Over the past month, we’ve seen several clever and increasingly subtle phishing techniques circulating in the wild. These aren’t the obvious “bad spelling and strange links” emails many people expect — they’re designed to blend into normal, trusted workflows.

The examples below are based on recent investigations by Barracuda threat analysts and provide a useful snapshot of how attackers are adapting their tactics to bypass traditional security controls and human suspicion.

QR Code Phishing Using HTML Tables (Tycoon Phishing Kit)

What’s happening

One of the more interesting techniques involves the Tycoon phishing kit, which now generates QR codes using HTML tables instead of image files.

Rather than embedding a normal QR code image (which email security tools can often detect), attackers build the QR code using hundreds of tiny black-and-white table cells written in HTML. When the email is opened in Outlook or Gmail, these cells visually align to form a fully scannable QR code — even though there is no actual image or clickable link.

The email itself usually contains very little text, often just a short instruction encouraging the recipient to scan the code using their phone.

Because there’s no image attachment, no obvious URL, and no traditional link, many automated security tools see this as harmless formatting rather than a threat. When scanned, the QR code directs the victim to a phishing page created using the Tycoon Phishing-as-a-Service (PhaaS) platform.

How to stay safe

• Avoid scanning QR codes in emails you weren’t expecting
• Be cautious of emails with minimal text and urgent instructions
• Preview the destination URL before opening it — most phones allow this
• Educate staff about QR-code-based phishing
• Use multi-factor authentication (MFA)

Callback Phishing via Microsoft Teams

What’s happening

This campaign, first observed in December 2025, exploits trust in Microsoft Teams rather than email.

Attackers add victims to Teams groups with urgent or official-sounding names. Inside the group, they post messages claiming there is an unpaid invoice, auto-renewal charge, or unauthorised transaction. To “fix” the issue, the recipient is instructed to call a phone number — which is controlled by the attackers.

Once the call is made, attackers attempt to extract credentials, payment details, or other sensitive information. Because this technique relies on social engineering and trusted platforms, it can bypass many email-focused security controls.

How to stay safe

• Review Teams settings to prevent automatic addition to unknown external groups
• Train staff to treat urgent payment requests with caution
• Provide a clear internal process to verify financial or account-related requests
• Use MFA
• Extend security monitoring to collaboration tools

Facebook-Themed “Infringement Warning” Emails with Fake Browser Windows

What’s happening

This phishing campaign impersonates legitimate Facebook copyright or legal warning emails. Victims are told they’ve infringed Facebook policies and must review “details of infringement.”

Clicking the link opens what looks like a normal browser window asking the user to log in to Facebook. In reality, it’s a static, fake webpage designed to capture login credentials.

The visual realism of the fake browser window makes the scam convincing, especially for users who manage business or advertising accounts.

How to stay safe

• Be cautious of emails referencing legal issues or account violations
• Verify the sender independently before clicking links
• Use MFA on social media accounts
• Educate staff on realistic phishing techniques

Sneaking Malicious Links Past Filters Using Lookalike Characters

What’s happening

Threat analysts have identified attackers using the division slash (∕) instead of the standard forward slash (/) in URLs.

While the difference is almost invisible to humans, automated security systems may fail to recognise these links as malicious. As a result, the links can bypass detection and redirect victims to unexpected or harmful destinations.

How to stay safe

• Examine links carefully, especially in unexpected emails
• Avoid clicking links that behave oddly or redirect unexpectedly
• Keep email and web security tools updated
• Encourage staff to report suspicious emails

A CSB Perspective

These examples highlight a broader trend: phishing is becoming more creative, more contextual, and harder to spot.

Attackers are deliberately targeting:

• Trusted platforms (Teams, Facebook)
• New interaction patterns (QR codes, chat messages)
• Subtle technical gaps (lookalike characters, HTML tricks)

The goal isn’t to scare users — it’s to quietly bypass both human judgment and automated defences.

The most effective defence remains a combination of:

• User awareness
• Strong authentication
• Security controls that extend beyond email
• Clear reporting and verification processes