Email Threat Radar - January 2026
Barracuda Networks, Thursday, January 22nd, 2026
The Tycoon phishing kit is using a technique that involves building fully scannable QR codes out of HTML table cells. This enables malicious QR codes to evade detection by traditional email tools. The attack starts with a phishing email containing very little text, often just a short instruction to scan the code using a mobile device.
Over the last month, Barracuda threat analysts have investigated the following email threats targeting organizations and their employees:
- Tycoon phishing kit using QR codes built out of HTML tables
- Callback phishing through Microsoft Teams
- Facebook-themed 'infringement warnings' using fake pop-ups
- How using (∕) instead of (/) can sneak malicious links past detection
Instead of inserting a normal picture of a QR code - something security systems can easily spot - the QR code is built out of tiny table cells using HTML (HyperText Markup Language, the basic language used to create web content). Each cell is colored either black or white, and together they form the pattern of a real QR code. When the email is opened in a mail app (like Outlook or Gmail), these cells line up visually, and the result looks just like a regular scannable QR code image.