Full Report
Turns out decades-old email tricks still work against some LLM-powered email filters
Analysis Summary
# Tool/Technique: Text Salting
## Overview
Text salting is an adversarial technique used to bypass email security filters by inserting large amounts of "harmless" or benign text into a malicious email. The goal is to dilute the "maliciousness" score of the message, confusing content analysis engines—specifically modern Large Language Models (LLMs) and Machine Learning (ML) classifiers—into categorizing the phishing attempt as legitimate or "neutral" communication.
## Technical Details
- **Type:** Evasion Technique / Obfuscation
- **Platform:** Email Systems (SaaS/On-prem), LLM-based Security Filters
- **Capabilities:** Bypassing content-based detection, misleading AI classification, hiding malicious intent from automated scanners.
- **First Seen:** Early 2000s (Observed targeting LLMs specifically since approx. April 2026).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information**
- **T1566 - Phishing**
- **T1204.001 - User Execution: Malicious Link (Target Outcome)**
## Functionality
### Core Capabilities
- **Content Dilution:** Floods the email body with benign, random, or retail-themed words to lower the density of malicious keywords (e.g., "password," "login," "invoice").
- **AI Confusion:** Exploits the way LLMs process plain text and source code; because many LLMs do not inherently distinguish between what is rendered to a human and what is hidden in the HTML, they process the "salt" as part of the primary message intent.
### Advanced Features (Hiding Methods)
- **CSS Cropping:** Sets a restrictive visible window (div/span) via CSS so the human recipient only sees the phishing lure, while the scanner sees the hidden benign text.
- **Zero Font Technique:** Inserts words or characters with a font size of zero. This makes the text invisible to the user but fully readable by the automated parser.
- **Off-Screen Positioning:** Uses CSS absolute positioning to move "salty" text far outside the visible area of the user's email client.
## Indicators of Compromise
- **File Hashes:** N/A (Technique-based)
- **File Names:** N/A
- **Registry Keys:** N/A
- **Network Indicators:** Often associated with retail-themed phishing domains (e.g., spoofed brand sites).
- **Behavioral Indicators:**
- Presence of high ratios of hidden vs. visible text in HTML bodies.
- Large blocks of nonsensical or random words contained within `<span>`, `<div>`, or `<p>` tags with `display:none` or `font-size:0`.
## Associated Threat Actors
- **General Cybercriminals:** Widely used by various unclassified phishing campaigns.
- **Retail-Themed Phishing Actors:** Specifically noted for over 1 million attacks since April 2026.
## Detection Methods
- **HTML Rendering Analysis:** Comparing the text rendered by a browser-like engine against the raw text extracted by the LLM parser.
- **Hidden Text Detection:** Flagging emails that contain "Zero Font" or CSS-based text hiding techniques.
- **Statistical Disparity:** Analyzing the discrepancy between the "apparent" intent of the email and the total word count/lexical diversity.
- **Signatures:** Identification of common "salt" word lists or repeated random string patterns.
## Mitigation Strategies
- **Layered Defense:** Avoid relying solely on LLMs for content analysis. Incorporate sender reputation (SPF, DKIM, DMARC) and URL sandboxing.
- **Visual Similarity Analysis:** Use tools that evaluate the email as it appears to the user (OCR/screenshot analysis) rather than just the code.
- **Heuristic Content Filters:** Implement rules to flag emails containing unusually high volumes of hidden elements or CSS manipulations.
- **User Training:** Educating employees to recognize high-pressure retail phishing even if the email bypasses the "Junk" folder.
## Related Tools/Techniques
- **Zero-Font Phishing:** A specific subset of text salting.
- **Adversarial Machine Learning:** The broader field of manipulating AI inputs to cause misclassification.
- **Bayesian Poisoning:** The historical predecessor used to trick early spam filters.