Hidden Text Salting Disrupts Brand Name Detection Systems

Summary:
Cisco Talos researchers have released a new report detailing a surge in the number of email phishing threats leveraging “Hidden Text Salting” techniques, which they observed in the second half of 2024. Hidden Text Salting refers to poisoning the HTML source of an email. Cisco Talos observed that threat actors are incorporating this technique into attacks for various purposes, including evading brand name extraction by email parsers, confusing language detection spam filters that rely on keywords, and evading spam filters and detection engines during HTML smuggling.

Threat actors employ Hidden Text Salting by using features of HTML and CSS to insert comments and irrelevant content that is not visible to the victim when the email is rendered in an email client. Because parsers and detection engines still see this content, it helps the email slip past brand name extraction, and impersonating multiple well-known brands makes the phishing attempts more effective. In an example email impersonating Wells Fargo, Talos observed that the adversary uses the “<style>” tag to set the display property to inline-block, allowing them to set the block’s width to zero and set the overflow property to hidden, which prevents content outside the element box from appearing in the email client. Threat actors have also inserted Zero-Width Space (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of well-known brand names to evade detection. Additionally, adversaries have used Hidden Text Salting techniques to confuse language detection procedures and to bypass detection engines when performing HTML smuggling.

Security Officer Comments:
This latest report from Cisco Talos highlights the substantial increase in the frequency of attacks leveraging this uncomplicated yet effective tactic. The tactic presents significant challenges because of the numerous ways an adversary can insert hidden gibberish content into emails to defeat brand name extraction. A brand name extraction solution can also lull employees into a false sense of security if they rely on it alone. Activity like this is particularly dangerous because the tactic is uncomplicated to implement at scale.

Suggested Corrections:
Recommendations from Cisco Talos:

Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

Advanced filtering techniques: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., "visibility: hidden") and display (e.g., "display: none") that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.
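The following is an added example (not Cisco Talos code) of the filtering idea above: it parses an HTML email body with Python's standard-library HTML parser, separates the text a victim would see from text hidden by display: none, visibility: hidden, or the width-zero-plus-overflow-hidden trick described in the Wells Fargo example, and counts ZWSP/ZWNJ characters so the brand name can be recovered before extraction. The sample message, class name and thresholds are constructed for illustration.

```python
import re
from html.parser import HTMLParser
ZERO_WIDTH = "\u200b\u200c"    # ZWSP and ZWNJ, the characters named in the report
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}   # elements that never get an end tag
CLASS_RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")      # simple .class { ... } rules in <style>

def style_hides(css):
    """True if a CSS declaration block keeps the element's text off screen."""
    css = css.lower()
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", css):
        return True
    zero_width = re.search(r"(?<![\w-])width\s*:\s*0(?:px|em|%)?\s*(?:;|$)", css)  # Wells Fargo trick, not max-width
    return bool(zero_width and re.search(r"overflow\s*:\s*hidden", css))

class SaltingParser(HTMLParser):  # splits rendered text from CSS-hidden text
    def __init__(self):
        super().__init__()
        self.hidden_classes, self.stack, self.visible, self.hidden, self.in_style = set(), [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = self.in_style or tag == "style"
        if tag in VOID_TAGS:
            return
        classes = (a.get("class") or "").split()
        hides = style_hides(a.get("style") or "") or any(c in self.hidden_classes for c in classes)
        self.stack.append(hides or (bool(self.stack) and self.stack[-1]))  # a hidden parent hides its children
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if self.in_style:   # CSS is never rendered; mine it for classes that hide content
            self.hidden_classes.update(n for n, body in CLASS_RULE.findall(data) if style_hides(body))
        elif self.stack and self.stack[-1]:
            self.hidden.append(data)
        else:
            self.visible.append(data)

def analyze(html):  # what the victim sees, what a naive text extractor also sees, and the indicators
    p = SaltingParser(); p.feed(html); p.close()
    visible = "".join(p.visible)
    zw = sum(visible.count(c) for c in ZERO_WIDTH)
    cleaned = re.sub(r"\s+", " ", visible.translate({ord(c): None for c in ZERO_WIDTH})).strip()
    hidden = re.sub(r"\s+", " ", " ".join(p.hidden)).strip()
    return {"visible_text": cleaned, "hidden_text": hidden, "zero_width_chars": zw, "salted": bool(hidden) or zw > 0}

# Constructed sample modelled on the report's techniques (not a real phishing email).
SAMPLE = ('<html><head><style>.pad{display:inline-block;width:0;overflow:hidden}</style></head>'
          '<body><p>Dear customer, <span class="pad">lorem ipsum dolor</span>your We&#8203;lls '
          'Far&#8204;go account needs <span style="display:none">sit amet</span>verification.</p></body></html>')
```

Running analyze(SAMPLE) yields the cleaned visible text "Dear customer, your Wells Fargo account needs verification.", the salt "lorem ipsum dolor sit amet", and two zero-width characters; brand matching should run on the cleaned visible text, while a non-empty hidden_text or non-zero count is itself a useful filter signal.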

Relying on visual features: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

Link(s):
https://www.infosecurity-magazine.com/news/hidden-text-salting-disrupts-brand/

https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text-salting/