Hackers Employ Hidden Text Salting Method to Trick Spam Filters & Evade Detection

Cisco Talos has observed a significant increase in the use of hidden text salting, also referred to as “poisoning,” in email threats during the latter half of 2024.

This technique, though relatively simple, has proven to be remarkably effective in bypassing email parsers, misleading spam filters, and evading detection mechanisms that rely on keyword recognition.

Hidden text salting leverages the intricacies of HTML and CSS to embed characters and comments into the source code of an email that remain invisible to recipients but hinder the effectiveness of detection systems.

Attack Examples

Hidden text salting enables attackers to obscure information by inserting irrelevant or invisible content within the HTML structure, complicating the task of email parsers and detection engines.

Cisco Talos highlighted several phishing campaigns utilizing this technique to impersonate trusted brands such as Wells Fargo, Norton LifeLock, and Harbor Freight.

A phishing email impersonating the Harbor Freight brand.

For example, in a Wells Fargo phishing attack, the threat actors employed CSS properties such as width: 0 and overflow: hidden to conceal irrelevant characters in the email’s source code.

When the email is displayed in a mail client, these properties make the inserted characters invisible, allowing the email to bypass detection.

Similarly, in a phishing attack impersonating Norton LifeLock, attackers embedded Zero-Width Space (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters within brand names to evade keyword-based detection systems.

A phishing email impersonating the Norton LifeLock brand.

These characters, though invisible to human viewers, are recognized by parsers as part of the email content.

Another notable incident involved a phishing email impersonating Harbor Freight, where hidden French words were embedded in the HTML to confuse language detection algorithms.

This manipulation led Microsoft’s Exchange Online Protection (EOP) to misclassify the email’s language as French, potentially bypassing filters reliant on linguistic profiling.

Additionally, hidden text salting has been used in HTML smuggling attacks.

In this approach, spear phishing emails with malicious attachments had base64-encoded payloads interspersed with irrelevant comments, making it difficult for detection engines to reconstruct and decode the payloads seamlessly.

Advanced Measures

Detecting and mitigating hidden text salting demands sophisticated filtering and detection approaches.

One effective measure involves enhancing filters to identify suspicious use of CSS properties such as “display: none” or “visibility: hidden,” which are commonly exploited to conceal malicious content.

Advanced systems could also analyze unusual nesting of HTML elements or excessive inline styling that may indicate potential attempts to hide information.
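A sketch of such a filter, added here as an illustration and not taken from Cisco Talos or any product named in this article: it separates the text a reader would see from text hidden by inline CSS, strips zero-width characters before keyword matching, and reports how much salt it found. The names SaltScanner and scan, the sample message, and the font-size and height heuristics are assumptions; only inline style attributes on well-formed HTML are handled.

```python
import re
from html.parser import HTMLParser

# Inline styles treated as hiding content. display/visibility/width come from the
# article; font-size: 0 and zero height are added heuristics (assumptions).
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|(?<![-\w])(?:max-)?(?:width|height)\s*:\s*0(?![.\d])", re.I)
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")  # ZWSP, ZWNJ, ZWJ, WJ, BOM
VOID = {"br", "img", "hr", "meta", "input", "link", "wbr"}  # tags with no closing tag

class SaltScanner(HTMLParser):
    """Splits email text into what a reader sees and what inline CSS hides."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one bool per open element: is it inside a hidden subtree?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack and self.stack[-1])
        self.stack.append(inherited or bool(HIDING.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def scan(html):
    p = SaltScanner()
    p.feed(html)
    p.close()
    raw_visible = "".join(p.visible)
    return {
        # Text to hand to keyword or language checks: salt removed, spaces collapsed.
        "visible_text": " ".join(ZERO_WIDTH.sub("", raw_visible).split()),
        "hidden_chars": len("".join(p.hidden).strip()),
        "zero_width_chars": len(ZERO_WIDTH.findall(raw_visible)),
    }

# Constructed sample combining the salting styles described in the article.
SAMPLE = ('<p>Nor\u200bton Life\u200cLock</p>\n'
          '<p>W<span style="width:0; overflow:hidden; display:inline-block">xq9</span>ELLS '
          '<span style="display: none">bonjour</span>FARGO</p>')
```

Non-zero hidden_chars or zero_width_chars values are signals to score alongside other features, since legitimate mail also uses hidden preheader text; visible_text is what keyword and language checks should run against.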

To combat this evolving threat, Cisco emphasized the importance of complementing conventional text-based detection strategies with visual analysis of email content.

Adopting AI-powered solutions for comprehensive email security is crucial.

These systems, powered by machine learning and natural language processing, can analyze multiple aspects of an email, detect emerging threats, and provide contextual telemetry for targeted risk assessments.

Tools like Secure Email Threat Defense incorporate these capabilities, extracting malicious patterns even from image-based or heavily concealed emails.

The rise of hidden text salting underscores the evolving sophistication of email-based threats.

Its ability to evade traditional defenses highlights the need for organizations to adopt proactive and multi-faceted email security solutions.

As attackers refine these techniques, relying on advanced detection technologies and adaptive strategies will be vital to safeguarding against such deceptive threats.
