A sophisticated technique known as hidden text salting has emerged as a significant threat to email security systems, allowing cybercriminals to bypass detection mechanisms through the strategic abuse of cascading style sheets (CSS) properties.
This attack vector enables threat actors to embed irrelevant content, or “salt,” within various components of malicious emails while rendering it invisible to recipients.
The technique has gained widespread adoption across multiple threat categories, including phishing campaigns, scam operations, and advanced persistent threats targeting high-value organizations.
Hidden text salting represents a fundamental shift in how adversaries approach email-based attacks, moving beyond traditional content-based evasion to exploit the very foundation of web presentation standards.
By manipulating CSS properties such as font-size, opacity, display, visibility, and container dimensions, attackers can inject substantial amounts of hidden content that confuses automated detection systems while maintaining the visual integrity of their malicious messages.
This approach has proven particularly effective against both signature-based security solutions and advanced machine learning models that rely on textual analysis for threat classification.
The technique manifests across four primary injection points within email infrastructure: preheaders, headers, message bodies, and HTML attachments.
Each location offers unique advantages for threat actors seeking to evade specific detection mechanisms. Preheader injection allows attackers to manipulate preview text that appears in email clients, while header manipulation can confuse language detection algorithms.
Body injection remains the most prevalent method, offering extensive opportunities for content dilution, whereas attachment-based salting complicates static analysis procedures used by security vendors.
Cisco Talos researchers identified this emerging threat pattern through comprehensive monitoring of over sixteen months of email campaigns, analyzing threats from March 2024 through July 2025.
The research reveals that hidden text salting occurs significantly more frequently in malicious emails compared to legitimate communications, with spam and phishing campaigns showing disproportionately higher usage rates.
The analysis encompasses multiple threat actor groups employing variations of the technique, from simple character insertion to sophisticated multilingual content injection designed to confuse natural language processing systems.
The implications extend beyond traditional email security, potentially impacting modern defense systems that incorporate large language models for threat analysis.
Researchers have demonstrated how minimal hidden content can alter the sentiment analysis and intent classification performed by AI-driven security tools, effectively transforming malicious messages into seemingly benign communications from an algorithmic perspective.
Technical Implementation Methods and Detection Evasion
The technical implementation of hidden text salting relies on three primary categories of CSS property manipulation: text properties, visibility controls, and dimensional constraints.
Text-based concealment involves setting font-size to zero or near-zero values, matching font colors to background colors, or manipulating line-height properties to render content invisible. These methods prove effective against parsers that extract visible text content without considering CSS styling contexts.
Visibility and display property abuse represents the most straightforward implementation approach, utilizing CSS declarations such as “display: none,” “visibility: hidden,” or “opacity: 0” to remove content from visual rendering while preserving it within the HTML source.
Advanced variants employ conditional styling based on media queries or client-specific properties, ensuring content remains hidden across different email clients and viewing environments.
Dimensional manipulation techniques focus on container-based concealment, where threat actors create HTML elements with zero width, height, or maximum dimensions, effectively clipping content beyond visible boundaries.
This approach often incorporates overflow controls set to “hidden,” ensuring that oversized content within constrained containers remains invisible to recipients while remaining accessible to HTML parsers and text extraction algorithms.
Hidden salt content here
The sophistication of implementation varies considerably across threat actors, with some employing simple single-property concealment while others utilize complex multi-layered approaches combining multiple CSS techniques.
Advanced implementations incorporate responsive design principles, ensuring hidden content remains concealed across desktop, mobile, and webmail platforms.
Some campaigns utilize CSS selectors to apply concealment properties across multiple HTML elements simultaneously, reducing code redundancy while maintaining evasion effectiveness.
Character-level injection represents another prevalent technique, where threat actors insert zero-width space characters (ZWSP) or zero-width non-joiner (ZWNJ) characters between letters of brand names or sensitive keywords.
While invisible to human recipients, these characters effectively break keyword matching algorithms and signature-based detection systems that rely on exact string matching for threat identification.
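For defenders, the concealment categories and zero-width characters described above can be checked for before text reaches a classifier. The following Python sketch is an added example, not code from Cisco Talos or the original article: it separates text a recipient would see from text hidden by inline CSS and strips ZWSP/ZWNJ so keyword matching runs on the rendered wording. It assumes inline style attributes only (no style blocks, media queries or colour matching), and the names SaltSplitter, analyze and SAMPLE are hypothetical.

```python
import re
from html.parser import HTMLParser

ZERO_WIDTH = re.compile("[\u200b\u200c]")  # ZWSP and ZWNJ, as named in the article
# Inline-style declarations matching the article's three concealment categories.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|font-size\s*:\s*0(\.0+)?\s*(px|pt|em|%)?\s*(;|$)"
    r"|(?<![-\w])(max-)?(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no end tag

class SaltSplitter(HTMLParser):
    """Separate text a recipient sees from text hidden by inline CSS."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]  # hidden ancestors hide children
        self.stack.append((tag, inherited or bool(HIDING.search(style))))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if data.strip():
            concealed = bool(self.stack) and self.stack[-1][1]
            (self.hidden if concealed else self.visible).append(data.strip())

def analyze(html):
    parser = SaltSplitter()
    parser.feed(html)
    parser.close()
    raw = " ".join(parser.visible)
    return {"visible": ZERO_WIDTH.sub("", raw),          # text to scan for keywords
            "hidden": " ".join(parser.hidden),           # salt candidates
            "zero_width_count": len(ZERO_WIDTH.findall(raw))}

# Constructed sample body (not taken from any real campaign).
SAMPLE = ('<div style="border-width:0">Your Example\u200bBank acc\u200c' 'ount is locked.'
          '<span style="font-size:0">weather recipe holiday</span>'
          '<div style="max-height:0;overflow:hidden"><p>Hidden salt content here</p></div>'
          ' Verify now.</div>')
```

A high ratio of hidden to visible text, or any zero-width characters inside brand names, is a useful feature to pass to downstream scoring alongside the cleaned visible text.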
The research conducted by Cisco Talos demonstrates that hidden text salting has evolved from a simple evasion technique to a sophisticated attack methodology capable of undermining both traditional and next-generation email security solutions, requiring organizations to implement comprehensive detection and filtering mechanisms that account for CSS-based content concealment.