Cybercriminals are deploying increasingly sophisticated tactics to bypass email security systems, including QR codes built from HTML tables and fake Microsoft Teams notifications, according to Barracuda threat analysts.
The Tycoon phishing kit has introduced a technique that constructs scannable QR codes using HTML table cells rather than traditional image files, enabling malicious codes to evade detection by conventional email security tools. The method arranges individual table cells in black-and-white patterns that form functional QR codes when displayed in email applications.
Barracuda threat analysts reported the attacks typically begin with phishing emails containing minimal text, often instructing recipients to scan the code using a mobile device. Because no actual image file exists, automated security systems fail to recognise the threat.
“Instead of inserting a normal picture of a QR code – something security systems can easily spot – the QR code is built out of tiny table cells using HTML,” the January 2026 Email Threat Radar report said.
When scanned, the codes direct victims to phishing pages created through the Tycoon Phishing-as-a-Service platform.
A separate campaign exploits Microsoft Teams by adding targets to groups with urgent-sounding names and presenting fake invoices or unauthorised charge notices. The attackers provide fraudulent support numbers to steal credentials and payment details.
The campaign was first reported in December 2025 and relies on the trust users place in Microsoft Teams to increase success rates. The attacks bypass security defences through social engineering rather than technical vulnerabilities.
Facebook-themed phishing scams have also emerged since late September 2025, warning recipients of copyright infringement through messages that mimic legitimate legal warnings. The emails include links to phishing forms disguised as browser windows where attackers capture login credentials.
Threat analysts have additionally identified attackers using division slash characters (∕) instead of standard forward slashes (/) in malicious links. The Unicode character, primarily used in mathematical notation, creates a barely noticeable difference that causes traditional automated security systems to fail.
Barracuda recommends organisations implement multifactor authentication, educate employees about phishing tactics, and avoid scanning unexpected QR codes. Users should verify sender legitimacy and examine links closely before clicking, particularly in unsolicited emails.
Security settings for collaboration tools such as Microsoft Teams should prevent automatic additions to external groups, and organisations should extend security solutions to cover these platforms.
The report emphasises the importance of keeping email and web security tools updated to detect obfuscated URLs and encourages employees to report suspicious communications through established channels.
