Million Email Phishing Campaign Uses Text Salting  | eSecurity Planet

Million Email Phishing Campaign Uses Text Salting 

Barracuda researchers identified more than one million phishing emails using text salting to manipulate AI-powered email security.

Written By
Ken Underhill
Ken Underhill
Jul 17, 2026
4 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Attackers are repurposing an old spam evasion technique to bypass a new generation of AI-powered email security tools. 

Barracuda researchers say they have identified more than one million retail-themed phishing emails since April that use text salting — a method that hides large amounts of benign content inside messages to manipulate how automated security systems classify them.

“Attackers are hiding harmless-looking text inside phishing emails to make the messages appear safer to security tools,” said Pranati Sethy, Senior Threat Analyst at Barracuda, in an email to eSecurityPlanet.

She explained, “This is a reminder that email defenses need to identify what is hidden and focus on the message the recipient sees.”

Pranati added, “Considering the full context of an email is increasingly important as attackers find new ways to evade content-based detection.”

Key takeaways of Barracuda’s salt text phishing research

  • Barracuda identified more than one million phishing emails using text salting to manipulate AI-powered and traditional email security systems.
  • Text salting hides large amounts of benign text within phishing emails, making malicious messages appear less suspicious to automated detection engines.
  • Attackers combine trusted infrastructure, authenticated domains, hidden HTML content, CSS concealment techniques, and Zero Font to improve phishing email delivery.
  • The visible phishing message remains unchanged for recipients while hidden content alters how some security tools interpret the email.
  • Organizations should deploy layered email security that analyzes rendered content and detects hidden-content evasion rather than relying solely on keyword or AI-based detection.

How text salting attacks work 

Unlike traditional phishing campaigns that target keyword-based spam filters, these attacks are designed to manipulate how AI-powered email security systems interpret content. 

Instead of simply hiding malicious words, attackers inject benign text to influence machine learning and large language model (LLM)-based detection engines into classifying phishing emails as legitimate. 

According to Barracuda’s research, the campaigns begin with attacker-controlled infrastructure hosted on compromised legitimate websites or lookalike domains that are configured with DKIM. 

By using infrastructure that passes authentication checks, attackers improve the chances that their emails will evade initial security screening. 

Advertisement

How the phishing email is constructed 

The phishing emails themselves contain two distinct layers of content. 

Recipients see an urgent retail-themed message claiming that rewards points, loyalty benefits, or gift cards are about to expire and encouraging immediate action. 

Hidden behind that visible message, however, are large blocks of unrelated text containing stories, project notes, conversations, or random words such as puppy, training, book, and rhythm

These benign words dilute the concentration of suspicious terms like reward, expires, and gift card, making the overall email appear less malicious to some automated detection engines while remaining unchanged from the recipient’s perspective.

How the hidden content stays hidden in the emails

To keep hidden content invisible, attackers combine multiple HTML and Cascading Style Sheets (CSS) concealment techniques instead of relying on a single method. 

Researchers observed CSS techniques that crop the viewing area, reduce line height, move text off-screen, and suppress scrollbars to keep hidden content invisible. 

Researchers also identified a technique known as Zero Font, which embeds random hidden words directly inside recognizable phishing phrases while assigning the inserted text a font size of zero. 

For example, the underlying HTML may contain the phrase “Your pass [hidden text] word expired.” 

Because the inserted text is invisible to the user, recipients still read “Your password expired.” 

However, security tools looking for the exact phrase in the HTML source may fail to detect it, allowing the phishing email to evade some signature-based and pattern-matching detection methods.

Barracuda says these campaigns demonstrate why modern email security should analyze the message as users actually see it — not just the underlying HTML or source code. 

Advertisement

Reducing text salting risk 

As phishing techniques continue to evolve, organizations should assume that some malicious emails will eventually bypass traditional defenses. 

Defending against text-salting attacks requires a layered strategy that combines advanced email security, strong identity protections, and well-prepared users. 

  • Deploy layered email security that analyzes rendered content, HTML structure, sender reputation, authentication results, embedded links, and behavioral anomalies rather than relying solely on keyword or AI-based detection.
  • Detect hidden-content evasion by identifying differences between the email users see and the underlying source code, including text-salting and other HTML concealment techniques.
  • Enable time-of-click URL protection or remote browser isolation to help block malicious websites that evade initial email scans.
  • Implement phishing-resistant MFA, such as passkeys or FIDO2 security keys, to reduce the risk of compromised credentials being used for account takeover.
  • Strengthen email authentication with SPF, DKIM, and DMARC while using threat intelligence to block known malicious domains and phishing infrastructure.
  • Provide regular phishing awareness training and make it easy for employees to report suspicious emails.
  • Test incident response plans and use attack simulation tools with scenarios around phishing and email compromise scenarios.

These measures can help organizations reduce overall exposure and build resilience.

Bottom line

Generative AI makes it easier for attackers to produce highly varied hidden text at scale, increasing the use of AI-aware evasion techniques such as text salting. 

As a result, security teams should regularly evaluate whether their email security platforms can detect these techniques rather than relying solely on traditional content analysis. 

With email-based attacks becoming more adept at evading detection, many organizations are reevaluating broader security strategies such as Zero Trust to reduce the impact of successful phishing attempts. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.