Cybercriminals have been spotted using HTML/CSS and Unicode tricks to bypass tools meant to block malicious emails, marking a new twist in phishing techniques, security researchers report.

Attackers are continuously testing enterprise security systems and exploring new ways to get through. Some rely on hidden text and zero-font attacks, in which they put invisible characters between the letters of an email so it doesn’t trigger email defenses with phrases like “password expired” or “Office 365.” These malicious emails appear legitimate to any unsuspecting user.