{"id":8034,"date":"2025-10-30T04:03:37","date_gmt":"2025-10-30T04:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/30\/32428\/"},"modified":"2025-10-30T04:03:37","modified_gmt":"2025-10-30T04:03:37","slug":"32428","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/30\/32428\/","title":{"rendered":"A phishing with invisible characters in the subject line, (Tue, Oct 28th)"},"content":{"rendered":"<div>\n<p>While reviewing malicious messages that were delivered to our handler inbox over the past few days, I noticed that the \u201csubject\u201d of one phishing e-mail looked quite strange when displayed in the Outlook message list\u2026<\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/diaryimages\/images\/25-10-28-shy-subject.png1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-shy-subject.png?ssl=1\" style=\"border-width: 1px; border-style: solid; width: 801px; height: 404px;\"><\/a><\/p>\n<p>As you can see, once the message was open, the subject was displayed as normal, readable text. This suggested that some invisible characters were likely present\u2026<\/p>\n<p>A quick look at the e-mail headers proved this to be the case. 
The subject was composed of the following two lines:<\/p>\n<pre>\n<code>Subject: =?UTF-8?B?WcKtb3XCrXIgUMKtYXPCrXN3wq1vwq1yZCBpwq1zIEHCrWLCrW91dCA=?=\n\t=?UTF-8?B?dMKtbyBFwq14wq1wwq1pcsKtZQ==?=<\/code><\/pre>\n<p>This formatting meant that the subject was included in the message in a MIME \u201cencoded-word\u201d format, which is described in RFC 2047 as having the following structure[<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2047\">1<\/a>]:<\/p>\n<pre>\n<code>encoded-word = \"=?\" charset \"?\" encoding \"?\" encoded-text \"?=\"<\/code><\/pre>\n<p>In our case, the subject therefore consisted of two encoded words containing text written in the UTF-8 character set, which has been Base64 encoded.<\/p>\n<p>Once both lines were decoded, one could clearly see that an invisible character was indeed being used in multiple places in the strings \u2013 specifically the soft hyphen, which has a Unicode code point U+00AD, and which is more commonly used as the &amp;shy; HTML entity[<a href=\"https:\/\/en.wikipedia.org\/wiki\/Soft_hyphen\">2<\/a>].<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-subject-decoded.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-subject-decoded.png?ssl=1\" style=\"border-width: 1px; border-style: solid; width: 600px; height: 82px;\"><\/a><\/p>\n<p>Although soft hyphens aren\u2019t \u2013 strictly speaking \u2013 invisible, Outlook as well as most other e-mail clients don\u2019t render them as visible text in most cases.<\/p>\n<p>The use of the soft hyphen character \u2013 combined with splitting the subject into multiple MIME encoded-words \u2013 was clearly intended as an attempt at bypassing e-mail filtering mechanisms that are supposed to automatically detect potentially malicious messages.<\/p>\n<p>Why is this approach noteworthy?<\/p>\n<p>Because although the use of invisible characters in phishing 
e-mails in general (and of the \u201cshy\u201d character in particular[<a href=\"https:\/\/isc.sans.edu\/diary\/31626\">3<\/a>]) is quite common when it comes to making the contents of e-mail messages less readable to security solutions, it is quite unusual to see it also applied to the subject of a message.<\/p>\n<p>In fact, the only allusion to this technique I\u2019ve been able to find with a quick Google search was a general mention in an article by Microsoft Threat Intelligence from 2021, which states that \u201cIn several observed campaigns, attackers inserted invisible Unicode characters to break up keywords in an email body or <u>subject line<\/u> in an attempt to bypass detection and automated security analysis\u201d[<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/18\/trend-spotting-email-techniques-how-modern-phishing-emails-hide-in-plain-sight\/\">4<\/a>].<\/p>\n<p>Since the use of invisible characters in e-mail subject lines doesn\u2019t seem to be widely known, I have decided that it would be worthwhile to dedicate this short diary to it.<\/p>\n<p>It should be noted that the subject line wasn\u2019t the only place where the soft hyphen character was used in the message \u2013 it was also heavily present in the text itself, where it was used to break up individual words\u2026<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-contents.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-contents.png?ssl=1\" style=\"border-width: 1px; border-style: solid; width: 801px; height: 486px;\"><\/a><\/p>\n<p>For completeness\u2019 sake, we should also mention that the link in the phishing pointed to the URL hxxps[:]\/\/stopsoriasis[.]co[.]il\/Webmail\/webmail.php?email=[recipient@domain.tld], where a generic \u201cwebmail login\u201d credential-stealing page was placed\u2026<\/p>\n<p><a 
href=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-page.png?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/25-10-28-page.png?ssl=1\" style=\"width: 800px; height: 500px; border-width: 1px; border-style: solid;\"><\/a><\/p>\n<p>[1] <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc2047\">https:\/\/datatracker.ietf.org\/doc\/html\/rfc2047<\/a><br \/>\n[2] <a href=\"https:\/\/en.wikipedia.org\/wiki\/Soft_hyphen\">https:\/\/en.wikipedia.org\/wiki\/Soft_hyphen<\/a><br \/>\n[3] <a href=\"https:\/\/isc.sans.edu\/diary\/31626\">https:\/\/isc.sans.edu\/diary\/31626<\/a><br \/>\n[4] <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/18\/trend-spotting-email-techniques-how-modern-phishing-emails-hide-in-plain-sight\/\">https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/08\/18\/trend-spotting-email-techniques-how-modern-phishing-emails-hide-in-plain-sight\/<\/a><\/p>\n<p>&#8212;&#8212;&#8212;&#8211;<br \/>\nJan Kopriva<br \/>\n<a href=\"https:\/\/www.linkedin.com\/in\/jan-kopriva\/\">LinkedIn<\/a><br \/>\n<a href=\"https:\/\/www.nettles.cz\/\">Nettles Consulting<\/a><\/p>\n<p> (c) SANS Internet Storm Center. 
https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32428\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A phishing with invisible characters in the subject line, (Tue, Oct 28th) While reviewing malicious messages that were delivered to our handler inbox over the past few days, I noticed that the \u201csubject\u201d of one phishing e-mail looked quite strange when displayed in the Outlook message list\u2026 As you can see, once the message was [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-8034","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8034"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8034"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8034\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8034"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}