The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
University of Pennsylvania hackers release 1.2 million donor records
A hack at the University of Pennsylvania (one of the US’ Ivy League institutions) involved gaining access to an employee’s SSO account, opening a gateway to Penn’s VPN, Salesforce data, Qlik analytics platform, SAP business intelligence system, and SharePoint files.
With this access granted, the intruder used an internal email address to send threatening emails to Penn's mailing list hosted on Salesforce Marketing Cloud, and divulged a data breach of 1.2 million donors and internal documents. The hacker has since published a 1.7 GB archive taken from the university's SharePoint and Box accounts.
The attack group isn’t yet publicly known.
Assured’s CISO reacts:
The employee SSO compromise, which served as the attack vector for this incident, highlights the importance of closely securing and managing identities. This can be difficult in educational establishments, where BYOD on campus adds a layer of risk because not every device connecting to the network can be trusted. We recommend sensible alerts for risky sign-ins and conditional access policies led by MFA.
 
Danger: Phishing! (hidden characters can bypass cybersecurity defence)
A new phishing method is spreading that hides invisible Unicode characters (like U+00AD) inside email subject lines and bodies. These characters can bypass security filters, allowing phishing emails to slip through undetected.
Even with awareness training, the risk of someone clicking a link or entering their credentials remains high, and it grows as cyber criminals' methods evolve in this way.
Assured’s CISO reacts:
To defend against this new phishing method, update email filters to detect invisible or non-printable Unicode characters. You should also configure gateways to check encoded headers (such as Base64 or UTF-8) for hidden obfuscation patterns.
This is how you can apply this (using MS Defender):
Use mail-flow (transport) rules to detect the soft-hyphen (U+00AD) in subjects/headers
A — EAC / Exchange Admin Center (quick and safe)
- Create (or refine) a mail-flow (transport) rule that inspects the Subject header for questionable encoding patterns:
- Condition: Subject header includes an encoded-word structure (e.g., =?UTF-8?B?) and the Base64-decoded text contains a high frequency of soft-hyphen (U+00AD) or other invisible Unicode characters.
 
- Test the rule in audit/log only mode initially to avoid false positives.
- Similarly, inspect message bodies for invisible characters (such as soft hyphens and zero-width spaces). Example: a condition where the message body “matches patterns” for invisible Unicode sequences (e.g., \u00AD, \u200B, \u200C, etc.) combined with suspicious phrases like “password is about to expire”, “urgent action required”, “webmail login”, etc.
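The following Python script is an added example (not code from the briefing or from Microsoft) that shows the check the two conditions above describe: it decodes an RFC 2047 encoded-word subject, counts invisible code points, and flags the result only when they coincide with one of the lure phrases quoted above. The code point list, the lure phrase list and the sample subject are constructed for the example.

```python
import base64
import re
from email.header import decode_header

# Invisible / zero-width code points commonly inserted to break up lure phrases (constructed list)
INVISIBLE = {
    "\u00ad": "SOFT HYPHEN",
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}
# Lure phrases quoted in the briefing; extend to taste
LURE_PHRASES = ("password is about to expire", "urgent action required", "webmail login")
# RFC 2047 encoded-word, e.g. =?UTF-8?B?...?=
ENCODED_WORD = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")


def decode_subject(raw):
    """Decode RFC 2047 encoded-words into one Unicode string (plain subjects pass through)."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        parts.append(chunk)
    return "".join(parts)


def analyse_subject(raw):
    """Return the indicators a mail-flow rule or hunting query would key on."""
    decoded = decode_subject(raw)
    counts = {name: decoded.count(ch) for ch, name in INVISIBLE.items() if ch in decoded}
    visible = "".join(ch for ch in decoded if ch not in INVISIBLE)
    lures = [p for p in LURE_PHRASES if p in visible.lower()]
    total = sum(counts.values())
    return {
        "encoded_word": bool(ENCODED_WORD.search(raw)),
        "invisible_total": total,
        "invisible_by_type": counts,
        "visible_text": visible,
        "lure_phrases": lures,
        # invisible characters alone occur in legitimate mail; paired with a lure they are a strong signal
        "suspicious": total > 0 and bool(lures),
    }


# Constructed sample: a lure split by soft hyphens, then wrapped as a Base64 encoded-word
_LURE = "Your pass\u00adword is ab\u00adout to ex\u00adpire"
SAMPLE_SUBJECT = "=?UTF-8?B?" + base64.b64encode(_LURE.encode("utf-8")).decode("ascii") + "?="
```

Run `analyse_subject(SAMPLE_SUBJECT)` to see the decoded lure, the three soft hyphens and the suspicious flag; the same function applied to a plain subject returns no invisible characters and no flag.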
 
B — PowerShell / regex (more flexible)
- Use a transport rule that uses Regex to match patterns in the subject (Exchange supports RegEx in mail flow rules). Example (illustrative — TEST in a lab before production):
 
# Example (illustrative) - test first in a non-production test tenant
# -Mode Audit only logs matches (see the note on audit mode above); switch to Enforce once false positives are ruled out
# -Quarantine routes matching mail to quarantine; the reason is recorded in the rule's -Comments field
New-TransportRule -Name "Detect-SoftHyphen-Subject" `
    -SubjectMatchesPatterns '.*\u00AD.*' `
    -Quarantine $true `
    -Comments "Suspected obfuscated subject (soft hyphen)" `
    -Mode Audit `
    -StopRuleProcessing $true
Notes & caveats
- Exchange Online supports regex in transport rules; however exact escape sequences and Unicode escape support can vary by environment. If \u00AD doesn’t match in your tenant, you can paste the literal U+00AD character into the pattern or use patterns that look for base64 / encoded-word patterns (e.g. =\?UTF-8\?B\?.* combined with other checks). Test thoroughly — mis-configured regex can create false positives or disrupt mail flow.
 
Hunting & triage: search for already-delivered messages containing U+00AD
- Use Threat Explorer / Real-time detections and Advanced hunting to look for messages that contain invisible characters in the Subject or headers.
- Threat Explorer (Explorer) is good for interactive investigations of mail and phishing views.
 
- Advanced hunting (KQL) — query the EmailEvents table for subjects that contain the soft hyphen or unusual MIME patterns. Example KQL (illustrative):
// Example: search EmailEvents for the soft hyphen in Subject
EmailEvents
| where Subject contains "\u00AD" or Subject matches regex @"\x{00AD}"   // the regex form (RE2 hex escape) avoids pasting an invisible literal
| project Timestamp, TenantId, SenderFromAddress, RecipientToAddress, Subject, NetworkMessageId
| sort by Timestamp desc
Notes
- KQL string literal may require inserting the literal soft-hyphen character; test in Advanced Hunting UI. The EmailEvents schema is the correct table for email metadata.
Chinese manufacturer can remotely disable Norway’s electric buses
This week, Oslo’s public transportation agency, Ruter, found that Chinese electric buses could be remotely disabled by their manufacturer. Backdoor control capabilities are, of course, frowned upon in the Western world.
The issue was resolved by disabling web connectivity on the buses by removing SIM cards from the onboard modems.
This news reminds us of a story from May 2025, when communication devices (not listed in the product documentation) were found inside solar panel power inverters; they could be used to skirt firewalls and switch the inverters off remotely.
Assured’s CISO reacts:
These examples speak to the need to vet the supply chain of critical products and, if the risk warrants it, to test the products themselves, as the Norwegians did with the electric buses. This topic was high on the agenda of this week’s 8th EU Cyber Security Energy Forum in Brussels, which met to discuss ways to strengthen resilience and prevent attacks against Europe’s power grid. We recommend that those in the energy sector consider linking with the European Network for Cyber Security (ENCS), the Association of European Distribution System Operators (E.DSO), and the European Energy – Information Sharing & Analysis Centre (EE-ISAC) in light of these risks.