
Threat Spotlight: Tycoon phishing kit reveals new techniques to hide malicious links
Phishing emails often feature malicious links (URLs) that lead victims to fake websites where they are infected with harmful software or tricked into giving away personal information such as their account credentials.
As security tools get better at detecting and blocking these dangerous links, attackers find devious new ways of hiding them to get past security systems.
Barracuda’s threat analysts have reported previously on such evolving and increasingly sophisticated tactics. This article looks at some of the latest approaches the team is seeing in attacks involving the advanced phishing-as-a-service (PhaaS) kit, Tycoon. The attacks feature techniques designed to obscure, muddle and disrupt the structure of links. This is intended to confuse automated detection systems and ensure the links aren’t blocked.
Hiding links using spaces and obscure characters
The analysts found Tycoon using URL-encoding techniques to hide malicious links in attacks leveraging a trusted accounting service.
The attacks feature carefully crafted and tailored voicemail messages:

The URL encoding used by the attackers involves the following actions:
- Inserting a series of invisible spaces into the web address (using the code ‘%20’) to push the malicious part of the link out of sight of security scans
- Adding odd characters, like a ‘Unicode’ symbol that looks just like a dot but isn’t one
- Inserting a hidden email address or special code at the end of the web address
The encoded path can also serve as a tracker or trigger a malicious redirect.
This is what a URL with coded (%20) spaces looks like:


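The screenshot is not reproduced here. As an added example (written for this page, not Barracuda's code and nothing from the Tycoon kit), the Python below undoes the three tricks listed above on a constructed link: it measures the run of encoded spaces, reports non-ASCII characters that render like a period (the one-dot-leader U+2024 in the sample), and pulls out the email address that only appears once the link is percent-decoded. The sample URLs, the reserved `.example` hostname and the run-length threshold are assumptions.

```python
"""Added example, not Barracuda's code: normalise a link and flag the
URL-encoding tricks described above. Sample links are constructed."""
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Characters that render like an ASCII period but are not U+002E.
# NFKC folds the first three to '.'; U+3002 has no NFKC mapping, so it is listed.
DOT_LOOKALIKES = {
    "\u2024": ".",  # ONE DOT LEADER
    "\uff0e": ".",  # FULLWIDTH FULL STOP
    "\ufe52": ".",  # SMALL FULL STOP
    "\u3002": ".",  # IDEOGRAPHIC FULL STOP
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed threshold: legitimate links never carry this many encoded spaces in a row.
SPACE_RUN_THRESHOLD = 8


def normalize_url(url: str) -> str:
    """Return the link as a scanner should read it: percent-decoded once,
    NFKC-normalised, with dot lookalikes folded to a plain period."""
    text = unicodedata.normalize("NFKC", unquote(url))
    for ch, repl in DOT_LOOKALIKES.items():
        text = text.replace(ch, repl)
    return text


def analyze_url(url: str) -> dict:
    """Return {'normalized': <clean url>, 'flags': {<trick>: <evidence>}}."""
    flags = {}

    # 1. Runs of '%20' that push the real path out of view.
    runs = [len(r) // 3 for r in re.findall(r"(?:%20)+", url)]
    if runs and max(runs) >= SPACE_RUN_THRESHOLD:
        flags["encoded_space_run"] = max(runs)

    # 2. Non-ASCII characters that look like a period.
    decoded = unquote(url)
    lookalikes = sorted(
        f"U+{ord(c):04X}"
        for c in set(decoded)
        if c != "." and (c in DOT_LOOKALIKES or unicodedata.normalize("NFKC", c) == ".")
    )
    if lookalikes:
        flags["dot_lookalikes"] = lookalikes

    # 3. An email address hidden in the path, query or fragment
    #    (used to pre-fill the phishing page or to track the victim).
    normalized = normalize_url(url)
    parts = urlsplit(normalized)
    tail = " ".join((parts.path, parts.query, parts.fragment))
    emails = EMAIL_RE.findall(tail)
    if emails:
        flags["embedded_email"] = emails

    return {"normalized": normalized, "flags": flags}


# Constructed samples; '.example' is a reserved, non-resolving TLD.
CLEAN_URL = "https://accounting-share.example/view/INV-2291"
TRICKY_URL = (
    CLEAN_URL
    + "%20" * 24                         # 24 encoded spaces
    + "/office365%E2%80%A4com"           # U+2024 instead of '.'
    + "/auth%23victim%40example.com"     # '#victim@example.com' once decoded
)

if __name__ == "__main__":
    for link in (CLEAN_URL, TRICKY_URL):
        print(analyze_url(link)["flags"])
```

Decoding once before matching is the design point: a filter that pattern-matches the raw string sees `%E2%80%A4` and `%40` as harmless noise, while the normalised form exposes the lookalike domain and the embedded address together.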
By using unexpected and unusual codes and symbols and making the visible web address look less suspicious and more like a normal website, the encoding technique is designed to trick security systems and make it harder for recipients and traditional filters to recognize the threat.
The Tycoon attacks also include a fake verification stage — a convincing CAPTCHA ‘prove you’re not a robot’ test — to make the website seem more legitimate and bypass basic security checks.
Adding extra parts to a web address to hide the real destination
Analysts also found attackers using the Redundant Protocol Prefix technique. This involves crafting a URL that is only partially hyperlinked or that contains invalid elements — such as two ‘https’ or no ‘//’ — to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn’t arouse suspicion among targets or their browser controls.
Another trick is using the ‘@’ symbol in a web address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365’. The link’s actual destination comes after the ‘@’.
For example:
- What recipients and filters see: hxxps:office365Scaffidips[.]azgcvhzauig[.]es\If04
- Where it really goes: after the ‘@’, to a hidden, attacker-run website
Attackers may also use web addresses with strange symbols, such as backslashes ‘\’ or dollar signs ‘$’, which aren’t normally used in URLs. These odd characters can disrupt how security tools read the address, helping a toxic link to slip unnoticed through automated detection systems.
The analyst team has recently seen Redundant Protocol tactics used in a Tycoon attack impersonating Microsoft 365.
In this instance, the attackers crafted a URL where the first part is benign and hyperlinked, and the second, malicious part appears as plain text. When users copy and paste the entire URL into their browser, it leads them to a credential-stealing phishing page belonging to the Tycoon phishing kit. Since the malicious part of the link isn’t part of the hyperlink, security tools that only inspect link targets don’t read it properly.

Abusing subdomains to look trustworthy
The Tycoon attack also featured another benign/malicious split, this time for subdomains.
The attackers created fake websites using names seemingly linked to well-known companies, for example ‘office365Scaffidips.azgcvhzauig.es’. This gives the impression that the user is dealing with a Microsoft subdomain. However, the last part of the web address, ‘azgcvhzauig.es’, is the registered domain that actually decides where the link goes, and it is an attacker-owned phishing site.
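As an added example covering both the ‘@’/redundant-prefix tricks and the subdomain trick above (written for this page, not Barracuda's code and nothing from the Tycoon kit), the Python below resolves a link to the host a browser would actually contact, then checks whether a brand name sits in a subdomain label rather than in the registrable domain. The brand keyword list and the tiny public-suffix table are assumptions; the host string is the one quoted in the article, and the links built around it are constructed.

```python
"""Added example, not Barracuda's code: resolve a link to the host a browser
would contact and check for brand names parked in a subdomain. The host
string is the one quoted in the article; the links are constructed."""
import re

# Assumptions: brand words an organisation cares about, and a tiny stand-in
# for the Public Suffix List that a real deployment would use instead.
BRAND_KEYWORDS = ("office365", "microsoft", "sharepoint")
PUBLIC_SUFFIXES = ("co.uk", "com", "es", "net", "org")
SCHEME_RE = re.compile(r"(https?):[/\\]*", re.IGNORECASE)


def effective_destination(link: str) -> dict:
    """Parse the way browsers do for http(s) links: repeated scheme prefixes
    and a missing '//' are tolerated, '\\' counts as '/', and the host is
    whatever follows the last '@' in the authority section.
    (IPv6 literals are not handled; assumption for brevity.)"""
    rest = link.strip()
    schemes = []
    while (m := SCHEME_RE.match(rest)):
        schemes.append(m.group(1).lower())
        rest = rest[m.end():]
    pieces = re.split(r"[/\\?#]", rest, maxsplit=1)
    authority = pieces[0]
    path = "/" + pieces[1] if len(pieces) > 1 else "/"
    userinfo, _, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0].lower().rstrip(".")
    return {
        "scheme": schemes[-1] if schemes else None,
        "redundant_prefixes": max(len(schemes) - 1, 0),
        "userinfo": userinfo or None,   # decoy text the recipient sees first
        "host": host,                   # where the browser actually goes
        "path": path,
        "odd_chars": sorted({c for c in link if c in "\\$"}),
    }


def registrable_domain(host: str) -> tuple[list[str], str]:
    """Split a host into (subdomain labels, registrable domain)."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return labels[:-1], labels[-1] + "." + suffix
    labels = host.split(".")  # fallback: treat the last two labels as registrable
    return labels[:-2], ".".join(labels[-2:])


def brand_in_subdomain(host: str) -> list[str]:
    """Brand keywords that appear only in subdomain labels, never in the
    registrable domain: the pattern the article describes."""
    subdomains, registrable = registrable_domain(host.lower())
    joined = ".".join(subdomains)
    return [b for b in BRAND_KEYWORDS if b in joined and b not in registrable]


ARTICLE_HOST = "office365Scaffidips.azgcvhzauig.es"  # quoted in the article
# Constructed links: doubled scheme, 'office365' as userinfo, backslash in the path.
SAMPLE_AT = "https:https://office365@" + ARTICLE_HOST + "\\If04"
SAMPLE_NO_SLASHES = "https:" + ARTICLE_HOST + "/If04"

if __name__ == "__main__":
    for link in (SAMPLE_AT, SAMPLE_NO_SLASHES):
        dest = effective_destination(link)
        print(link, "->", dest["host"], brand_in_subdomain(dest["host"]))
```

The two checks complement each other: `effective_destination` discards the reassuring text before the ‘@’ and the extra `https:`, and `brand_in_subdomain` then asks whether the only thing tying the remaining host to Microsoft is a label the attacker chose.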
Conclusion
Attackers are constantly inventing new and more sophisticated ways to disguise dangerous links in phishing emails. They use tricks with spaces, symbols and web addresses in a way that looks trustworthy at first glance. These methods make it much harder for people — and traditional security software — to tell if they are being lured to a risky website.
The best defense is a multilayered approach with various levels of security that can spot, inspect and block unusual or unexpected activity. Solutions that include AI and machine-learning capabilities, both at the email gateway level and post-delivery, will ensure companies are well protected. As with all email-borne threats, security measures should be complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them.
Note: Ashitosh Deshnur assisted with the research for this report.
Barracuda’s threat analysts report regularly on evolving email threats and attack tactics. Subscribe to our blog for updates.