Cybercriminals are increasingly employing a technique known as "hidden text salting" to bypass spam filters and evade detection. This method, which saw a surge in usage during the latter half of 2024, poses a significant threat to organizations relying on traditional email defense mechanisms. Hidden text salting, also referred to as "poisoning," is a deceptively simple yet effective technique leveraging features of Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) to embed non-visible elements within the source code of emails.
Security experts at Cisco Talos discovered these hidden elements are crafted to confuse email parsers, spam filters, and detection engines reliant on keywords, all the whilst remaining invisible to the recipient when the email renders on their client. The technique has proven effective for various objectives, including brand impersonation and evading keyword-based filters.
Attackers employ various methods to implement hidden text salting:
- CSS Manipulation: Using properties like "display:inline-block" and "overflow:hidden" to conceal malicious content.
- Invisible Characters: Introducing Zero-Width Space (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between letters of brand names or keywords.
- HTML Comments: Adding irrelevant comments between base64-encoded characters within HTML attachments.
- Soft Hyphens: Utilizing Unicode Soft Hyphens to separate letters, which are invisible to users but recognized by Secure Email Gateways (SEGs).
This diverse array of techniques proves effective due to their simplicity and the flexibility of HTML and CSS. For example, phishing campaigns targeting brands like Wells Fargo have been seen including irrelevant characters between letters, disrupting the identification process of brand names by detection systems. Similarly, one campaign impersonated organizations such as Norton LifeLock, inserting invisible Unicode characters like ZWSP or ZWNJ, which negatively affect how parsers analyze the text and successfully bypass spam filters.
One notable tactic involves confusion of language detection systems: Cisco Talos highlighted instances where emails targeting English speakers were misclassified as French by Microsoft’s Exchange Online Protection (EOP) service. This misclassification resulted from hidden French text embedded within the emails, effectively tricking language-based detection mechanisms.
Hidden text salting also plays a significant role in tactics like HTML smuggling. Attackers insert irrelevant comments within base64-encoded characters in email attachments, frustrating parsers and preventing them from correctly decoding content. This obfuscation can allow malicious payloads to bypass detection systems entirely.
The increasing use of hidden text salting has made traditional security measures inadequate. Systems relying on automated keyword detection, brand name recognition, or standard language identification are particularly vulnerable, signaling the urgent need for enhanced security strategies.
To counteract the growing threat posed by hidden text salting, experts recommend several advanced filtering techniques:
- Advanced Filtering Techniques: Developing more sophisticated filters capable of identifying suspicious use of CSS properties and unusual HTML structures.
- Visual Analysis: Incorporate visual characteristics of emails during the detection process, moving beyond simple text-based analysis.
- AI and Machine Learning: Employing advanced algorithms capable of detecting patterns and anomalies indicative of hidden text salting.
- Regular Updates: Continuously updating security systems to recognize new variations of hidden text salting techniques.
Organizations must adapt to rapidly changing threats posed by cybercriminals who continuously refine their evasion methods. Implementing AI-powered solutions, such as those offered by Secure Email Threat Defense, provides comprehensive protection against hidden threats by recognizing both text and image-related risks. These sophisticated tools, leveraging deep learning and Natural Language Processing (NLP), allow for detailed insight and systemic monitoring to preemptively identify malicious tactics.
With the threat of hidden text salting showing no signs of abatement, the role of advanced email security technology becomes ever more pivotal for organizations of all sizes. This shift not only fortifies defenses against current tactics but ensures resilience against the novel challenges brought by cunning and innovative cybercriminals. The architecture of email security must evolve to stay one step ahead, safeguarding users from increasingly complex phishing threats.