
Attackers are using text salting—a decades-old technique that embeds hidden, harmless-looking words in emails—to fool AI-powered email filters while keeping messages readable to humans. Barracuda detected more than one million such phishing attacks since April and found that LLM-based security tools, unlike traditional filters, typically lack the ability to distinguish between visible and hidden text, making them vulnerable to the same tricks that older email gateways learned to block long ago.
Summaries like this, in your inbox every morning.
Sign up free →What happened
Cybersecurity firm Barracuda detected more than one million retail-themed phishing attacks using "text salting" since April. The technique hides random harmless words in emails via CSS cropping, text manipulation, or zero-font techniques to confuse AI-powered email filters while remaining invisible to human readers.
Why it matters
LLM-based and machine-learning email security tools process text without understanding whether it is visible or hidden to users, making them vulnerable to decades-old tricks that traditional secure email gateways have largely adapted to. Enterprises relying on AI alone for email security may be exposing employees to phishing attacks that pass through their filters.
What to watch
Barracuda recommends a layered approach to email security that checks sender reputation, authentication results, embedded URLs, HTML-rendering techniques, and differences between user-visible and hidden content rather than relying solely on keyword detection.
Barracuda, an email security company, issued a report on Thursday detailing how text salting—a venerable email evasion technique—continues to fool modern AI-powered email filters. Since April, Barracuda has detected more than one million retail-themed phishing attacks leveraging this method. Text salting works by embedding random, benign-sounding words throughout a malicious email to confuse automated scanning systems into misclassifying the message as legitimate. To prevent human readers from becoming suspicious, attackers employ three primary concealment methods: CSS cropping shrinks the visible window so hidden text remains off-screen; text manipulation shifts filler content beyond the visible area; and zero-font techniques insert misleading words in invisible font between visible phishing content. The result is an email that appears harmless and filled with gibberish to a machine but reads exactly as the attacker intended when opened by a person. Traditional secure email gateways have developed robust defenses against these tricks over the years, incorporating hidden-text removal and alerting mechanisms. LLM-based and machine-learning email security tools, however, have not kept pace. According to Barracuda, these systems are typically designed to process email text straightforwardly without understanding whether content is visible or hidden to the user. While they could theoretically be trained to distinguish visible from hidden text, most deployed tools apparently do not perform this task by default. Barracuda recommends that enterprises adopt a layered email security approach rather than relying solely on keyword detection, including checks of sender reputation, authentication results, embedded URLs, HTML-rendering techniques, and the detection of discrepancies between user-visible and hidden content.
Text salting is not a new attack vector; it has been used against traditional secure email gateways for years and is rooted in early 2000s spam-evasion techniques. Modern email security systems have largely adapted to these tactics by implementing defenses such as hidden-text removal, alerting on suspicious volumes of concealed content, and other countermeasures. However, the shift toward LLM-based and machine-learning security tools has created a regression: these newer AI systems process email content without inherent awareness of the distinction between visible and hidden text. While they can theoretically be trained to make this distinction, most deployed tools apparently lack this capability by default. The result is that attackers have found a way to exploit a gap in AI's capabilities that older, more specialized security software had already closed, exposing enterprises that have adopted AI-only or AI-dominant email filtering strategies to an old threat wearing new clothes.
AI-summarized, only the topics you pick — one digest a day via Email, Slack, or Discord.
Free · takes 30 seconds · unsubscribe anytime
No discussion yet for this article
Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.
Get Started FreeFree · takes 30 seconds · unsubscribe anytime
1 minute a day. The AI essentials.
200+ sources · Email / LINE / Slack