Hidden text "salting" is letting hackers craft devious email attacks to evade detection
Just because you can't see certain email text, it doesn't mean it's not there
- Security researchers are warning about "hidden text salting" in emails
- Hackers can hide parts of the text to confuse email scanners
- The hidden text helps the email pass the scans and land in the inbox
Hackers are increasingly using “hidden text salting”, or “poisoning” techniques, to work around email security measures and get phishing messages to land in people’s inboxes.
A new in-depth guide published by cybersecurity researchers from Cisco Talos outlines how cybercriminals abuse HTML and CSS properties in email messages, setting the width of some elements to 0 and using “display: none” to hide content from the victims. They also insert zero-width space (ZWSP) and zero-width non-joiner (ZWNJ) characters, and embed irrelevant language to obscure the true email content.
As a result, email security solutions, spam filters, and brand name extractors get confused, and emails that would otherwise end up in the spam folder make it directly to the inbox.
Advanced filtering
In its writeup, Cisco Talos has given multiple examples, including one in which attackers hid French words in the email’s body. This confused Microsoft’s Exchange Online Protection (EOP) spam filter, which ultimately let the message pass.
In another example, Cisco Talos said threat actors were using CSS properties and ZWSP characters to hide email content, successfully mimicking Wells Fargo and Norton LifeLock.
To tackle this strategy, the researchers suggested IT teams adopt advanced filtering techniques that scan the structure of HTML emails, rather than just their contents. An email security solution could, thus, look for excessive use of inline styles or CSS properties such as “visibility: hidden”. Deploying AI-powered defenses is also recommended.
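A minimal sketch of that kind of structural check, added here as an illustration and not taken from the Cisco Talos guide or any product: it separates the text a reader would see from text hidden by inline styles, and counts ZWSP/ZWNJ characters. The names `SaltScanner`, `scan` and `SAMPLE` are hypothetical, the sample message is constructed, and only inline `style` attributes on well-nested markup are handled.

```python
import re
from html.parser import HTMLParser

ZERO_WIDTH = "\u200b\u200c"  # ZWSP and ZWNJ, the two characters named above
# Inline declarations that hide an element; border-width etc. must not match.
HIDING_STYLE = re.compile(
    r"(?<![\w-])(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:(?:max-)?width|font-size)\s*:\s*0(?:px|em|%)?\s*(?:;|$))", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}

class SaltScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []          # per open element: is it, or an ancestor, hidden?
        self.visible, self.hidden = [], []
        self.hiding_styles = 0   # number of elements carrying a hiding style

    def handle_starttag(self, tag, attrs):
        hides = bool(HIDING_STYLE.search(dict(attrs).get("style") or ""))
        self.hiding_styles += hides
        if tag not in VOID_TAGS:
            self.stack.append(hides or (bool(self.stack) and self.stack[-1]))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        in_hidden = bool(self.stack) and self.stack[-1]
        (self.hidden if in_hidden else self.visible).append(data)

def scan(html):
    """Return the rendered text, the hidden text and two salting counters."""
    p = SaltScanner()
    p.feed(html)
    p.close()
    raw = " ".join(p.visible)
    rendered = raw.translate({ord(c): None for c in ZERO_WIDTH})
    return {
        "rendered_text": " ".join(rendered.split()),   # what the reader sees
        "hidden_text": " ".join(" ".join(p.hidden).split()),
        "hiding_styles": p.hiding_styles,
        "zero_width_chars": sum(raw.count(c) for c in ZERO_WIDTH),
    }

# Constructed sample: brand name split by ZWSP/ZWNJ, French filler hidden by CSS.
SAMPLE = ('<p>Your W\u200be\u200bl\u200bls Far\u200cgo account is locked.</p>'
          '<span style="display:none">Bonjour le monde</span>'
          '<div style="width:0;overflow:hidden"><b>facture</b> merci</div>'
          '<p style="border-width:0">Sign in to review.</p>')
```

Feeding `rendered_text` rather than the raw body to brand and language classifiers, and treating non-zero `hiding_styles` or `zero_width_chars` as scoring signals, is one way to apply the result.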
Email remains one of the top attack vectors, due to its simplicity, omnipresence, and low cost for a large-scale operation. It also owes its popularity to the fact that it attacks the email security chain at its weakest link - the human.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.