New Phishing Scam Uses Invisible Characters to Evade Email Filters

2 December 2025 Technology

WASHINGTON — Cybersecurity researchers have uncovered a new phishing scam that uses invisible Unicode characters embedded in email subject lines to evade detection by automated filters, officials said.

The scam involves inserting soft hyphens—hidden characters normally used for text formatting—between every letter of the subject line. While these characters are invisible to recipients, they disrupt keyword-based security filters, allowing malicious emails to pass through undetected.

Attackers encode the subject lines using MIME encoded-word formatting with UTF-8 and Base64 encoding, weaving the invisible characters throughout the entire phrase. For example, a subject line reading “Your Password is About to Expire” may have a soft hyphen inserted between each letter, making it appear normal to the user but scrambled to security systems.

This technique is also applied within the body of the email, enabling both the subject and content to bypass detection. The emails typically urge recipients to act quickly by claiming their password is about to expire and direct them to fake login pages hosted on compromised domains designed to steal login credentials.

Phishing filters generally rely on recognizing suspicious words, phrases, and known malicious domains. By inserting invisible characters, attackers break up these recognizable patterns, rendering the text readable to humans but unreadable to automated systems. This loophole allows attackers to reuse traditional phishing templates effectively.
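The filter-side countermeasure to the technique described above, as an added example that is not from the researchers or this article: decode the MIME encoded-word subject, strip invisible format characters, then match keywords on the normalized copy. The keyword list, function names and sample subject are assumptions constructed for illustration.

```python
import base64
import unicodedata
from email.header import decode_header, make_header

# Hypothetical keyword list; a real filter would supply its own rules.
KEYWORDS = ("password", "expire")

def decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) into a Unicode string."""
    return str(make_header(decode_header(raw_subject)))

def strip_invisible(text):
    """Drop Unicode format characters (category Cf): soft hyphen U+00AD,
    zero-width space U+200B, zero-width joiners and similar.
    Apply this to the copy used for matching, not the message shown to users,
    because some scripts and emoji sequences use these characters legitimately."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def inspect_subject(raw_subject):
    decoded = decode_subject(raw_subject)
    visible = strip_invisible(decoded)
    hidden = len(decoded) - len(visible)
    return {
        "visible": visible,
        "hidden_chars": hidden,
        # What a keyword filter sees if it matches on the decoded text as-is
        "naive_hits": [k for k in KEYWORDS if k in decoded.lower()],
        # What it sees after normalization
        "normalized_hits": [k for k in KEYWORDS if k in visible.lower()],
        # Heavy invisible padding relative to visible text is itself a signal
        "suspicious_padding": hidden >= 3 and hidden * 4 >= len(visible),
    }

def build_sample():
    """Constructed sample: the article's example subject with a soft hyphen
    between every character, wrapped as a UTF-8 Base64 encoded-word."""
    padded = "\u00ad".join("Your Password is About to Expire")
    return "=?UTF-8?B?" + base64.b64encode(padded.encode("utf-8")).decode("ascii") + "?="

if __name__ == "__main__":
    for key, value in inspect_subject(build_sample()).items():
        print(f"{key}: {value}")
```

The same normalization applies to the decoded message body, since the article notes the technique is used there as well.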

Experts warn that the method is easy to replicate, as the encoding tools are widely accessible and can be automated to produce large-scale phishing campaigns with minimal effort.

To protect against such scams, cybersecurity specialists recommend using password managers and enabling two-factor authentication, which can provide additional layers of security beyond email filtering.

This emerging threat highlights the ongoing challenges in email security as cybercriminals continuously adapt their tactics to circumvent existing protections.
