Full Report
Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos observed an increase in the number of email threats leveraging hidden text salting.
Analysis Summary
# Tool/Technique: Hidden Text Salting (Email Poisoning)
## Overview
Hidden text salting, or "poisoning," is an email-based evasion technique in which threat actors craft malicious emails that bypass email parsers, confuse spam filters, and evade detection engines that rely on keyword matching. The attacker injects content into the HTML source that the recipient never sees (zero-width characters, HTML comments, elements hidden with CSS and HTML features) but that automated systems still read. The machine therefore analyses a different text from the one the human renders: keyword, brand-name and language checks run against the junk, while the visible lure stays intact.
## Technical Details
- Type: Technique
- Platform: Email Clients, Email Gateways (e.g., Microsoft EOP)
- Capabilities: Evading keyword-based detection, confusing brand name extraction, confusing language detection procedures, bypassing HTML smuggling parsers.
- First Seen: Observation noted increased use in the second half of 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Relevant when used in HTML smuggling attachments)
- T1566.002 - Spearphishing Link (Relevant if used to conceal malicious links)
## Functionality
### Core Capabilities
- **Keyword Evasion:** Inserting junk characters (such as ZERO WIDTH SPACE, U+200B, and ZERO WIDTH NON-JOINER, U+200C) between the characters of brand names (e.g., "W_e_l_l_s F_a_r_g_o", with each underscore standing for an invisible character) so that a parser no longer finds the contiguous string it is looking for, while the recipient still reads "Wells Fargo".
- **HTML/CSS Concealment:** Utilizing CSS properties, such as setting `width: 0;` and `overflow: hidden;` on a `div` element, to render content invisible to the recipient while keeping it present in the HTML source.
### Advanced Features
- **Language Confusion:** Keeping the lure text in one language (e.g., English) that the recipient sees, while injecting a large volume of irrelevant text in another language (e.g., French) inside hidden elements (`display: none;` or similar styling). Language detection that runs over the whole source is then skewed toward the hidden language, which is reflected in anti-spam headers (e.g., the `LANG` field of `X-Forefront-Antispam-Report`) and no longer matches the language of the visible content.
- **HTML Smuggling Poisoning:** Inserting irrelevant comments or styled junk content between Base64-encoded segments of a malicious attachment within the HTML body to prevent parsers from easily reconstructing and decoding the attachment payload.
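The following is a constructed demonstration, added to this page and not Talos tooling, of how the tricks above play out against a naive analyser: a keyword match on the raw source, a stop-word language guess over all text, and an attachment carver that expects one contiguous Base64 string. The brand name, the French filler, the `<!-- x -->` separators and the `%PDF` stand-in payload are all assumptions made for the example; the "salted" body is the same lure as the clean one with the salting applied.

```python
"""Constructed demonstration of hidden text salting (example added to this
page; not Talos tooling). The recipient renders a short English notice naming
the brand, while an analyser working from the raw source sees a brand name
broken by zero-width characters, a body dominated by French filler, and a
Base64 attachment split up by HTML comments."""
import base64
import re
from typing import Optional

ZWSP = "\u200b"  # ZERO WIDTH SPACE
ZWNJ = "\u200c"  # ZERO WIDTH NON-JOINER

# Constructed stand-in for a smuggled attachment (not a real payload).
PAYLOAD = b"%PDF-1.7 constructed stand-in for a smuggled file"

FR_STOPWORDS = {"le", "la", "les", "des", "une", "un", "et", "pour", "avec", "dans"}
EN_STOPWORDS = {"the", "your", "dear", "account", "needs", "customer"}


def salt_brand(name: str, filler: str = ZWSP) -> str:
    """Insert a zero-width character between every character of a brand name."""
    return filler.join(name)


def build_email(payload: bytes, salted: bool) -> str:
    """Return a constructed HTML body; salted=True applies the tricks described above."""
    b64 = base64.b64encode(payload).decode()
    if not salted:
        return (f"<html><body><p>Dear customer, your Wells Fargo account needs "
                f"verification.</p><script>var data = \"{b64}\";</script></body></html>")
    # Break the Base64 blob into short runs separated by HTML comments, so a
    # carver that expects one contiguous Base64 string never sees the whole file.
    smuggled = "<!-- x -->".join(b64[i:i + 8] for i in range(0, len(b64), 8))
    # Irrelevant French filler placed in elements the recipient never sees.
    noise = " ".join(["le la les des une un et pour avec dans"] * 20)
    return f"""<html><body>
<p>Dear customer, your {salt_brand('Wells Fargo')} account needs verification.</p>
<div style="width:0;overflow:hidden">{noise}</div>
<div style="display:none">{noise}</div>
<script>var data = "{smuggled}";</script>
</body></html>"""


def naive_has_keyword(html: str, keyword: str) -> bool:
    """Keyword filter that matches against the raw source, zero-width chars included."""
    return keyword.lower() in html.lower()


def naive_language_guess(html: str) -> str:
    """Stop-word counter over all text in the source, hidden elements included."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", re.sub(r"<[^>]+>", " ", html))]
    fr = sum(w in FR_STOPWORDS for w in words)
    en = sum(w in EN_STOPWORDS for w in words)
    return "fr" if fr > en else "en"


def naive_extract_attachment(html: str) -> Optional[bytes]:
    """Attachment carver expecting one contiguous quoted Base64 run of 16+ chars."""
    m = re.search(r'"([A-Za-z0-9+/]{16,}={0,2})"', html)
    return base64.b64decode(m.group(1)) if m else None


if __name__ == "__main__":
    for salted in (False, True):
        html = build_email(PAYLOAD, salted)
        print(f"salted={salted}: brand found={naive_has_keyword(html, 'Wells Fargo')}, "
              f"language={naive_language_guess(html)}, "
              f"attachment recovered={naive_extract_attachment(html) == PAYLOAD}")
```

Run as a script, the clean body is matched, classified as English and its attachment recovered; the salted body fails all three checks even though a recipient sees exactly the same English lure. The analyser is deliberately simple, but it reflects what any text-only pipeline does when it never reconstructs the rendered view.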
## Indicators of Compromise
- File Hashes: N/A (Technique, not a specific file)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on email content manipulation)
- Behavioral Indicators:
  - Excessive use of inline CSS styles (`style` attribute) intended to set element size to zero or hide content (`display: none`, `visibility: hidden`).
  - Presence of zero-width characters (ZWSP, U+200B; ZWNJ, U+200C) in key strings within the HTML source code.
  - Anomalous language markers in email headers (e.g., `X-Forefront-Antispam-Report` header showing a language different from the visible content).
## Associated Threat Actors
- Threat actors leveraging sophisticated phishing and HTML smuggling techniques (No specific groups named in the context, but associated with general email attackers).
## Detection Methods
- Signature-based detection: Difficult due to the highly variable nature of inserted content.
- Behavioral detection: Monitoring for anomalous use of CSS properties (`display` or `visibility`) designed to conceal content. Analyzing HTML source structure for unusual nesting or excessive inline styling compared to known good templates.
- YARA rules: Potential for YARA rules targeting the presence of specific zero-width characters adjacent to common phishing keywords or brand names.
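As an added example of the behavioural detection described above (this is illustrative code for this page, not Cisco's filter), the script below rebuilds the text a recipient actually sees by dropping elements hidden with inline CSS (`display:none`, `visibility:hidden`, a zero-width or zero-height box with `overflow:hidden`, or the `hidden` attribute) and stripping zero-width characters, then reports the indicators listed in this report: zero-width character count, hidden element count, the ratio of hidden to visible text, comment count, and the attachment reassembled after comments are removed from script text. The two sample messages, their French filler and the `%PDF` stand-in payload are constructed inputs; the thresholds in `is_salted` are assumptions to tune against real mail.

```python
"""Constructed detector for hidden text salting (example added to this page,
not Cisco's filter). Rebuilds the rendered text, strips zero-width characters,
and reports the salting indicators; sample inputs are constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def style_hides(style: str) -> bool:
    """True if an inline style keeps the element's text out of the rendered view."""
    s = style.lower()
    if re.search(r"display\s*:\s*none", s) or re.search(r"visibility\s*:\s*hidden", s):
        return True
    zero_box = re.search(r"\b(width|height)\s*:\s*0(px|em|%)?(?![.\d])", s)
    return bool(zero_box and re.search(r"overflow\s*:\s*hidden", s))


class RenderedTextParser(HTMLParser):
    """Splits text into rendered and hidden parts; keeps script/style text aside."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.hidden, self.script = [], [], []
        self.hidden_elements = 0
        self._stack = []          # (tag, hides) for each open element
        self._hidden_depth = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or style_hides(a.get("style") or "")
        if tag in ("script", "style"):
            self._in_script = True
        if tag in VOID_TAGS:       # never closed, so never pushed
            return
        self._stack.append((tag, hides))
        if hides:
            self.hidden_elements += 1
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_script = False
        if tag not in [t for t, _ in self._stack]:
            return                 # stray close tag: ignore
        while self._stack:         # pop up to and including the matching open tag
            t, hides = self._stack.pop()
            if hides:
                self._hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)
        elif self._hidden_depth:
            self.hidden.append(data)
        else:
            self.visible.append(data)


def analyse(html: str) -> dict:
    """Return the salting indicators for one HTML body."""
    p = RenderedTextParser()
    p.feed(html)
    p.close()
    raw_visible = "".join(p.visible)
    zero_width = sum(raw_visible.count(c) for c in ZERO_WIDTH)
    visible = " ".join("".join(c for c in raw_visible if c not in ZERO_WIDTH).split())
    hidden = " ".join("".join(p.hidden).split())
    # Remove comments from script text before carving so a Base64 blob that was
    # split by comments is reassembled; a decode failure means no payload found.
    script = re.sub(r"<!--.*?-->", "", "".join(p.script), flags=re.S)
    m = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", script)
    try:
        payload = base64.b64decode(m.group(), validate=True) if m else None
    except binascii.Error:
        payload = None
    return {
        "visible_text": visible,
        "zero_width_chars": zero_width,
        "hidden_elements": p.hidden_elements,
        "hidden_to_visible_ratio": round(len(hidden) / max(len(visible), 1), 2),
        "comments": len(re.findall(r"<!--.*?-->", html, flags=re.S)),
        "payload": payload,
    }


def is_salted(report: dict) -> bool:
    """Assumed verdict rule: any strong indicator, or hidden text outweighing visible."""
    return (report["zero_width_chars"] > 0 or report["hidden_elements"] > 0
            or report["hidden_to_visible_ratio"] > 1.0)


# Constructed samples: zero-width spaces inside the brand name, French filler in
# two hidden elements, and a stand-in attachment split by HTML comments.
SAMPLE_PAYLOAD = b"%PDF-1.7 constructed stand-in for a smuggled file"
_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
SALTED_HTML = (
    "<html><body><p>Dear customer, your W\u200be\u200bl\u200bl\u200bs\u200b "
    "\u200bF\u200ba\u200br\u200bg\u200bo account needs verification.</p>"
    '<div style="width:0;overflow:hidden">le la les des une un et pour avec dans</div>'
    '<span style="display:none">' + " ".join(["le la les des"] * 30) + "</span>"
    '<script>var data = "' + "<!-- x -->".join(_B64[i:i + 8] for i in range(0, len(_B64), 8))
    + '";</script></body></html>'
)
CLEAN_HTML = "<html><body><p>Dear customer, your statement is ready.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("salted", SALTED_HTML), ("clean", CLEAN_HTML)):
        print(name, is_salted(analyse(body)), analyse(body))
```

The keyword and brand checks of an existing pipeline can then run over `visible_text` instead of the raw source, and the indicator counts feed the behavioural rules above. Nested hidden containers are handled by the depth counter, so text inside a visible child of a hidden parent is still treated as hidden, which matches what the recipient sees.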
## Mitigation Strategies
- **Advanced Filtering:** Investigating and developing filters capable of specifically detecting questionable CSS usage (e.g., `visibility: hidden`, `display: none`) or excessive inline styling in HTML emails.
- **Structural Analysis:** Analyzing the structural integrity and complexity of the HTML source code to identify attempts to hide content via unusual element nesting.
- **Visual Feature Reliance:** Augmenting text-based analysis by incorporating visual characteristics analysis of the rendered email, as suggested by research.
- **AI/ML Defense:** Employing deep learning and NLP models that can analyze content contextually, rather than relying solely on static keywords, and extract content even when obscured or presented in image-only formats (as employed by Cisco Secure Email Threat Defense).
## Related Tools/Techniques
- HTML Smuggling (T1027.006, Obfuscated Files or Information: HTML Smuggling; delivered via T1566.001 when it arrives as a spearphishing attachment)
- Obfuscated Payloads (General concept)
- Use of zero-width characters (A common string manipulation defense evasion technique)