font-size:1px and line-height:0, only revealed when font size was increased to 20px.
Likewise, Harbor Freight phishing emails included hidden French salt via display:none, confusing the X-Forefront-Antispam-Report language field.
Techniques and Examples
Cisco Talos categorizes the misuse of CSS for hidden text salting into three content types and four insertion points. The content types are random characters, irrelevant paragraphs, and HTML/JavaScript comments.
Characters often include zero-width spaces (ZWSP) or non-joiners (ZWNJ) inserted between brand names, as seen in Norton LifeLock impersonations.
Attackers embed German and Finnish phrases in paragraph salt within HTML attachments to thwart static analysis. In another campaign, irrelevant comments were interspersed within Base64-encoded URLs to complicate decoding.
These salts appear in four main email regions: preheader, header, attachments, and body. Preheaders have contained tempting phrases like “FOUR yummy soup recipes just for you!” hidden via opacity:0, max-height:0, and mso-hide:all to entice clicks without detection.
Attachments carry salts in HTML, where attackers insert random comments around Base64 data. The body remains the most common locus, with raw keywords interspersed with junk characters to evade filters.
Attackers also manipulate CSS property categories to cloak salt. Text properties (font-size, color, line-height) shrink or recolor text to blend with backgrounds.
Visibility and display properties (display:none, visibility:hidden) remove elements from rendering. Clipping and sizing (width:0, overflow:hidden) clip hidden text within zero-dimension containers.
In a Wells Fargo phishing example, meaningful keywords were salted using a global bdo selector with font-size:0, altering the intent classification of LLM-based defenses from “Request Action” to “Schedule Meeting.”
Mitigations
Defenders must adopt a dual approach: detection and filtering. Detection solutions should extend beyond simple text parsing to analyze CSS usage patterns and visual discrepancies.
Talos selected a few simple CSS properties that can be used to hide the added salt, including “font-size: 0,” “opacity: 0,” “display: none,” “max-width: 0,” “max-height: 0,” “color: transparent,” “visibility: hidden,” “width: 0” or “height: 0.” We then searched for these indicators in emails reclassified by Cisco Secure ETD customers.
Advanced filters can inspect email parts—preheader, header, body, attachments—to identify and flag hidden content. Incorporating visual-based analysis, such as rendering email snapshots to detect invisible overlays, can thwart image-based threats.
Organizations should fine-tune policies to tolerate legitimate uses while flagging abnormal CSS payloads. Adopting AI-driven, deep-learning models that consider visual, structural, and contextual features can dramatically improve resilience against this evasive tactic.
Filtering solutions must sanitize HTML at ingestion, stripping or escaping invisible elements before downstream engines process messages. Email gateways can deploy prompt guards to ignore any content styled as hidden.
Hidden text salting is far more prevalent in spam and phishing than in legitimate mail, though some benign uses of CSS (responsive design, tracking pixels) resemble these techniques.
By recognizing and neutralizing hidden text salting, security teams can restore the integrity of email defenses and prevent adversaries from slipping past layers of protection.
Continuous monitoring of CSS misuse, coupled with proactive sanitization, will be critical in countering this emerging threat.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
