Hackers Use CSS Properties and Messages to Inject Malicious Codes in Hidden Text Salting Attack

Cisco Talos has uncovered a growing abuse of Cascading Style Sheet (CSS) properties in email-based cyberattacks, leveraging a stealthy tactic called hidden text salting to bypass detection systems.

This technique, monitored between March 2024 and July 2025, involves inserting irrelevant or malicious snippets into emails while making them visually invisible to recipients.

Hidden text salting has been identified in phishing, spear phishing, and scam campaigns, occurring significantly more frequently in spam than in legitimate messages, posing challenges for both AI-driven and straightforward defenses.

Abuse of CSS to Evade Detection

Hidden text salting works by blending invisible “salt” (random characters, multilingual words, or HTML comments) into email parts such as the preheader, header, attachments, and body. Talos documented multiple abuse methods:

  • Text property manipulation: Using font-size: 0, matching text color to background, or embedding zero-width spaces (ZWSP) and zero-width non-joiners (ZWNJ) between brand names such as “Norton LifeLock” to defeat keyword-based detection.
  • Visibility/display alteration: Setting opacity: 0, visibility: hidden, or display: none to hide malicious text blocks inserted between legitimate content.
  • Clipping and sizing exploitation: Forcing container widths to zero or clipping oversized salt into invisible shapes with overflow: hidden.

Talos found attackers embedding invisible phrases to disrupt language detection used by solutions like Microsoft Exchange Online Protection (EOP), making phishing emails appear multilingual when they are primarily English.

In one case, French words hidden via display: none confused spam filters, resulting in increased delivery success rates.

Attachments are also a primary vector. HTML files were padded with irrelevant Base64 comments to obstruct URL decoding, or with hidden German paragraphs designed to evade static analysis.

Spear phishing messages targeted Cisco Secure ETD customers by inserting junk HTML tags and concealed malicious scripts while displaying legitimate logos like Microsoft SharePoint.

A scam email impersonating the PayPal brand.

Advanced adversaries manipulate CSS salt to affect Large Language Model (LLM)-driven detection pipelines.

By inserting invisible, random phrases, attackers have altered AI-derived intent and sentiment scores from “Request Action” to benign values, such as “Schedule Meeting,” allowing malicious prompts to slip through security layers undetected.

Mitigation Strategies for Email Security

Talos recommends HTML sanitization during ingestion to strip invisible salt before downstream processing, as well as proactive prompt guarding in email gateways to automatically ignore hidden content.

Detection models should expand beyond keyword scanning to include analysis of visual characteristics and AI-driven behavioral detection, ensuring that legitimate responsive designs are not falsely flagged while malicious salting is neutralized.
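One way to apply the ingestion-time sanitization described above, as an added example (not code from Talos or Cisco): it separates rendered text from text hidden by inline font-size: 0, opacity: 0, visibility: hidden or display: none, drops HTML comments, and removes ZWSP/ZWNJ so keyword and language checks see what the recipient sees. The names VisibleText and sanitize and the sample body are assumptions made for this sketch; stylesheet rules, color matching and clipping are not covered.

```python
import re
from html.parser import HTMLParser

# Inline-style declarations that hide text (constructed pattern, not Talos's detection logic).
HIDING_CSS = re.compile(
    r"(?<![-\w])(?:font-size\s*:\s*0(?![.\d])|opacity\s*:\s*0(?![.\d])"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)
ZERO_WIDTH = re.compile("[\u200b\u200c]")  # ZWSP and ZWNJ
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []    # (tag, hidden) for each open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]
        hides = bool(HIDING_CSS.search(style)) or tag in ("script", "style")
        self.stack.append((tag, inherited or hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed elements do not skew the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        hidden = bool(self.stack) and self.stack[-1][1]
        (self.hidden if hidden else self.visible).append(data)

def sanitize(html):
    """Return (visible text for downstream analysis, list of hidden fragments)."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    clean = lambda s: " ".join(ZERO_WIDTH.sub("", s).split())
    hidden = [clean(h) for h in parser.hidden if clean(h)]
    return clean("".join(parser.visible)), hidden

# Constructed sample body, not taken from a real campaign.
SAMPLE = (
    '<div>Your Nor\u200bton Life\u200cLock plan expires today.'
    '<span style="display:none">bonjour merci facture</span>'
    '<p style="font-size: 0px">qzx vbn</p>'
    '<!-- aGVsbG8= --> Renew <b style="opacity:0.9">now</b></div>'
)
```

The hidden fragments are returned rather than discarded so that their presence and volume can be logged or scored separately from the visible text.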

Phishing email impersonating the Blue Cross Blue Shield organization.

This evolving CSS abuse highlights the need for continuous adaptation of email security strategies, with Cisco Secure Email Threat Defense integrating NLP, deep learning, and ML to maintain resilience.

With adversaries refining invisible injection methods, security teams must actively hunt for hidden text patterns across all email components to counter this stealthy and increasingly impactful threat vector.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders
