
Phishing subjects with invisible characters: RFC 2047 + soft hyphen evasion, and how to hunt it

4n6 Beat

SANS ISC documented a phishing message whose Subject was split into multiple RFC 2047 “encoded-words,” with soft hyphen characters (U+00AD) inserted between letters to break keyword matches. Outlook renders these as normal-looking text, so users never see the obfuscation, but filters that don’t normalize Unicode or decode RFC 2047 first can miss it (SANS ISC). Soft hyphen is a format character that’s typically invisible except at line breaks (Unicode UAX #14; see “Use of Soft Hyphen”), and Microsoft has previously called out invisible Unicode (including U+00AD and U+2060) as a phish-evasion tactic in both bodies and subject lines (Microsoft Threat Intelligence, 2021).
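As an added example (not code from the ISC diary or from this post), the following Python hunt decodes a constructed Subject the way a mail client would, counts the format characters hidden in it, and shows that keyword matching only succeeds after RFC 2047 decoding and Unicode normalization. It uses only the standard library; the sample message, the keyword list and the function names are assumptions for illustration.

```python
import email
import email.policy
import re
import unicodedata

# Constructed sample: the Subject is split into two RFC 2047 encoded-words
# folded across header lines, each hiding a soft hyphen (=C2=AD is U+00AD
# in UTF-8) inside "Invoice" and "Payment". Q-encoding keeps it readable.
RAW_MESSAGE = (
    b"From: billing@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: =?utf-8?Q?In=C2=ADvoice?=\r\n"
    b" =?utf-8?Q?_Pay=C2=ADment_Overdue?=\r\n"
    b"\r\n"
    b"body\r\n"
)

# Hypothetical keyword list a filter might match on.
KEYWORDS = ("invoice", "payment")

ENCODED_WORD_RE = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")


def invisible_chars(text):
    """Return Unicode format characters (category Cf): soft hyphen, zero-width chars, word joiner."""
    return [c for c in text if unicodedata.category(c) == "Cf"]


def normalize_subject(text):
    """Strip format characters, then NFKC-normalize and casefold for matching."""
    stripped = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return unicodedata.normalize("NFKC", stripped).casefold()


def analyze(raw):
    """Decode the Subject like a mail client does, then compare naive and normalized matching."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    decoded = str(msg["Subject"])  # encoded-words joined, soft hyphens still present
    normalized = normalize_subject(decoded)
    return {
        "decoded": decoded,
        "encoded_word_count": len(ENCODED_WORD_RE.findall(raw.decode("ascii", "replace"))),
        "invisible_count": len(invisible_chars(decoded)),
        "naive_hits": [k for k in KEYWORDS if k in decoded.casefold()],
        "normalized_hits": [k for k in KEYWORDS if k in normalized],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value!r}")
```

A subject with several encoded-words plus a non-zero invisible_count, where naive_hits is empty but normalized_hits is not, is the pattern worth alerting on.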