Full Report
Cisco Talos has identified a phishing tactic that uses hidden text salting to evade email security controls.
Analysis Summary
# Tool/Technique: Hidden Text Salting (Poisoning)
## Overview
Hidden text salting, also referred to as "poisoning," is an obfuscation technique used in email-based attacks to bypass spam filters, confuse email parsers, and defeat brand-name detection. The attacker embeds characters or elements in the HTML source of an email that the recipient never sees (hidden by CSS, or invisible by nature) but that text-based scanners still process, so the scanner and the reader see two different messages.
## Technical Details
- Type: Technique (Obfuscation/Evasion)
- Platform: Email systems (targets spam filters and parsers)
- Capabilities: defeating brand-name extraction, misleading language detection, breaking static scanning of HTML attachments.
- First Seen: Surge noted in the latter half of 2024 (according to the Cisco Talos report cited).
## MITRE ATT&CK Mapping
Since this is an evasion/obfuscation technique targeting email security infrastructure, the most relevant mapping is to Defense Evasion; the phishing delivery it protects falls under Initial Access.
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1027.006 - HTML Smuggling (for the attachment variant, where irrelevant content is inserted into base64-encoded payload strings)
- **TA0001 - Initial Access**
- T1566 - Phishing (the salted message is the lure)
- *Note: The email body is not an executable file, but hiding text within the HTML structure so that parsers and scanners process content the recipient never sees fits the definition of obfuscated information.*
## Functionality
### Core Capabilities
- **Brand Name Evasion:** Breaking up or concealing brand names (e.g., Wells Fargo, Norton LifeLock) in the email body with CSS-hidden filler or zero-width characters, so that keyword and reputation checks that depend on extracting the brand string fail while the recipient still reads the name intact.
- **Language Misdirection:** Embedding hidden text in a different language (e.g., French words in an English email) so that language-based classification in filters such as Microsoft Exchange Online Protection (EOP) misidentifies the language or content of the message.
### Advanced Features
- **HTML Smuggling Support:** In the attachment variant, irrelevant content such as HTML comments is inserted into the base64-encoded payload string inside an HTML attachment, so a static scanner that extracts and decodes the literal as-is gets a decode error or garbage instead of the malware.
- **CSS Manipulation:** Inline CSS such as `width: 0`, `visibility: hidden` or `display: hidden` is applied to the elements holding the salt so that a reader never sees it while text-based scanners still process it. Note that `display: hidden` is not valid CSS (the valid value is `display: none`); browsers drop the invalid declaration, so text under that style is actually rendered, but the string itself is a reliable salting fingerprint.
- **Zero-Width Character Insertion:** Characters such as the Zero-Width Space (ZWSP, U+200B) and Zero-Width Non-Joiner (ZWNJ, U+200C), inserted directly or as HTML character references, have no visible footprint but split a keyword such as a brand name into fragments that a substring or token match will not recognize.
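The attachment variant described under HTML Smuggling Support above, as an added example that is not Cisco Talos code and not taken from the report: a constructed HTML-smuggling file whose base64 payload string is salted with HTML comments. The assumption (labelled in the code) is that the attachment's own script strips the comments before calling `atob`, which is what lets the browser still get the file. The scanner side shows that decoding the literal as-is fails, and that removing comments and anything outside the base64 alphabet recovers the payload and its file type. The payload bytes are a constructed stand-in, not a real sample.

```python
"""Recover a base64 payload salted with HTML comments (added example, not Talos code)."""
import base64
import binascii
import re

# Constructed stand-in payload; a real sample would be an archive or executable.
PAYLOAD = b"PK\x03\x04" + b"constructed stand-in for a smuggled archive"


def salt_base64(b64, chunk=12, salt="<!--x-->"):
    """Attacker side: interleave irrelevant comments into a base64 string."""
    return salt.join(b64[i:i + chunk] for i in range(0, len(b64), chunk))


SALTED = salt_base64(base64.b64encode(PAYLOAD).decode())

# Constructed HTML-smuggling attachment. Assumption: the page removes the salt
# itself before decoding, so the browser gets the file and a naive scanner does not.
SAMPLE_ATTACHMENT = f"""<html><body><script>
var s = "{SALTED}";
var clean = s.replace(/<!--.*?-->/g, "");
var bytes = Uint8Array.from(atob(clean), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script></body></html>"""

STRING_LITERAL = re.compile(r'"([^"\n]{40,})"')   # long JS string literals only
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x7fELF": "elf"}


def naive_decode(literal):
    """What a scanner does when it trusts the literal: any salt breaks it."""
    try:
        return base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None


def desalt_decode(literal):
    """Drop comments and anything outside the base64 alphabet, fix padding, decode."""
    cleaned = NOT_BASE64.sub("", HTML_COMMENT.sub("", literal))
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def file_type(data):
    """Identify the recovered payload by its magic bytes, or None."""
    return next((kind for magic, kind in MAGIC.items() if data and data.startswith(magic)), None)


def scan(html):
    """Report every long string literal, whether it decodes naively, and what de-salting recovers."""
    findings = []
    for literal in STRING_LITERAL.findall(html):
        recovered = desalt_decode(literal)
        findings.append({
            "literal": literal,
            "naive_decoded": naive_decode(literal) is not None,
            "salt_count": len(HTML_COMMENT.findall(literal)),
            "recovered_size": len(recovered) if recovered else 0,
            "file_type": file_type(recovered),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_ATTACHMENT):
        print(finding)
```

A literal that fails strict base64 validation but decodes cleanly to a known file type after de-salting is itself a strong indicator, independent of what the payload is; a scanner can alert on that pattern before any detonation.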
## Indicators of Compromise
*Note: This technique relies on benign or structural artifacts within the email body, not typical malware IOCs like C2 addresses or hashes, although it can facilitate the delivery of malware.*
- File Hashes: N/A (Technique Focus)
- File Names: N/A (Technique Focus)
- Registry Keys: N/A
- Network Indicators: N/A (Technique Focus)
- Behavioral Indicators: heavy use of inline CSS in HTML emails; inline styles that suppress rendering (`visibility: hidden`, `display: none`, `width: 0`) or that are not valid CSS at all (`display: hidden` is not a legal value and has no rendering effect, so the string serves no legitimate design purpose and is a useful flag); zero-width characters (ZWSP U+200B, ZWNJ U+200C), literal or as HTML character references, inserted into or next to brand names and other keywords; HTML comments interleaved inside base64-encoded strings in HTML attachments.
## Associated Threat Actors
The article attributes the growing prevalence to general cybercriminals leveraging this tactic, referencing a Cisco Talos report on its usage. Specific named actors are not detailed in relation to this technique in the provided text.
## Detection Methods
- **Signature-based detection:** Weak on its own because the salt text varies freely, though signatures for recurring obfuscation patterns (specific invalid CSS values, zero-width characters inside known brand strings, comments inside base64 blobs) are practical.
- **Behavioral detection:** Flag excessive inline styling, and inline styles that suppress rendering (`visibility: hidden`, `display: none`, `width: 0`) or are invalid (`display: hidden`), especially when the styled element contains text in a different language from the rest of the message.
- **Structural Analysis:** Parse the HTML and separate the text a renderer would display from the text inside hidden or zero-size containers; run brand, language and spam classification on the visible text after removing zero-width characters, and treat a large hidden-to-visible ratio as a signal in itself.
- **AI/ML Analysis:** Combine textual features with rendering features (a screenshot of the rendered email, or the DOM after layout) so the model scores what the recipient sees rather than what the parser sees.
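The structural analysis described above, and the brand-name and language salting described under Core Capabilities and Advanced Features, as an added example that is not Cisco Talos code: a standard-library parser that splits an HTML body into text outside and inside suspicious inline styles, strips zero-width characters, and shows how a naive brand-string search over the raw source fails where the normalized visible text succeeds. The sample email, the brand list and the list of suspicious style fragments are constructed for this example; `display:hidden` is matched as a fingerprint even though it is not valid CSS.

```python
"""Detect hidden text salting in an HTML email body (added example, not Talos code)."""
import re
from html.parser import HTMLParser

# Invisible code points used to split keywords. Entity forms (&#8203;) are caught
# too, because HTMLParser decodes character references before handle_data.
ZERO_WIDTH = {
    "\u200b": "ZWSP",  # zero-width space
    "\u200c": "ZWNJ",  # zero-width non-joiner
    "\u200d": "ZWJ",   # zero-width joiner
    "\u2060": "WJ",    # word joiner
    "\ufeff": "BOM",   # zero-width no-break space
}

# Inline-style fragments that suppress rendering. "display:hidden" is not valid
# CSS (browsers ignore it; the real value is "none") but the string is still a
# salting fingerprint, so it is flagged as well. Constructed list, not exhaustive.
SUSPICIOUS_STYLE = re.compile(
    r"display\s*:\s*(none|hidden)"
    r"|visibility\s*:\s*hidden"
    r"|(width|height|max-height|font-size|line-height)\s*:\s*0(px|em|%)?(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])",
    re.I,
)
BLOCK_TAGS = {"p", "div", "br", "li", "tr", "td", "th", "table", "h1", "h2", "h3", "h4"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class SaltingParser(HTMLParser):
    """Collect text outside and inside suspicious containers separately."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.clean, self.salted, self.suspicious_styles = [], [], []
        self._depth = 0    # >0 while inside a suspicious subtree
        self._stack = []   # (tag, started_hiding) per open element

    def _emit(self, text):
        (self.salted if self._depth else self.clean).append(text)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self._emit(" ")            # block boundary: keep words from fusing
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hides = bool(SUSPICIOUS_STYLE.search(style))
        if hides:
            self.suspicious_styles.append(style.strip())
            self._depth += 1
        self._stack.append((tag, hides))

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self._emit(" ")
        if tag in VOID_TAGS:
            return
        # Pop back to the matching open tag; tolerates the sloppy nesting common in spam.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                self._depth -= sum(1 for _, h in self._stack[i:] if h)
                del self._stack[i:]
                break

    def handle_data(self, data):
        if any(t in ("script", "style") for t, _ in self._stack):
            return                     # CSS/JS source is not message text
        self._emit(data)


def strip_zero_width(text):
    return "".join(c for c in text if c not in ZERO_WIDTH)


def normalize(parts):
    return re.sub(r"\s+", " ", strip_zero_width("".join(parts))).strip()


def analyze(html, brands):
    """Return salting indicators plus naive vs. normalized brand matches."""
    p = SaltingParser()
    p.feed(html)
    p.close()
    all_text = "".join(p.clean + p.salted)
    zero_width = {name: all_text.count(ch) for ch, name in ZERO_WIDTH.items() if ch in all_text}
    clean_text = normalize(p.clean)
    return {
        "zero_width": zero_width,
        "suspicious_styles": p.suspicious_styles,
        "salted_text": normalize(p.salted),
        "clean_text": clean_text,
        # Raw-source substring search: the check salting is designed to defeat
        "brands_naive": [b for b in brands if b.lower() in html.lower()],
        "brands_normalized": [b for b in brands if b.lower() in clean_text.lower()],
        "suspicious": bool(zero_width or p.suspicious_styles),
    }


# Constructed sample: a brand name split by a literal ZWSP and an entity-encoded
# ZWNJ, French filler hidden with width:0, and filler under the invalid display:hidden.
SAMPLE_EMAIL = (
    "<html><body>"
    "<p>Your <span>Wells\u200b Far&#8204;go</span> account needs verification.</p>"
    "<p style=\"width:0;overflow:hidden\">bonjour merci aujourd'hui</p>"
    "<div style=\"display:hidden\">fromage livre</div>"
    "<p>Click <a href=\"https://example.invalid/verify\">here</a> now.</p>"
    "</body></html>"
)
BRANDS = ["Wells Fargo", "Norton LifeLock"]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL, BRANDS).items():
        print(f"{key}: {value}")
```

Run on the sample, the raw-source search finds no brand while the normalized visible text yields `Wells Fargo`, and the French filler lands in `salted_text` where a language detector would not see it. Running the downstream classifiers on `clean_text` rather than on the raw body is the practical change this illustrates; the style list and zero-width set are starting points a deployment would extend.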
## Mitigation Strategies
- **Advanced Filtering:** Adopt filtering techniques capable of analyzing the structure and rendering properties of HTML emails.
- **CSS Property Flagging:** Configure security tools to flag emails showing suspicious CSS properties related to hiding content.
- **Comprehensive Security Solutions:** Utilize layered, comprehensive email security solutions that look beyond traditional keyword or signature matching.
- **Visual/Layout Analysis:** Compare the text the recipient actually sees (rendered output) with the text present in the raw source; a large difference between the two indicates hidden content.
## Related Tools/Techniques
- HTML Smuggling (Explicitly mentioned as a field where this technique is used to conceal malware in attachments).
- General Obfuscation Techniques (e.g., character encoding substitution, string concatenation).