The hackers behind the popular Tycoon phishing-as-a-service (PhaaS) operation are using new techniques to hide malicious links to fake websites designed to deploy malware or steal credentials and other sensitive data from their targets.
It’s part of the ongoing cat-and-mouse nature of cybersecurity, according to a researcher with Barracuda Networks: as security solutions get better at detecting and defending against such dangerous links, the bad actors behind Tycoon and other cyberthreats look for ways to get around such protections.
“Attackers are constantly inventing new and more sophisticated ways to disguise dangerous links in phishing emails,” Megharaj Balaraddi, associate threat analyst at Barracuda, wrote in a blog post this week. “They use tricks with spaces, symbols and web addresses in a way that looks trustworthy at first glance. These methods make it much harder for people – and traditional security software – to tell if they are being lured to a risky website.”
For Tycoon, that includes using spaces or unusual characters as URL encoding techniques to hide malicious links. Those using the PhaaS platform can insert a series of invisible spaces into the web address by adding the code “%20” multiple times in the address, which will push the malicious part of the link beyond the sight of security scans, Balaraddi wrote.
They also can add unusual characters, such as a Unicode symbol that looks like a dot but isn’t one, or insert a hidden email address or special code at the end of a web address. With Tycoon, the attacks also include a fake verification page that offers up a convincing-looking CAPTCHA test to give the target more confidence that what they’re seeing is legitimate.
“By using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat,” Balaraddi wrote.
The Redundant Protocol Prefix
Other tricks include a technique called the “redundant protocol prefix”: creating a URL that is only partially hyperlinked, or that contains invalid elements such as two “https” prefixes, or symbols like dollar signs or backslashes that aren’t normally used in URLs, to give the link a benign look while hiding its real – and malicious – destination.
Bad actors also can use the “@” symbol in a web address.
“Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365,’” Balaraddi wrote. “The link’s actual destination comes after the ‘@.’”
Barracuda researchers recently saw redundant protocol prefix practices used in an attack impersonating Microsoft 365, where the first part of the URL was benign and hyperlinked and the second, malicious part appeared as plain text. If a user copies and pastes the entire URL into a browser, they’re sent to a credential-stealing phishing page that’s part of the Tycoon phishing kit.
“Since the malicious part of the link isn’t connected to anything, it isn’t read properly by security tools,” he wrote.
Tycoon users can also create subdomains that look legitimate but lead the victim to a phishing site.
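To make the link-disguise traits described in the two sections above concrete from the defender’s side, here is an added example (not Barracuda’s code, and nothing taken from the Tycoon kit) that takes a URL and reports the traits a mail filter or SOC analyst would want flagged: runs of “%20”, a Unicode dot lookalike, an email address at the tail, more than one protocol prefix, stray dollar signs or backslashes, and “user info” before an “@”. The function names `analyze_url` and `effective_host` are assumptions for this example, the sample URLs are constructed, and the three lookalike codepoints are an assumption as well, since the article does not name the one used.

```python
"""Heuristic URL analyzer for the link-obfuscation tricks described above.

Added example for defenders (mail-filter / SOC triage); not code from
Barracuda or from the Tycoon kit. Sample URLs are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Characters that render like an ASCII "." but are not one.
# Assumption: the article only says "looks like a dot but isn't one".
DOT_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\u3002": "IDEOGRAPHIC FULL STOP",
    "\uff0e": "FULLWIDTH FULL STOP",
}

SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)
EMAIL_TAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+/?$")


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    Everything between '://' and '@' is user info and is ignored for
    routing, so 'https://office365@evil.example/' really goes to evil.example.
    """
    return (urlsplit(url.strip()).hostname or "").lower()


def analyze_url(url: str) -> list[str]:
    """Return human-readable flags for one URL; an empty list means nothing odd."""
    flags = []
    raw = url.strip()
    parts = urlsplit(raw)

    # 1. Runs of encoded spaces that push the real target out of view.
    spaces = raw.count("%20")
    if spaces >= 3:
        flags.append(f"{spaces} encoded spaces (%20) in URL")

    # 2. User info before '@': the visible "brand" is not the destination.
    if "@" in parts.netloc:
        flags.append(f"userinfo '{parts.username}' before '@'; real host is {parts.hostname}")

    # 3. Redundant protocol prefix: more than one scheme in the same string.
    schemes = SCHEME_RE.findall(raw)
    if len(schemes) > 1:
        flags.append(f"{len(schemes)} protocol prefixes in one URL")

    # 4. Characters that don't belong in a normal URL.
    for ch, name in (("$", "dollar sign"), ("\\", "backslash")):
        if ch in raw:
            flags.append(f"unusual character: {name}")

    # 5. Unicode dot lookalikes anywhere in the URL.
    for ch, name in DOT_LOOKALIKES.items():
        if ch in raw:
            flags.append(f"dot lookalike U+{ord(ch):04X} ({name})")

    # 6. An email address appended to the end of the link.
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    if EMAIL_TAIL_RE.search(unquote(tail)):
        flags.append("email address embedded at end of URL")

    return flags


# Constructed samples; evil.example uses the reserved .example TLD.
SAMPLE_URLS = [
    "https://login.microsoft.com/",
    "https://office365@evil.example/login",
    "https://https://evil.example/",
    "https://evil.example/login%20%20%20%20%20%20real",
    "https://secure\u2024example.com/",
    "https://evil.example/verify/alice@corp.example",
    "https://evil.example/$login",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample.encode("unicode_escape").decode(), "->", effective_host(sample))
        for flag in analyze_url(sample) or ["(no flags)"]:
            print("   ", flag)
```

Run as a script it prints each constructed sample with the host a browser would really use and the flags raised; imported, `analyze_url` can be dropped into a mail-gateway or SIEM enrichment step. None of the checks is a verdict on its own, but a link that trips two or more of them at once matches the pattern the article describes and is worth a closer look.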
Tracking Tycoon
The Campbell, California-based application, data, and network security firm and other vendors have been tracking Tycoon since its emergence in 2023 and detailing new techniques as the operators add them. The latest report comes as phishing continues to be a favored way for bad actors to gain access to networks and to the data they hold.
In its 2025 Email Threats Report released in April, Barracuda found that malicious or unwanted spam accounts for 24% of all email messages, 23% of HTML attachments are malicious, and 68% of malicious PDF attachments and 83% of malicious Microsoft documents contain QR codes that take victims to phishing sites.
The rising number and sophistication of phishing attacks is pushing organizations to look to MSSPs and MSPs to help protect them, according to Keepnet, which offers a platform for security awareness training and simulated phishing attacks.
The UK-based company earlier this year pointed to a CISA report that said more than 90% of cyberattacks begin with someone clicking on a phishing link.
“For MSPs and MSSPs, this statistic underscores a hard truth: human error remains the weakest link in cybersecurity defenses,” Keepnet stated.
A Booming Market for Platforms
Keepnet is among a growing number of companies that offer phishing simulation platforms to organizations and MSSPs, fueling a global market that is expected to grow from $113 billion this year to almost $184 billion by 2032.
Other vendors include Barracuda, KnowBe4, Sophos, Proofpoint, and HoxHunt.
BitLyft is an MSSP that offers its BitLyft AIR (Automated Incident Response) managed security service platform.
“Phishing remains one of the most dangerous and frequent cyber threats, targeting businesses of all sizes with increasingly deceptive tactics,” BitLyft founder and CEO Jason Miller wrote last month. “From credential harvesting to ransomware delivery, phishing is the gateway to some of the most damaging attacks.” Managed phishing security enables MSSPs to bring advanced tools and expertise to customers, Miller wrote, adding that “attackers use phishing because it works – and it’s cheap. ... Phishing exploits human error more than technical flaws. What makes it worse is how fast these attacks evolve. Without dedicated resources and continuous updates, even strong security teams can miss the signs until it’s too late.”