- Security researchers are warning about “hidden text salting” in emails
- Hackers can hide parts of the text to confuse email scanners
- The hidden text helps the email pass the scans and land in the inbox
Hackers are increasingly using “hidden text salting”, or “poisoning” techniques, to work around email security measures and get phishing messages to land in people’s inboxes.
A new in-depth guide published by cybersecurity researchers from Cisco Talos outlines how cybercriminals are abusing HTML and CSS properties in email messages, setting the width of some elements to 0 and using the “display: hidden” feature to hide some content from the victims. They are also inserting zero-width space (ZWSP) and zero-width non-joiner (ZWNJ) characters, ultimately disguising the true email content by embedding irrelevant language.
As a result, email security solutions, spam filters, and brand name extractors get confused, and emails that would otherwise end up in the spam folder make it directly to the inbox.
Advanced filtering
In its writeup, Cisco Talos has given multiple examples, including one in which attackers hid French words in the email’s body. This confused Microsoft’s Exchange Online Protection (EOP) spam filter which ultimately let the message pass.
In another example, Cisco Talos said threat actors were using CSS properties and ZWSP characters to hide email content, successfully mimicking Wells Fargo and Norton LifeLock.
To tackle this strategy, the researchers suggested IT teams adopt advanced filtering techniques that scan the structure of HTML emails rather than just their contents. An email security solution could then look for extreme use of inline styles or CSS properties such as “visibility: hidden”. Deploying AI-powered defenses is also recommended.
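A minimal structural scan of that kind, as an added example that is not from the Cisco Talos writeup or this article: it walks the HTML of a constructed sample message, separates text that CSS hides from text the recipient actually sees, and counts zero-width characters and hiding styles so a filter can score the message on its structure rather than its words.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the article): visible English with salted
# French words hidden by CSS, plus zero-width characters split across words.
SAMPLE_EMAIL = (
    '<p>Your acc\u200bount has been sus\u200cpended</p>'
    '<span style="display:none">bonjour le monde</span>'
    '<span style="visibility: hidden; width:0">merci beaucoup</span>'
    '<p>Please verify now.</p>'
)

ZERO_WIDTH = {'\u200b': 'ZWSP', '\u200c': 'ZWNJ', '\u200d': 'ZWJ', '\ufeff': 'BOM'}
# Inline CSS that removes an element from what the reader sees.
HIDING_CSS = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:[;\s]|$)'
    r'|font-size\s*:\s*0(?:px|pt|em)?(?:[;\s]|$)|width\s*:\s*0(?:px|em)?(?:[;\s]|$)', re.I)
VOID = {'br', 'img', 'hr', 'input', 'meta', 'link'}  # tags with no closing tag

class SaltingScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []  # stack: hides-content flag per open tag
        self.hidden_depth = self.hiding_styles = self.inline_styles = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get('style') or ''
        self.inline_styles += bool(style)
        hides = bool(HIDING_CSS.search(style))
        self.hiding_styles += hides
        self.hidden_depth += hides
        self.stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack and self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self.hidden_depth else self.visible).append(data)

def scan_email(html):
    """Return structural indicators of hidden text salting for one HTML body."""
    s = SaltingScanner()
    s.feed(html)
    s.close()
    all_text = ''.join(s.visible + s.hidden)
    zw = {name: all_text.count(ch) for ch, name in ZERO_WIDTH.items() if ch in all_text}
    return {
        'visible_text': ''.join(ch for ch in ''.join(s.visible) if ch not in ZERO_WIDTH),
        'hidden_text': ' '.join(t.strip() for t in s.hidden if t.strip()),
        'zero_width': zw, 'hiding_styles': s.hiding_styles,
        'inline_styles': s.inline_styles, 'suspicious': bool(zw) or s.hiding_styles > 0,
    }
```

The stripped `visible_text` is what a brand-name extractor or language classifier should be fed, while `hidden_text` and the counters are the signals a filter can weight.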
Email remains one of the top attack vectors, due to its simplicity, omnipresence, and low cost for a large-scale operation. It also owes its popularity to the fact that it attacks the email security chain on its weakest link – the human.