Two days ago the Bitcoin threats from Outlook.com started arriving in the
Windows-1256 charset, which is Arabic, but including Latin characters. The
text has Arabic character 9D all over the place. 9D is "ZERO WIDTH
NON-JOINER" so it takes up no space and the English language text looks
normal. But it breaks pattern matching.

That ALL of the Bitcoin threats from outlook.com changed the evening of
October 1 means they are all from one source.

Sample of the MIME part header and a raw paragraph:

--_000_AM0PR04MB488298EB0071C1677D7C5BA9BAE90AM0PR04MB4882eurp_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable

Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=
=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=
i=9Dls:


Joseph Brennan
Columbia U I T
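
An added example, not part of the original post: one way a filter can normalize a part like the sample above before pattern matching, by undoing quoted-printable, decoding with the declared charset, and dropping zero-width format characters. The function names and the `RULE` pattern are hypothetical stand-ins for a real content rule.

```python
import quopri
import re
import unicodedata

# Sample body copied from the post above (quoted-printable, windows-1256).
SAMPLE_QP = (
    b"Yo=9Du wi=9Dll ha=9Dv=9De two diff=9Derent so=9Dluti=9Do=9Dns. Why dont w=\n"
    b"=9De check o=9Dut =9Dea=9Dch on=9De o=9Df thes=9De o=9Dpti=9Dons in deta=9D=\n"
    b"i=9Dls:\n"
)

# Constructed stand-in for a content rule; not a rule from the post.
RULE = re.compile(r"two different solutions", re.IGNORECASE)


def decode_part(body: bytes, charset: str) -> str:
    """Undo quoted-printable, then decode with the part's declared charset."""
    return quopri.decodestring(body).decode(charset, errors="replace")


def strip_invisible(text: str) -> tuple[str, int]:
    """Drop Unicode format characters (category Cf, which includes
    ZERO WIDTH NON-JOINER) and report how many were removed."""
    kept = [ch for ch in text if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(text) - len(kept)


def check(body: bytes, charset: str) -> dict:
    """Match RULE against the decoded text before and after normalization."""
    raw = decode_part(body, charset)
    clean, removed = strip_invisible(raw)
    return {
        "raw_match": bool(RULE.search(raw)),      # defeated by the inserted 9D
        "clean_match": bool(RULE.search(clean)),  # matches once 9D is stripped
        "removed": removed,                       # a scoring signal in itself
        "clean": clean,
    }


if __name__ == "__main__":
    result = check(SAMPLE_QP, "windows-1256")
    print(result["raw_match"], result["clean_match"], result["removed"])
    print(result["clean"])
```

Run the match on the stripped copy only and deliver the original unchanged, since ZERO WIDTH NON-JOINER is legitimate in some languages' text.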
