Introduction
In the latter half of 2024 [1], there has been a notable rise in the use of “hidden text salting” techniques, also known as “poisoning,” by cybercriminals. This method allows them to bypass email security measures, posing significant challenges to existing spam filters and language detection systems.
Description
A significant increase in the use of “hidden text salting” techniques, also referred to as “poisoning,” has been observed in the latter half of 2024, allowing cybercriminals to circumvent email security measures [1]. This method enables attackers to bypass spam filters and language detection systems by embedding invisible characters, such as Zero-Width Space (ZWSP) and Zero-Width Non-Joiner (ZWNJ) [5], within the HTML source code of emails [1]. These tactics confuse parsers that depend on visible keywords.
Attackers employ various strategies, including the manipulation of HTML and CSS properties like “width: 0,” “display: none,” and “visibility: hidden,” effectively concealing content by rendering it invisible. They may also use the “overflow” property to prevent any overflow content from being displayed [4]. Additionally, the insertion of irrelevant language and hidden characters complicates detection efforts, as seen in phishing emails that impersonate reputable brands such as Wells Fargo and Norton LifeLock [3]. These emails utilize CSS properties and ZWSP characters to evade brand name extraction by security systems [1]. Notably, some phishing attempts have disguised English emails as French by embedding hidden French words [1], misleading language detection systems and complicating the efforts of Microsoft’s Exchange Online Protection (EOP) spam filter.
To combat these sophisticated threats [4], advanced filtering techniques are essential [2] [3] [4]. These should focus on detecting the misuse of CSS properties and analyzing the HTML structure for signs of content concealment [4], while also considering visual features alongside textual analysis [2]. A comprehensive email security solution that incorporates AI-powered detection methods is crucial for identifying and mitigating these risks [4]. Such solutions should leverage deep learning models and Natural Language Processing to analyze incoming emails and uncover both known and emerging threats [4].
Relevant MITRE Techniques associated with hidden text salting include:
- Phishing (T1566): Utilizing hidden text salting to create deceptive emails that mimic legitimate brands.
- HTML Smuggling (T1071.001): Evading detection by embedding irrelevant comments in base64-encoded HTML attachments.
- Content Spoofing (T1071.001): Confusing language detection and spam filters through the use of invisible characters.
Indicators of Compromise linked to this technique may include:
- Email: phishing@example.com
- URLs: www.wellsfargo.com [3], www.nortonlifelock.com
- File Name: malicious_email.html
- Other IoCs: Zero-Width Space (ZWSP) [3], Zero-Width Non-Joiner (ZWNJ) [1] [3] [5].
Conclusion
The rise of hidden text salting techniques underscores the evolving nature of cyber threats and the need for robust security measures. Organizations must adopt advanced filtering techniques and AI-powered solutions to effectively detect and mitigate these sophisticated attacks. As cybercriminals continue to innovate, staying ahead of these threats will require continuous adaptation and enhancement of security protocols.
References
[1] https://www.infosecurity-magazine.com/news/hidden-text-salting-disrupts-brand/
[2] https://www.sixgen.io/single-post/last-week-in-security-2025-01-27
[3] https://www.hendryadrian.com/seasoning-email-threats-with-hidden-text-salting/
[4] https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text-salting/
[5] https://www.securitylab.ru/news/555845.php
