Tycoon Phishing Kit Unveils New Link-Hiding Tricks
Designed Specifically to Obscure, Muddle, and Disrupt the Structure of Links or URLs.

Barracuda threat analysts have published a report on the latest techniques being used by the Tycoon phishing-as-a-service (PhaaS) kit to hide malicious links in emails. The techniques are designed to obscure, muddle, and disrupt the structure of links, or URLs, with the aim of confusing automated detection systems and ensuring the links are not blocked.
The URL obscuring techniques detected by Barracuda threat analysts include inserting a series of invisible spaces into the malicious link by entering the code ‘%20’ repeatedly in its address line, and adding obscure characters such as a ‘Unicode’ symbol into the link that looks just like a dot but is not one. Attackers may also insert a hidden email address, or special code, at the end of the link.
Other tactics used by the Tycoon phishing kit include:
- Crafting a URL that is only partially hyperlinked, or which contains invalid elements – such as two ‘https’ or no ‘//’ – to hide the real destination of the link, while ensuring the active part looks benign.
- Using the ‘@’ symbol in the link address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365’. The link’s actual destination comes after the ‘@’.
- Using web links with strange symbols, such as backslashes ‘\’, or dollar signs ‘$’, which are not normally used in URLs. These odd characters can disrupt how security tools read the address, helping a toxic link to slip unnoticed through automated detection systems.
- Creating a URL where the first part is benign and hyperlinked, and the second, malicious, part appears as plain text. Since the malicious part of the link is not connected to anything, it is not read properly by security tools.
“Security tools are increasingly effective at spotting and blocking malicious links in phishing emails, and this is driving attackers to continuously invent new and more sophisticated ways to disguise such links,” said Saravanan Mohankumar, Manager, Threat Analysis Team, at Barracuda. “Attackers use tricks with spaces, symbols, and web addresses that look trustworthy at first glance, but which make it much harder for people—and traditional security software—to spot that they lead to a dangerous website.”
According to Barracuda, the best defence against such new and emerging techniques is a multilayered approach, with various levels of security that can spot, inspect, and block unusual or unexpected activity. Solutions that include Artificial Intelligence and Machine Learning capabilities, both at the email gateway level and post-delivery, will ensure companies are well protected. As with all email-borne threats, security measures should be complemented by active, and regular, security awareness training for employees on the latest threats, and how to spot and report them.
Read the full blog about the Tycoon phishing kit on https://blog.barracuda.com/2025/09/03/threat-spotlight-tycoon-phishing-kit-hide-malicious-links.



