Barracuda threat analysts have published a report on the latest techniques being used by the Tycoon phishing-as-a-service (PhaaS) kit to hide malicious links in emails. The techniques are designed to obscure, muddle and disrupt the structure of links, or URLs, with the aim of confusing automated detection systems and ensuring the links aren’t blocked.
The URL obscuring techniques detected by Barracuda threat analysts include:
· Inserting a series of invisible spaces into the malicious link by entering the code ‘%20’ repeatedly in its address line.
· Adding obscure characters such as a ‘Unicode’ symbol into the link that looks just like a dot but isn’t one.
· Inserting a hidden email address or special code at the end of the link.
· Crafting a URL that is only partially hyperlinked or which contains invalid elements – such as two ‘https’ or no ‘//’ – to hide the real destination of the link while ensuring the active part looks benign.
· Using the ‘@’ symbol in the link address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365’. The link’s actual destination comes after the ‘@’.
· Using web links with strange symbols, such as backslashes ‘\’ or dollar signs ‘$’, which aren’t normally used in URLs. These odd characters can disrupt how security tools read the address, helping a toxic link to slip unnoticed through automated detection systems.
· Creating a URL where the first part is benign and hyperlinked, and the second, malicious, part appears as plain text. Since the malicious part of the link isn’t connected to anything, it isn’t read properly by security tools.
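As an added illustration (not code from the Barracuda report), a small Python checker that flags the URL tricks listed above and shows where a browser would really send the user. The lookalike-dot set, the thresholds and the sample URLs are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Code points that render like a dot but are not U+002E (constructed, not exhaustive)
DOT_LOOKALIKES = {"\u3002", "\uff0e", "\u2024", "\ufe52", "\u0701", "\u00b7"}


def url_obfuscation_flags(url: str) -> list[str]:
    """Return the names of the obscuring tricks found in a URL (empty list = none seen)."""
    flags = []
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable"]  # e.g. an unbalanced '[' in the host part
    # Repeated '%20' (invisible spaces) padding the address
    if re.search(r"(?:%20){3,}", url, re.IGNORECASE):
        flags.append("space_padding")
    # A Unicode character that looks like a dot but is not one
    if any(ch in DOT_LOOKALIKES for ch in url):
        flags.append("unicode_dot")
    # Structurally invalid link: two scheme prefixes, or a scheme with no '//'
    if len(re.findall(r"https?:", url, re.IGNORECASE)) > 1:
        flags.append("duplicate_scheme")
    if re.match(r"https?:(?!//)", url, re.IGNORECASE):
        flags.append("missing_slashes")
    # '@' in the authority: the browser discards everything before it as user info
    if "@" in parts.netloc:
        flags.append("userinfo_at")
    # Characters that normal links do not carry
    if re.search(r"[\\$]", url):
        flags.append("odd_chars")
    # An email address hidden as the last fragment/query/path token
    if re.search(r"[#?&/][^#?&/]*@[^#?&/]+\.[a-z]{2,}$", unquote(url), re.IGNORECASE):
        flags.append("trailing_email")
    return flags


def real_destination(url: str):
    """Host the browser would actually connect to (None if the URL cannot be parsed)."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed samples; 'evil.example' and 'corp.example' are placeholders
    for sample in ("https://office365.com@evil.example/login",
                   "https://evil.example/%20%20%20%20login",
                   "https://www.example.com/path?q=1"):
        print(sample, "->", real_destination(sample), url_obfuscation_flags(sample))
```

Run the checks over the href of every link in an incoming message rather than over the visible anchor text, since the page explains that the displayed part is what attackers keep benign.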
“Security tools are increasingly effective at spotting and blocking malicious links in phishing emails, and this is driving attackers to continuously invent new and more sophisticated ways to disguise such links,” said Saravanan Mohankumar, Manager, Threat Analysis team at Barracuda. “Attackers use tricks with spaces, symbols and web addresses that look trustworthy at first glance but which make it much harder for people and traditional security software to spot that they lead to a dangerous website.”
The best defence against such new and emerging techniques is a multilayered approach, with various levels of security that can spot, inspect and block unusual or unexpected activity. Solutions that include AI and machine-learning capabilities, both at the email gateway level and post-delivery, will ensure companies are well protected. As with all email-borne threats, security measures should be complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them.
National, 04th September, 2025