2 min read

Old-school text tricks fool AI spam filters

Barracuda says attackers have used text salting in more than one million phishing emails since April to confuse AI-powered spam filters.

Image: The Register

More than one million retail-themed phishing attacks have used “text salting” since April, according to cybersecurity firm Barracuda. The decades-old tactic, long used against traditional secure email gateways, is now confusing some machine-learning and large language model (LLM)-based filters as well.

Text salting adds random, harmless-looking words to a malicious message. The extra content is intended to make automated scanners classify the email as benign while leaving the visible message looking normal to its recipient.

How text salting hides phishing content

Barracuda said attackers typically conceal the filler text in one of three ways:

  • CSS cropping: The visible window is made too small for a human reader to see the hidden copy.
  • Text manipulation: Salting content is moved outside the visible area of the message.
  • Zero-font techniques: Misleading words are inserted between suspicious phrases, making them available to automated systems but invisible to people.

These methods can make a message appear less malicious—or simply more like gibberish—to a scanner, while preserving the appearance intended by the attacker for human recipients.

Recommended reading

ClickLock Stealer traps macOS users with password prompts

Traditional email security systems have largely adapted by stripping hidden text, flagging messages containing unusually large amounts of concealed content, and comparing what a user can see with the underlying HTML. Barracuda says some AI-powered systems have not consistently made the same distinction.

“Text salting and related techniques can be used to confuse AI-driven content analysis engines by flooding the email with random terms that encourage the AI system into making an incorrect classification decision.”

Barracuda

Barracuda recommends layered email defenses

Barracuda said LLMs are generally designed to process email text and source code plainly, without understanding whether particular content is visible or hidden from the recipient. The models can be trained to account for that difference, but the company said this likely is not enabled by default in many tools.

Rather than relying solely on keyword detection or an AI filter, Barracuda recommends a layered approach that checks:

  • Sender reputation
  • Authentication results
  • Embedded URLs
  • HTML-rendering techniques
  • Differences between user-visible and hidden content

The findings suggest that adding an AI component to email filtering does not automatically eliminate older evasion techniques. In some cases, the extra text is still enough to push a malicious message past the filter.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

/ Keep reading