Barracuda has warned of a sharp increase in phishing campaigns using “text salting”, a long-established evasion technique that is proving effective against both traditional email security products and newer AI-powered systems.
The cyber security vendor revealed in a new report that it has identified more than 1 million phishing attacks employing the tactic, which works by embedding large volumes of benign text within an email while keeping it hidden from recipients.
The hidden content is visible to email scanners but not to users, allowing attackers to dilute suspicious keywords or break up known phishing phrases that security tools rely on to identify malicious messages.
In one example, attackers inserted invisible text into phrases such as “Your password expired”, preventing scanners searching for the exact wording from recognising the phishing attempt. Hidden content often included random stories, project notes or other innocuous language intended to outweigh high-risk terms such as “urgent”, “rewards”, or “expires”. Meanwhile, the visible email encouraged recipients to claim expiring loyalty points or gift cards.
According to Barracuda, the technique has become increasingly effective as generative AI enables attackers to rapidly create unique blocks of realistic-looking text that can confuse machine learning models and large language model-based email security systems.
“Hidden text techniques are seeing a resurgence in the age of AI,” Pranati Sethi, senior threat analyst at Barracuda, said in a statement.
“The techniques manipulate how both traditional and AI security tools interpret an email, while generative AI makes text-salting campaigns cheap, scalable and highly varied.”
The company warned that AI models typically evaluate all email content equally, including hidden text, making them susceptible to manipulation through carefully crafted benign content designed to alter the model’s assessment of an email’s intent.
Barracuda recommends organisations adopt layered email security that evaluates sender reputation, authentication, behavioural indicators, embedded links, HTML rendering and visible user content, alongside ongoing phishing awareness training for employees.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.