In the latter half of 2024, Cisco Talos identified a significant increase in email threats leveraging “hidden text salting,” also referred to as HTML poisoning.
This deceptive yet effective technique enables cybercriminals to bypass email parsers, confuse spam filters, and evade detection engines by embedding hidden, non-visible text into email content.
The method relies on exploiting HTML and CSS properties to conceal elements that can interfere with keyword-based detection and filtering mechanisms.
Talos highlighted the wide adoption of this tactic for purposes such as brand impersonation, language manipulation, and HTML smuggling.
Hidden text salting capitalizes on the flexibility of HTML and CSS to insert characters or content that remain invisible when emails are rendered by clients but retain their textual properties in the backend.
One approach involves using CSS properties like display: inline-block with a width set to zero, or applying overflow: hidden, to conceal data.
For example, phishing campaigns impersonating brands such as Wells Fargo have embedded irrelevant characters between letters to disrupt brand name extraction by detection systems.
Another variant involves inserting invisible Unicode characters like Zero-Width Space (ZWSP) or Zero-Width Non-Joiner (ZWNJ) between text strings, a technique observed in emails impersonating organizations like Norton LifeLock.
Despite being undetectable to the human eye, these characters affect how parsers analyze the text, effectively bypassing spam filters.
In some cases, attackers utilized hidden text salting to confuse language-detection systems.
Talos noted an example where a phishing email targeting a victim in English was identified as French by Microsoft’s Exchange Online Protection (EOP) service due to embedded hidden French text.
Attackers leveraged CSS properties to hide these additional linguistic elements, tricking language-based detection mechanisms.
HTML smuggling was also observed as a significant use case for this technique.
Attackers inserted irrelevant comments within base64-encoded characters in email attachments to obfuscate malicious payloads.
This approach hindered parsers from accurately piecing together and decoding the content, effectively evading detection systems.
To counteract the growing threat of hidden text salting, advanced filtering techniques are essential. Detection systems must be designed to examine suspicious CSS properties like visibility: hidden and display: none.
Additionally, analyzing structural anomalies within HTML, such as excessive inline styles or unusual element nesting, can uncover attempts to conceal malicious text.
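The following is an added example, not code from Talos or from the original article: a minimal scanner that flags the inline CSS properties and zero-width characters named above and recovers the text a recipient would actually see. The names `concealment`, `SaltScanner`, `scan`, `naive_text` and `SAMPLE` are hypothetical, the zero-width-box rule is a heuristic, and only inline `style` attributes are inspected.

```python
import re
from html.parser import HTMLParser

ZERO_WIDTH = re.compile("[\u200b\u200c]")  # ZWSP and ZWNJ, the two named in the article
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # tags with no end tag

def concealment(style):
    """Return why an inline style hides its element, or None (heuristic)."""
    decls = style.lower().replace("!important", "").split(";")
    props = {k.strip(): v.strip() for k, _, v in (d.partition(":") for d in decls)}
    if props.get("display") == "none":
        return "display:none"
    if props.get("visibility") == "hidden":
        return "visibility:hidden"
    zero = re.fullmatch(r"0(\.0+)?(px|em|rem|pt|%)?", props.get("width", ""))
    if zero and (props.get("display") == "inline-block" or props.get("overflow") == "hidden"):
        return "zero-width box"
    return None

class SaltScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.findings = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:  # assumes reasonably well-nested markup
            self.stack.append(concealment(dict(attrs).get("style") or ""))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        reason = next((r for r in self.stack if r), None)
        if reason:  # inside a concealed element: report it, keep it out of the text
            self.findings.append((reason, data))
            return
        if ZERO_WIDTH.search(data):
            self.findings.append(("zero-width characters", data))
        self.visible.append(ZERO_WIDTH.sub("", data))

def scan(html):
    scanner = SaltScanner()
    scanner.feed(html)
    scanner.close()  # flush any text buffered after the last tag
    return "".join(scanner.visible), scanner.findings

def naive_text(html):  # what a tag-stripping keyword filter would see
    return re.sub(r"<[^>]+>", "", html)

# Constructed sample, not taken from a real message.
SAMPLE = ('<p>W<span style="display:inline-block;width:0;overflow:hidden">xq</span>ells '
          'Far<span style="display:none">zz</span>go</p>\n<p>Nor\u200bton Life\u200cLock</p>')
```

Running `scan(SAMPLE)` returns the de-salted text for brand or keyword matching together with a list of findings, while `naive_text(SAMPLE)` shows the salted string that a filter working on stripped tags alone would receive.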
Organizations may also benefit from incorporating visual analysis into email threat detection, as reliance solely on text-based methods leaves room for exploitation.
AI-powered solutions like Secure Email Threat Defense offer comprehensive protection by leveraging deep learning and Natural Language Processing (NLP) to monitor email content, including text and images, for hidden threats.
Such systems enhance resilience against evolving email-based threats by providing detailed insight into malicious techniques, pinpointing business risks, and categorizing vulnerabilities.
As cybercriminals continue to refine their evasion methods, sustained advancements in email security technology remain critical to mitigating the risks posed by tactics like hidden text salting.