Cyber Security News

Hackers Using Hidden Text Salting Technique To Confuse Spam Filters & Evade Detection

Cybercriminals are increasingly employing a technique known as “hidden text salting” to bypass spam filters and evade detection.

This method, which saw a surge in usage during the latter half of 2024, poses a significant threat to organizations relying on traditional email defense mechanisms.

Hidden text salting, also referred to as “poisoning,” is a deceptively simple yet effective technique that leverages features of Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) to embed non-visible elements within the source code of emails.

Security experts at Cisco Talos discovered that these hidden elements are designed to confuse email parsers, spam filters, and detection engines that rely on keywords, while remaining invisible to the recipient when the email is rendered in their client.


Technical Implementation

Attackers employ various methods to implement hidden text salting:

  1. CSS Manipulation: Using properties like “display:inline-block” and “overflow:hidden” to conceal malicious content.
  2. Invisible Characters: Inserting Zero-Width Space (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between letters of brand names or keywords.
  3. HTML Comments: Adding irrelevant comments between base64-encoded characters in HTML attachments.
  4. Soft Hyphens: Utilizing Unicode Soft Hyphens to separate letters, which are invisible to users but recognized by Secure Email Gateways (SEGs).

This technique has proven effective in multiple ways. By inserting hidden characters between the letters of well-known brand names, attackers can evade filters designed to detect impersonation attempts.

Hidden text in different languages can also confuse language detection systems, as seen when Microsoft’s Exchange Online Protection (EOP) misclassified an English email as French due to concealed French text.

Additionally, the insertion of irrelevant content disrupts keyword-based filters, making it harder to identify suspicious phrases commonly associated with phishing attempts.
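To show why the salted form slips past a keyword or brand match and what a filter has to do before matching, here is an added example (not code from the article or from Cisco Talos) that separates the text a reader sees from the concealed text and strips the invisible characters listed above. The names `SaltScanner`, `analyze` and `HIDDEN_STYLE`, the zero-size style heuristic, and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Invisible characters named in the article.
INVISIBLE = {"\u200b": "ZWSP", "\u200c": "ZWNJ", "\u00ad": "SHY"}
# Assumed heuristic (not from the article): inline styles that leave no visible area.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height|font-size)\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags without an end tag
# Constructed sample, not taken from a real message.
SAMPLE = ('<p>Your W\u200be\u200cl\u00adls Far<!-- zq -->go account is '
          '<span style="display:inline-block;width:0;overflow:hidden">'
          'bonjour merci de votre visite</span>locked.</p>')

class SaltScanner(HTMLParser):
    """Splits an HTML body into text the reader sees and text that is concealed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.visible, self.hidden, self.comments = [], [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            # An element is hidden if its parent is hidden or its own style hides it.
            self.stack.append(bool(self.stack and self.stack[-1] or HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_comment(self, data):
        self.comments += 1  # comments never render; count them as a signal

    def handle_data(self, data):
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def analyze(html):
    """Return the normalized visible text plus counts of each salting indicator."""
    scanner = SaltScanner()
    scanner.feed(html)
    scanner.close()
    raw = "".join(scanner.visible)
    rendered = raw.translate({ord(ch): None for ch in INVISIBLE})
    return {
        "rendered_text": re.sub(r"\s+", " ", rendered).strip(),
        "invisible_chars": {name: raw.count(ch) for ch, name in INVISIBLE.items()},
        "hidden_text": " ".join(t.strip() for t in scanner.hidden if t.strip()),
        "comments": scanner.comments,
    }
```

Keyword, brand and language checks should run on `rendered_text`; non-zero `invisible_chars` counts or a non-empty `hidden_text` are themselves signals worth scoring.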

A phishing email impersonating the Wells Fargo brand (Source – Cisco Talos)

Traditional security measures struggle to counter hidden text salting effectively. Tools relying on automated keyword detection, brand name recognition, or standard language identification are particularly vulnerable to this technique.

A phishing email impersonating the Harbor Freight brand (Source – Cisco Talos)

The simplicity and versatility of hidden text salting make it a formidable challenge for email security providers.

To combat this emerging threat, security experts recommend:

  1. Advanced Filtering Techniques: Developing more sophisticated filters that can identify suspicious use of CSS properties and unusual HTML structures.
  2. Visual Analysis: Incorporating visual characteristics of emails into the detection process, rather than relying solely on text-based analysis.
  3. AI and Machine Learning: Employing advanced algorithms to detect patterns and anomalies that may indicate hidden text salting.
  4. Regular Updates: Continuously updating security systems to recognize new variations of hidden text salting techniques.
Tushar Subhra Dutta