Email Threat Radar — November 2025
Over the last month, Barracuda threat analysts have seen the following notable developments in email-based threats targeting organizations:
- New tools and tactics for the Tycoon 2FA phishing kit
- Invisible characters that help Cephas kit evade scanners and rules
- A sophisticated attack involving steganography (image-concealed malware)
What’s new in Tycoon’s toolkit
Tycoon 2FA is a prominent and successful phishing kit that continues to be a serious threat to business despite being around since August 2023. Tycoon’s main goal is to steal login details from Microsoft 365 and, more recently, Google Workspace accounts. It tricks employees into handing over passwords and two-factor authentication codes.
What makes Tycoon dangerous is how often it changes. Each new version includes small but clever updates that help it to avoid detection by traditional security tools.
Here are some of the latest changes seen in recent versions:
- CAPTCHA challenges: To appear more legitimate and to slow down automated security tools, Tycoon now includes different types of CAPTCHA tests, including image-based puzzles and “press and hold” challenges.
- Dynamic execution: The kit's hidden code is only fully revealed and run once the page is loaded, helping it to stay under the radar.
To protect against such attacks: Implement security solutions that offer layered security controls. Look for ones that offer anti-phishing tools, adaptive authentication and continuous monitoring to help detect the kind of intercepting adversary-in-the-middle (AiTM) tactics used by threats like Tycoon 2FA.
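One concrete form the "continuous monitoring" above can take is a sign-in log correlation: an AiTM proxy lets the victim complete MFA through the attacker's relay, after which the captured session is used from the attacker's own infrastructure, so the same session shows MFA from one IP and token use from another within minutes. The script below is an added illustration written for this post, not Barracuda's code or a Tycoon 2FA artifact; the event records are constructed and their field names (`event`, `session`, `mfa`) are assumptions modelled on a generic cloud identity log rather than any vendor's real schema.

```python
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs). Field names are assumptions modelled
# on a generic cloud identity log; IPs come from documentation ranges.
EVENTS = [
    {"time": "2025-11-03T08:01:10Z", "user": "alice@example.invalid", "event": "signin",
     "ip": "203.0.113.10", "session": "s-1", "mfa": "satisfied"},
    {"time": "2025-11-03T08:04:30Z", "user": "alice@example.invalid", "event": "token_use",
     "ip": "198.51.100.7", "session": "s-1", "mfa": None},
    {"time": "2025-11-03T09:15:00Z", "user": "bob@example.invalid", "event": "signin",
     "ip": "203.0.113.22", "session": "s-2", "mfa": "satisfied"},
    {"time": "2025-11-03T09:40:00Z", "user": "bob@example.invalid", "event": "token_use",
     "ip": "203.0.113.22", "session": "s-2", "mfa": None},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_relay(events, window=timedelta(minutes=30)):
    """Flag sessions whose MFA-satisfied sign-in came from one IP and whose token was
    then used from a different IP within `window`. That hop is the footprint an AiTM
    relay leaves; legitimate causes (Wi-Fi to mobile, VPN connect) exist too, so treat
    hits as triage leads, not verdicts."""
    origin = {}  # session id -> (user, ip at MFA time, time of MFA)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = parse_ts(e["time"])
        if e["event"] == "signin" and e["mfa"] == "satisfied":
            origin[e["session"]] = (e["user"], e["ip"], t)
        elif e["event"] == "token_use" and e["session"] in origin:
            user, mfa_ip, t0 = origin[e["session"]]
            if e["ip"] != mfa_ip and t - t0 <= window:
                alerts.append({
                    "user": user,
                    "session": e["session"],
                    "mfa_ip": mfa_ip,
                    "use_ip": e["ip"],
                    "minutes_after_mfa": (t - t0).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_relay(EVENTS):
        print(alert)
```

Run as-is it reports only alice's session, which satisfied MFA from 203.0.113.10 and was then used from 198.51.100.7 a few minutes later; bob's session stays on one address and is not flagged. In production the same logic is usually enriched with ASN or geolocation so that a hop between two addresses of the same mobile carrier does not fire.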
Cephas kit uses invisible characters to block scanners and rules
Cephas is an emerging phishing kit first seen in August 2024. The code features a significant number of astronomy and bible-related comments.
What makes Cephas noteworthy is that it implements a distinctive and uncommon obfuscation technique. The kit obscures its code by inserting random invisible characters into the source code, so that anti-phishing scanners and signature-based YARA rules looking for the exact phishing methods no longer find a match.
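The defensive counter to this trick is to normalize away non-rendering code points before signatures run, and to treat an unusual density of such characters as a signal in its own right. The scanner below is an added example written for this post, not Barracuda's code and not code taken from the Cephas kit; the zero-width character set, the two "signatures" and the lure page are all constructed for illustration.

```python
import re
import unicodedata

# Zero-width and other non-rendering code points that can be scattered through
# source text without changing how it displays. Assumption: a general-purpose set,
# not a list recovered from the Cephas kit.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}


def is_invisible(ch: str) -> bool:
    """True for code points that render no glyph (explicit set plus Unicode 'Cf' format chars)."""
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def normalize(source: str) -> str:
    """Drop invisible code points so signatures see the text the way a browser shows it."""
    return "".join(ch for ch in source if not is_invisible(ch))


def invisible_stats(source: str):
    """Return (count, ratio) of invisible code points; legitimate pages have very few."""
    count = sum(1 for ch in source if is_invisible(ch))
    return count, (count / len(source) if source else 0.0)


# Constructed signatures standing in for YARA-style string rules (not real rules).
SIGNATURES = {
    "lure_text": re.compile(r"Sign in to your account"),
    "password_field": re.compile(r'<input[^>]*type="password"'),
}


def scan(source: str, max_ratio: float = 0.02) -> dict:
    """Run the signatures on the raw and the normalized text and report invisible-char density."""
    raw_hits = [name for name, rx in SIGNATURES.items() if rx.search(source)]
    normalized_hits = [name for name, rx in SIGNATURES.items() if rx.search(normalize(source))]
    count, ratio = invisible_stats(source)
    return {
        "raw_hits": raw_hits,
        "normalized_hits": normalized_hits,
        "invisible_count": count,
        "invisible_ratio": round(ratio, 4),
        "high_density": ratio > max_ratio,
    }


# Constructed sample: a toy lure page with zero-width characters inserted into the
# visible text and between tags, where they do not change what the victim sees.
SAMPLE = (
    "<html><body>\n"
    "<h1>Si\u200bgn in to yo\u200cur acc\u200bount</h1>\n"
    '<form>\u200d<input type="password" name="p">\u2060</form>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On the constructed sample the `lure_text` signature misses the raw page and matches only after normalization, while the five inserted code points push the invisible-character ratio past the 2% threshold. YARA itself cannot strip characters before matching, so the normalization step belongs in the pipeline that feeds it; the density check is cheap enough to run on every page regardless.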
To protect against such attacks: Enforce MFA for all users, especially for cloud services like Microsoft 365. Consider using phishing-resistant methods such as hardware security keys rather than SMS or app-based codes.
Stealthy malware hides in images to avoid detection
Steganography is a sophisticated attack technique that involves hiding data inside something that looks harmless, such as an image. Unlike encryption, which hides data content, steganography hides the existence of data. This makes it much harder to detect.
Barracuda’s threat analysts recently spotted a phishing campaign leveraging steganography.
The attack starts with a phishing email that looks like a genuine business message, such as an order or pricing inquiry. In the samples analyzed, the emails included links to files hosted on a popular and legitimate file sharing service.
However, the files are actually malicious JavaScript files that have been heavily disguised to make it hard for security systems to recognize them as dangerous.
By hiding malware inside images and using trusted platforms, the attackers bypass many traditional security measures.
The malware used in this phishing campaign also leverages several other sophisticated tricks to stay hidden:
- It disguises its code with confusing names and scrambled text.
- It runs commands in the background without showing any windows.
- It avoids writing anything to disk and instead hides in the device’s memory, making it harder to trace.
This attack shows how everyday email threats are now using advanced and subtle techniques previously mainly associated with apex attackers like advanced persistent threats (APTs).
To protect against such attacks: Look for warning signs such as the appearance of unusually large media files or files containing duplicate content, as well as unexpected outbound traffic or traffic to unknown domains.
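A file that looks like an image but carries extra data is the kind of "unusually large media file" mentioned above, and the simplest way to catch one is to parse the container rather than trust the extension. The checker below is an added example for this post, not Barracuda's code and not a reconstruction of the specific steganography used in the campaign (which the post does not detail); it covers one common smuggling method, data appended after a PNG's final IEND chunk, and the image and the appended blob are both constructed in the script.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Walk the PNG chunk list; return (chunks, offset just past IEND). Raises on malformed input."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            raise ValueError("truncated chunk")
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": ctype.decode("ascii", "replace"), "length": length, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def inspect_png(data: bytes, max_trailing: int = 0) -> dict:
    """Report bytes after IEND and CRC mismatches; either one means the file is not just an image."""
    chunks, end = png_chunks(data)
    trailing = len(data) - end
    findings = []
    if trailing > max_trailing:
        findings.append(f"{trailing} bytes after IEND")
    bad = [c["type"] for c in chunks if not c["crc_ok"]]
    if bad:
        findings.append("CRC mismatch in " + ", ".join(bad))
    return {"chunks": chunks, "trailing_bytes": trailing, "findings": findings, "suspicious": bool(findings)}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png() -> bytes:
    """Constructed 1x1 RGB PNG (one red pixel) used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, compression, filter, interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one RGB pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


CLEAN = make_png()
# Constructed: the same image with an inert text blob appended after IEND. Image viewers
# render both files identically, which is why the check parses structure instead of opening them.
APPENDED_PAYLOAD = b"PLACEHOLDER-APPENDED-DATA " * 8
TAMPERED = CLEAN + APPENDED_PAYLOAD

if __name__ == "__main__":
    print("clean:   ", inspect_png(CLEAN)["findings"])
    print("tampered:", inspect_png(TAMPERED)["findings"])
```

The same idea extends to JPEG (data after the EOI marker) and to PNG ancillary chunks whose size is out of proportion to the image, which is where the "unusually large media file" heuristic comes from. Trailing data is not proof of malice on its own, since some tools leave benign junk there, but it is a reliable trigger for a closer look at the file and at whatever script referenced it.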
Strengthen your security with multi-modal AI-based email protection that includes heuristic and behavioral analysis and can correlate and analyze a wide range of text and visual data types — including URLs, documents, images, QR codes and more.
It is also worth blocking macros in documents by default and restricting the range of file types allowed through email and web uploads.
How Barracuda Email Protection can help your organization
Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.
It includes capabilities such as Email Gateway Defense, which protects against phishing and malware, and Impersonation Protection, which safeguards against social engineering attacks.
Additionally, it provides Incident Response and Domain Fraud Protection to mitigate risks associated with compromised accounts and fraudulent domains. The service also includes Cloud-to-Cloud Backup and Security Awareness Training to enhance overall email security posture.
Barracuda combines artificial intelligence and deep integration with Microsoft 365 to provide a comprehensive cloud-based solution that guards against potentially devastating, hyper-targeted phishing and impersonation attacks.
Further information is available here.