A new phishing campaign uses hidden Unicode characters in email subject lines to sneak past security filters and trick recipients.
According to Cyber Press, security researchers have discovered a phishing tactic where attackers embed invisible Unicode characters, specifically soft hyphens, into email subject lines using MIME encoding. The method is designed to evade keyword-based detection tools and has been observed targeting organizations globally.
The attack leverages the MIME encoded-word format (as defined in RFC 2047), inserting soft hyphens (Unicode U+00AD) between letters. Though undetectable by the recipient, this manipulation disrupts how filters detect suspicious phrases, allowing malicious emails to bypass protections.
The tactic was observed in emails with subject lines encoded in Base64, which, once decoded, read as familiar security alerts such as “Your Password is About to Expire.” However, soft hyphens were inserted between each character, breaking up the keywords used by filtering systems.
While the use of invisible characters in message bodies has been documented since at least 2021, applying this to subject lines is less common and more difficult to detect. Microsoft previously noted similar techniques in body content but stated that subject line manipulation poses new detection challenges.
The phishing email in question also included soft hyphens in the message body and directed recipients to a spoofed login page hosted on a compromised domain, designed to harvest credentials. The attackers’ strategy combined subject obfuscation, body manipulation, and social engineering: an increasingly layered approach to bypassing traditional defenses.
Microsoft Threat Intelligence has reported on invisible Unicode techniques in phishing messages for several years, noting their use in evading keyword scans. Researchers analyzing the new method recommend updating detection rules to decode MIME-encoded headers before applying filters, and to flag excessive use of formatting control characters like soft hyphens.
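As an added example (not code from the Cyber Press research or from Paubox), the decode-then-filter check recommended above in Python: the subject is first decoded from its RFC 2047 encoded-word form, Unicode format-control characters such as U+00AD are stripped and counted, and only then is the keyword match applied. The keyword list, the control-character threshold and the sample subject are constructed assumptions.

```python
import base64
import unicodedata
from email.header import decode_header, make_header

# Assumed keyword list; real filters carry many more phrases.
KEYWORDS = ("password is about to expire", "verify your account")


def decode_subject(raw_header: str) -> str:
    """Decode an RFC 2047 header such as =?utf-8?B?...?= into plain text."""
    return str(make_header(decode_header(raw_header)))


def strip_format_chars(text: str) -> tuple[str, int]:
    """Drop Unicode category Cf characters (U+00AD SOFT HYPHEN, zero-width
    spaces, etc.) and report how many were removed."""
    kept = [ch for ch in text if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(text) - len(kept)


def analyze_subject(raw_header: str, max_format_chars: int = 2) -> dict:
    """Decode, normalise, then match. 'naive_hit' shows what a filter that
    matches before stripping would have seen."""
    decoded = decode_subject(raw_header)
    cleaned, removed = strip_format_chars(decoded)
    lowered = cleaned.lower()
    hits = [k for k in KEYWORDS if k in lowered]
    return {
        "cleaned": cleaned,
        "format_chars": removed,
        "naive_hit": any(k in decoded.lower() for k in KEYWORDS),
        "keyword_hits": hits,
        # Assumed policy: flag on a keyword hit or on an excess of control characters.
        "suspicious": bool(hits) or removed > max_format_chars,
    }


# Constructed sample: the alert text from the article with U+00AD between every
# character, wrapped in a Base64 encoded-word as the page describes.
_SAMPLE_TEXT = "Your Password is About to Expire"
_SAMPLE_B64 = base64.b64encode("\u00ad".join(_SAMPLE_TEXT).encode("utf-8")).decode("ascii")
SAMPLE_SUBJECT = f"=?utf-8?B?{_SAMPLE_B64}?="

if __name__ == "__main__":
    print(analyze_subject(SAMPLE_SUBJECT))
    print(analyze_subject("Lunch on Friday"))
```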
The use of invisible Unicode characters in email subject lines reveals how phishing attacks continue to adapt faster than static security tools. Attackers are no longer relying only on social engineering; they’re now exploiting the technical blind spots of email infrastructure itself. Manipulating subject line encoding allows malicious messages to slip past filters and reach inboxes while appearing completely normal to human recipients.
Paubox recommends Inbound Email Security to combat these subtle and highly evasive techniques. Its generative AI analyzes message behavior, structure, and tone rather than relying on keyword-based rules. That deeper contextual analysis helps detect hidden obfuscation patterns, ensuring phishing emails that disguise their intent through encoding tricks are intercepted before delivery.
A soft hyphen is a Unicode character (U+00AD) that is typically invisible unless a line break occurs. Attackers use it to split up keywords in a way that disrupts automated detection without affecting how the email appears to the user.
MIME encoded-word format is a standard used to include non-ASCII characters in email headers. In this case, attackers used it to insert invisible characters in subject lines while encoding the entire line in Base64.
Subject lines are a key trigger for spam and phishing filters. Manipulating the subject line can prevent emails from being flagged before recipients even open them, increasing the success rate of phishing attempts.
Detection rules should be updated to decode MIME-encoded subject lines before filtering and scan for unusual patterns such as excessive use of soft hyphens or other control characters.
Organizations should implement layered email security that includes header decoding, Unicode character detection, and behavioral analysis of email links and content. Educating users on phishing tactics also remains essential.