Old Text-Salting Tactics Are Challenging Some AI-Powered Spam Filters

Attackers are reviving a long-used email evasion technique to get phishing messages past some machine-learning and large language model (LLM)-based security systems, according to cybersecurity company...

Attackers are reviving a long-used email evasion technique to get phishing messages past some machine-learning and large language model (LLM)-based security systems, according to cybersecurity company Barracuda.

Barracuda said it identified more than one million retail-themed phishing emails using “text salting” since April. The method adds large amounts of apparently harmless or irrelevant wording to a malicious message. The extra content is intended to dilute signals that automated systems use when deciding whether an email is suspicious.

The technique has been used against conventional secure email gateways for years. In current campaigns, attackers are also taking steps to keep the filler material out of sight of human recipients. Barracuda identified several common approaches:

  • CSS cropping: HTML limits the visible area so the additional text is hidden from the reader.
  • Text positioning: Content is moved outside the portion of the message normally displayed on screen.
  • Zero-font techniques: Extra terms are inserted using formatting that makes them invisible, while automated analysis may still process them.

These methods can create a gap between what a security model analyzes and what the recipient sees. A message may appear to contain routine or legitimate content to an AI system after the filler is included, while the visible email still presents the phishing lure designed by the attacker.

Traditional email defenses have developed ways to detect or strip hidden content, but Barracuda said some AI-driven systems are not consistently distinguishing between visible text and underlying HTML or source code. LLMs are often configured to analyze the text and code they receive without automatically determining whether that material is visible to a user.

The company recommends that organizations avoid relying on keyword or AI classification alone. A layered program should also consider sender reputation, authentication results, links and other embedded content, HTML rendering behavior, and discrepancies between visible and hidden portions of a message.

Text salting illustrates that established attack techniques remain relevant as email defenses evolve. Organizations should test how their filtering systems handle manipulated HTML and obscured content, while maintaining additional controls for suspicious links, senders, and authentication failures.