabilities, including tools to bypass detection and multi-factor authentication (MFA).<\/p>\n<h2><strong>New Link Obfuscation Capabilities<\/strong><\/h2>\n<h3><strong>URL Encoding<\/strong><\/h3>\n<p>The Barracuda researchers observed new URL encoding techniques in phishing emails masquerading as voicemail messages from a trusted accounting service.<\/p>\n<p>The URL encoding used in the fake voicemail link inserted a series of invisible spaces into the web address, using the code \u2018%20\u2019. This is designed to push the malicious part of the link out of sight of security scans.<\/p>\n<p>It also added odd characters, including a Unicode symbol that looks like a dot but isn\u2019t one.<\/p>\n<p>Additionally, a hidden email address or special code was observed being included at the end of the web address.<\/p>\n<\/div>\n<figure id=\"layout-f0a6e138-3d6b-4266-a00c-3c3ac1f38bf4\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/localimages\/d6a5cdf9-b7fe-4d46-8044-5483af965cb0.png\" alt=\"How the URL with coded %20 spaces appears in the phishing email. Source: Barracuda\"><figcaption>How the URL with coded %20 spaces appears in the phishing email. 
Source: Barracuda<\/figcaption><\/figure>\n<div id=\"layout-20495fdb-3f90-4c43-a0d2-29e05755c025\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>\u201cBy using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat,\u201d the researchers wrote.<\/p>\n<p>The Tycoon attacks also include a fake CAPTCHA verification stage before redirecting the victim to the attacker-controlled website. This is designed to make the website appear more legitimate and bypass basic security checks.<\/p>\n<h3><strong>Redundant Protocol Prefix Technique<\/strong><\/h3>\n<p>Tycoon phishing attacks also utilized the Redundant Protocol Prefix technique, which involves crafting a URL that is only partially hyperlinked or contains invalid elements.<\/p>\n<p>Examples include \u2018https\u2019 or no \u2018\/\/\u2019 in the link.<\/p>\n<p>This approach aims to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn\u2019t arouse suspicion among targets or their browser controls.<\/p>\n<p>Another approach is using the \u2018@\u2019 symbol in a web address. 
This works because browsers treat everything before the \u2018@\u2019 as \u2018user info\u2019, so the attackers put something that looks reputable and trustworthy in this part, such as \u2018office365\u2019.<\/p>\n<p>The link\u2019s actual destination comes after the \u2018@\u2019 symbol.<\/p>\n<h3><strong>Subdomain Abuse<\/strong><\/h3>\n<p>Another approach used to obfuscate malicious links in Tycoon attacks again involved a benign\/malicious split, this time for subdomains.<\/p>\n<p>The attackers created fake websites using names seemingly linked to well-known companies, such as &#8216;office365Scaffidips.azgcvhzauig.es.&#8217;<\/p>\n<p>This makes users think they are dealing with a Microsoft subdomain, but the last part of the web address is an attacker-owned phishing site.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Written by New techniques have been developed within the Tycoon phishing kit to hide malicious links in email attacks, researchers from Barracuda have warned. The use of URL encoding, among other new techniques, is designed to better obscure, muddle and disrupt the structure of malicious links. 
\u201cThis is intended to confuse automated detection systems and<\/p>\n","protected":false},"author":2,"featured_media":2708,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2707","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2707-b31eaee1-255d-4bb6-ad61-db440e8dd81f-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<
a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2707","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2707"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2707\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2708"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}