A recent phishing campaign has been identified using invisible characters to sneak past email security filters, according to Jan Kopriva from the SANS Internet Storm Center.

The attackers insert soft hyphens into the subject line—specifically in the phrase “Your Password is About to Expire.” While these characters disrupt keyword-based detection in security tools, they remain invisible to most email clients. To users, the subject line appears completely normal.

Kopriva explains that although soft hyphens are not technically invisible, “Outlook as well as most other e-mail clients don’t render them as visible text in most cases.” By combining these characters with the technique of splitting the subject into multiple MIME-encoded words, the attackers are intentionally trying to evade automated filters designed to catch malicious messages.

The body of the email is also packed with hidden soft hyphens. Humans will read a typical password-reset prompt, but security systems see text broken apart by invisible characters—making detection much more difficult.

Kopriva notes that while the use of invisible characters in phishing emails is fairly common, “it is quite unusual to see it also applied to the subject of a message.”
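The filter-side countermeasure to the technique described above, as an added example that is not code from the article or from SANS: decode every MIME encoded word in the subject, strip Unicode format characters (category Cf, which includes the soft hyphen U+00AD), and only then run keyword matching. The sample subject, the keyword list and the function names are constructed for illustration.

```python
import unicodedata
from email.header import decode_header, make_header

# Constructed sample: the article's subject with soft hyphens (U+00AD, UTF-8
# bytes C2 AD) inserted and the text split across two RFC 2047 encoded words.
SAMPLE_SUBJECT = ("=?UTF-8?Q?Your_Pass=C2=ADword_is_?= "
                  "=?UTF-8?Q?Ab=C2=ADout_to_Ex=C2=ADpire?=")

# Hypothetical keyword list; a real filter would load its own rules.
KEYWORDS = ["password", "about to expire"]


def decode_subject(raw):
    """Join all MIME encoded words into one Unicode string."""
    return str(make_header(decode_header(raw)))


def hidden_chars(text):
    """Characters in Unicode category Cf (format): soft hyphen, zero-width
    space/joiners, BOM, etc. They occupy no visible space in most clients."""
    return [c for c in text if unicodedata.category(c) == "Cf"]


def normalize(text):
    """Canonical form for matching: NFKC, drop Cf, casefold, squeeze spaces."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return " ".join(text.casefold().split())


def analyze(raw_subject, keywords=KEYWORDS):
    decoded = decode_subject(raw_subject)
    naive = [k for k in keywords if k in decoded.casefold()]
    hits = [k for k in keywords if k in normalize(decoded)]
    return {
        "normalized": normalize(decoded),
        "hidden_count": len(hidden_chars(decoded)),
        "naive_hits": naive,      # what a filter sees without normalization
        "hits": hits,             # what it sees after normalization
        # Keywords that only match once hidden characters are removed are a
        # stronger signal than the keyword alone.
        "evasion_suspected": bool(set(hits) - set(naive)),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_SUBJECT))
```

Apply the normalized form to matching only and deliver the original message unchanged, since some Cf characters (zero-width joiners in emoji and in scripts such as Persian) are legitimate. The same `normalize` step applies to the message body, which the article notes is also packed with soft hyphens.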

If a user clicks the link inside the email, they’re redirected to a fake login page created to harvest their credentials.

This campaign highlights how attackers constantly evolve their tactics to bypass defenses and target users directly. AI-powered security awareness training can help organizations build resilience against these threats. KnowBe4 equips employees to recognize and avoid social engineering attacks, helping more than 70,000 organizations worldwide strengthen their security culture and reduce human risk.

About DT Asia

DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.

 

How we help

If you need to know more about Phishing Emails Use Invisible Hyphens to Avoid Detection, you're in the right place, and we're here to help! DTA is Quest Software's distributor, especially in Singapore and Asia. Our technicians have deep experience with the product and the relevant technologies, so you can always trust them. We provide turnkey solutions for this product, including consultation, deployment, and maintenance services.

Click here to know more: https://dtasiagroup.com/knowbe4/