Full Report
A simple yet effective tactic, known as hidden text salting, has increasingly been used by cybercriminals over the past few months to evade even the most advanced email security solutions, including those powered by machine learning and large language models.
Analysis Summary
# Tool/Technique: Hidden Text Salting (CSS Abuse)
## Overview
Hidden Text Salting is a technique observed in malicious emails where threat actors abuse Cascading Style Sheets (CSS) properties to embed irrelevant content ("salt") within various parts of an email (preheader, header, attachments, body). The primary purpose is to evade detection mechanisms, such as spam filters, by confusing or influencing components like language detection.
## Technical Details
- Type: Technique
- Platform: Email/HTML rendered content
- Capabilities: Obfuscation, evasion of content-based filtering, manipulation of language detection.
- First Seen: Not stated as a single date; the source cites a monitoring period of March 1, 2024 – July 31, 2025.
## MITRE ATT&CK Mapping
The technique is an evasion measure applied at delivery time: the salt is meant to defeat the gateway's content analysis (language detection, keyword and statistical scoring) before the message reaches the recipient, not to hide anything after execution.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (If used in attachments)
- T1566.002 - Spearphishing Link (If used in rendered HTML content)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (CSS used to conceal content inside the delivered HTML). ATT&CK has no sub-technique specific to CSS-hidden text; note that T1027.002 is Software Packing and does not apply here.
## Functionality
### Core Capabilities
- **Content Hiding:** Embedding text, paragraphs, or comments styled with CSS so that they are invisible to the recipient while remaining present in the HTML source that filters parse.
- **Evasion of Language Detection:** Inserting content in foreign languages (e.g., French words in an English email) so that language analysis components in email filtering systems classify the message incorrectly, potentially bypassing region-specific spam rules.
- **Bypassing Simple Filters:** Padding the message with benign hidden text so that keyword-, ratio- or statistics-based classifiers score the raw HTML differently from what the recipient actually sees.
### Advanced Features
- **Property Abuse:** The technique relies on abusing specific CSS properties to toggle visibility or size:
- Text properties (e.g., `font-size`).
- Visibility and display properties (e.g., `display: none`, `visibility: hidden`).
- Clipping and sizing properties (e.g., manipulating `line-height` alongside font size).
- **Targeted Placement:** Salt is frequently embedded in high-impact areas like the preheader and the email body.
## Indicators of Compromise
Since this is a technique focusing on HTML/CSS structure, IoCs are generally behavioral or structural rather than static file indicators.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Technique relies on content structure, not C2 communication).
- Behavioral Indicators:
- Presence of large amounts of hidden content within HTML source code of emails.
- Use of CSS properties like `font-size: 0px`, `display: none` or `visibility: hidden` on blocks of text, whether inline or via class rules in a `<style>` block.
- Mismatch between the declared email language (e.g., HTML `lang` attribute or headers) and visually hidden embedded text.
## Associated Threat Actors
Threat actors engaged in widespread spam and large-scale email threats are known to employ this technique, often associated with commodity phishing campaigns impersonating major brands (e.g., PayPal, Blue Cross Blue Shield). Specific groups were not named in the provided context, but the activity is prevalent in **spam campaigns**.
## Detection Methods
- Signature-based detection: Brittle; a signature catches only the specific CSS pattern it was written for, and trivial variations (a different zero-size unit, a class-based rule instead of an inline style) evade it.
- Behavioral detection: Effective detection compares the text a recipient would see (after applying the CSS) with the full text of the source, and flags large or language-mismatched hidden blocks.
- YARA rules: Could be developed to look for common suspicious CSS property combinations used for concealment across email bodies.
## Mitigation Strategies
- **HTML Sanitization:** Perform strict HTML sanitization upon ingestion to strip or escape invisible text before it reaches downstream detection engines.
- **Content Filtering:** Deploy filters (the source mentions prompt guards) at the email gateway or proxy layer that identify content styled to be invisible and either strip it or exclude it from scoring.
- **Advanced Defense:** Utilize AI-driven email security solutions employing deep learning, machine learning, and Natural Language Processing to extract context and detect harmful techniques despite obfuscation.
- **Header Inspection:** Examine headers like `X-Forefront-Antispam-Report` for additional context, bearing in mind that salting is designed to skew the verdicts those headers report.
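The following is an added example written for this summary; it is not Cisco Talos code or any vendor's filter. It ties together the functionality, indicators, detection and sanitization points above: a constructed English lure salted with French text through the CSS properties the report names (`display`, `visibility`, `font-size`, `line-height`, plus `opacity`), a small parser that splits the message into visible and hidden text, a naive stopword language guesser standing in for a gateway's language detector, and a verdict based on the hidden-text ratio and the language mismatch. The sample message, the class names and the stopword lists are all constructed for illustration; only the Python standard library is used.

```python
"""Detect and strip CSS hidden-text salting in HTML email bodies (added example)."""
import re
from html.parser import HTMLParser

# Constructed sample (not a real message): English lure with French "salt"
# concealed via a <style> rule, an inline style and a zero font-size class.
SALTED_EMAIL = """<html lang="en"><head><style>
  .salt-a { display: none; }
  .salt-b { font-size: 0px; line-height: 0; }
</style></head><body>
<div class="salt-a">bonjour nous vous informons que votre dossier est en cours de traitement</div>
<p>Your account access has been limited. Please verify your details to restore it.</p>
<div style="visibility: hidden">merci pour votre confiance et votre fidélité</div>
<p class="salt-b">veuillez trouver ci-joint le document demandé</p>
<p>Regards, The Support Team</p>
</body></html>"""

# (property, regex on its value) pairs that make an element invisible to the reader.
HIDING_RULES = (
    ("display", r"^none$"),
    ("visibility", r"^hidden$"),
    ("opacity", r"^0(\.0+)?$"),
    ("font-size", r"^0(\.0+)?(px|pt|em|rem|%)?$"),
    ("line-height", r"^0(\.0+)?(px|pt|em|rem|%)?$"),
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr", "source"}

def declarations_hide(css: str) -> bool:
    """True if a declaration block such as 'display: none; color: red' hides its element."""
    for decl in css.split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip().lower() for part in decl.split(":", 1))
        value = value.replace("!important", "").strip()
        if any(prop == p and re.match(rx, value) for p, rx in HIDING_RULES):
            return True
    return False

def hidden_classes_from_style(style_text: str) -> set:
    """Class names whose simple '.cls { ... }' rule hides the element."""
    hidden = set()
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", style_text):
        if declarations_hide(body):
            hidden.update(c.lower() for c in re.findall(r"\.([\w-]+)", selector))
    return hidden

class SaltParser(HTMLParser):
    """Splits document text into what the recipient sees and what CSS hides."""

    def __init__(self, hidden_classes):
        super().__init__(convert_charrefs=True)
        self.hidden_classes = hidden_classes
        self.stack = []              # (tag, is_hidden) for each open element
        self.visible, self.hidden = [], []
        self._skip = 0               # depth inside <style>/<script>, never body text

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]   # hidden parent hides children
        classes = set((a.get("class") or "").lower().split())
        hidden = inherited or declarations_hide(a.get("style") or "") or bool(classes & self.hidden_classes)
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1
        if tag in VOID_TAGS:
            return
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate missing closers
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_startendtag(self, tag, attrs):
        pass                         # <br/> etc. carry no text

    def handle_data(self, data):
        text = data.strip()
        if self._skip or not text:
            return
        (self.hidden if self.stack and self.stack[-1][1] else self.visible).append(text)

# Toy stopword lists standing in for a real language detector (constructed).
STOPWORDS = {
    "en": {"the", "your", "to", "and", "has", "been", "please", "it", "is", "we", "you"},
    "fr": {"le", "la", "les", "votre", "nous", "vous", "est", "et", "de", "pour", "que", "merci"},
}

def guess_language(text: str) -> str:
    words = re.findall(r"[^\W\d_]+", text.lower())
    scores = {lang: sum(w in stops for w in words) for lang, stops in STOPWORDS.items()}
    return max(scores, key=scores.get)

def analyse_email(html: str) -> dict:
    """Return visible/hidden text, the hidden ratio, language guesses and a salting verdict."""
    style_text = " ".join(re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I))
    parser = SaltParser(hidden_classes_from_style(style_text))
    parser.feed(html)
    parser.close()
    visible, hidden = " ".join(parser.visible), " ".join(parser.hidden)
    total = len(visible) + len(hidden)
    m = re.search(r'<html[^>]*\blang="([A-Za-z-]+)"', html, re.I)
    report = {
        "visible_text": visible,                      # sanitized text for downstream engines
        "hidden_text": hidden,
        "hidden_ratio": round(len(hidden) / total, 2) if total else 0.0,
        "declared_lang": m.group(1).split("-")[0].lower() if m else "",
        "raw_lang": guess_language(visible + " " + hidden),   # what a naive filter scores
        "visible_lang": guess_language(visible),              # what the recipient reads
    }
    report["salted"] = report["hidden_ratio"] >= 0.2 or report["raw_lang"] != report["visible_lang"]
    return report

if __name__ == "__main__":
    for key, value in analyse_email(SALTED_EMAIL).items():
        print(f"{key}: {value}")
```

On the constructed sample the naive detector scores the raw source as French while the recipient reads English, and well over half of the text is hidden, so the message is flagged; the `visible_text` field is the sanitized body a downstream engine should score instead. Real gateways need fuller CSS handling (media queries, `clip`, off-screen positioning, nested selectors) than this illustration, which handles only the property patterns the report names and simple class rules.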
## Related Tools/Techniques
- General HTML/Email Obfuscation techniques.
- Techniques that leverage misdirection in email headers or visual layout for evasion.
- Image-based threats (as an alternative evasion method mentioned in the context).