Hackers use CSS properties to hide malicious code in hidden text salting attacks.

In a sophisticated evolution of email-based attacks, adversaries have begun using Cascading Style Sheets (CSS) to embed hidden “salt” (irrelevant content that confuses detection systems) deep within HTML emails.

Cisco Talos’s year-long monitoring (March 1, 2024 – July 31, 2025) shows a significant rise in the abuse of CSS properties, which helps spread malicious code and evade both advanced ML-driven defenses and signature-based detection.

Attackers can evade filters, manipulate language detection, and even alter LLM-based intent analysis by embedding hidden text salts in the appropriate email components.

Hidden text salting emerged as a counter to growing email defenses. Threat actors first inserted extraneous characters between keywords to slip past signature scanners.

Over time, adversaries refined the approach by styling these characters with CSS properties—such as setting font-size:0 or opacity:0—to make the salt invisible to users but legible to parsers.

Attackers have tricked Microsoft’s language detection into misclassifying phishing emails by hiding irrelevant European-language terms in English text, so the messages pass through filters untouched.

In one case, a PayPal-impersonating scam contained the sentence “Great news, we’ve got your order” concealed in an element styled with font-size:1px and line-height:0, only revealed when font size was increased to 20px.

A fake email impersonating PayPal.

Likewise, Harbor Freight phishing emails included hidden French salt via display:none, confusing the X-Forefront-Antispam-Report language field.

Techniques and Cases

Cisco Talos breaks down the use of CSS for hidden text salting into three content types and four placement points. The content types are random characters, irrelevant sections of text, and HTML comments.

As seen in Norton LifeLock impersonations, zero-width spaces (ZWSP) or zero-width non-joiners (ZWNJ) are frequently inserted between the characters of brand names.

HTML source snippet of the above phishing email, with ZWSP and ZWNJ characters.

To prevent dynamic analysis, attackers embed German and Scandinavian phrases in HTML attachments. In another strategy, useless comments were introduced into Base64-encoded URLs to make decoding more difficult.

These salts appear in four main email regions: preheader, header, attachments, and body. Preheaders have contained tempting phrases like “FOUR yummy soup recipes just for you!” hidden via opacity:0, max-height:0, and mso-hide:all to entice clicks without detection.

The above phishing email’s HTML source code shows how salt is added to the text before the header.

In HTML attachments, the salt takes the form of random comments that attackers insert around Base64 data. The body remains the most prevalent location, with unnecessary keywords inserted to obstruct filters.

Attackers also manipulate several categories of CSS properties to cloak salt. Text properties (font-size, color, line-height) shrink or recolor text to blend with backgrounds.

Visibility and display properties (display:none, visibility:hidden) remove elements from rendering. Clipping and sizing (width:0, overflow:hidden) clip hidden text within zero-dimension containers.

In a Wells Fargo phishing example, meaningful keywords were salted using a global bdo selector with font-size:0, altering the intent classification of LLM-based defenses from “Request Action” to “Schedule Meeting.”

Mitigations

Defenders may use both detection and filtering as their primary strategies. To assess CSS usage patterns and visual differences, detection solutions may go beyond simple text parsing.

Talos used the declarations “font-size: 0”, “opacity: 0”, “display: none”, “max-width: 0”, “max-height: 0”, “color: transparent”, “visibility: hidden”, “width: 0” and “height: 0” as indicators of concealed salt, then looked for them in emails that Cisco Secure ETD customers had reclassified.

Invisible content in spam and ham messages.

Advanced filters can detect and flag hidden content in every part of an email: the preheader, header, body, and attachments. Image-based threats can be countered by adding visual analysis, such as rendering email snapshots to identify hidden overlays.

Organizations should adjust policies to allow for legitimate uses while detecting unusual CSS payloads. Adopting deep-learning models that take visual, fundamental, and contextual factors into account can significantly improve resilience to this evasive tactic.

Before downstream engines process messages, filtering solutions must sanitize HTML at ingestion, stripping or escaping hidden elements. Email providers can set up prompt guards to ignore any content that has been designated as hidden.
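The detection and sanitization steps described above can be combined in one pass over the HTML body. The following is an added example, not code from Cisco Talos or any product named in the article: it uses only Python's standard library, checks inline `style` attributes for the concealing declarations listed above, and separates rendered text from hidden salt while stripping ZWSP/ZWNJ characters. The names `hides`, `SaltScanner`, `scan` and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

ZERO_PROPS = {"font-size", "opacity", "max-width", "max-height", "width", "height"}
KEYWORDS = {("display", "none"), ("visibility", "hidden"), ("color", "transparent")}
ZERO = re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$")  # "0", "0px", "0.0em", ...
ZW = {0x200B: None, 0x200C: None}  # ZWSP, ZWNJ: deleted by str.translate
VOID = {"br", "img", "hr", "meta", "input", "link", "col", "wbr"}  # no end tag

def hides(style):  # True if an inline style conceals its element
    for decl in style.lower().split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip(), val.replace("!important", "").strip()
        if (prop, val) in KEYWORDS or (prop in ZERO_PROPS and ZERO.match(val)):
            return True
    return False

class SaltScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # (tag, hidden) per open element; hidden is inherited
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:  # void elements never contain text
            inherit = bool(self.stack) and self.stack[-1][1]
            self.stack.append((tag, inherit or hides(dict(attrs).get("style") or "")))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate sloppy nesting
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        (self.hidden if self.stack and self.stack[-1][1] else self.visible).append(data)

def scan(html):  # split a body into rendered text and concealed salt
    p = SaltScanner()
    p.feed(html)
    p.close()
    raw = "".join(p.visible)
    return {"visible": " ".join(raw.translate(ZW).split()),
            "hidden": " ".join(" ".join(p.hidden).split()),
            "zero_width": sum(raw.count(chr(c)) for c in ZW)}

SAMPLE = ('<div style="font-size:0; line-height:0">Great news, we have got your order</div>'
          '<p>Nor\u200bton Life\u200cLock: sub<span style="display: none">bonjour</span>scription'
          ' expired.</p><p style="opacity:0"><b>salt</b> more</p>')  # constructed input
```

Passing only the `visible` text to language detection or an LLM classifier keeps the salt out of their input. This sketch does not resolve stylesheet selectors (such as the global bdo rule in the Wells Fargo case) or near-zero values like font-size:1px, which require computed styles or a rendered snapshot.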

Hidden text salting is much more prevalent in spam and phishing than in legitimate mail, although some benign uses of CSS (responsive design, tracking pixels) resemble these methods.

By recognizing and neutralizing hidden text salting, security teams can restore the integrity of their defenses and stop adversaries from slipping past layers of security.

To combat this emerging threat, ongoing monitoring of CSS misuse, coupled with strategic sanitization, will be crucial.
