
In spite of the many defences enterprise email platforms deploy, threat actors continue to evolve their tactics, and even basic techniques can be made dangerous again. One such trending technique, which has made spam emails dangerous once more, is the email salting attack: the insertion of hidden or obfuscated text into emails, usually invisible to the human recipient, to evade spam filters, bypass parsers and defeat security systems that rely on keyword-based detection.
An email salting attack adds “noise” to an email’s content: random characters, inconsequential paragraphs, hidden comments or zero-width characters that remain unseen by the reader but confuse automated analysis tools. In doing so, attackers increase the likelihood that a malicious email reaches the target’s inbox rather than being quarantined.
In the context of email security, a salting attack is a deliberate manipulation of message structure using the features of HTML and Cascading Style Sheets (CSS), designed to insert hidden text or irrelevant content that is not visible to the user, yet is read (or at least analysed) by the underlying filtering systems.
As a refresher, CSS allows developers to separate content from presentation and define how HTML or XML documents appear on a device. Attackers leverage this by embedding content in emails in ways that render as harmless or invisible (for example, font-size: 0, display: none or visibility: hidden), or by inserting zero-width or invisible Unicode characters between visible words, thereby disrupting keyword-based filters.
In these attacks, adversaries typically seek to:
Although the term “salting” is traditionally used in cryptography to describe the addition of random data to a password before hashing, so that identical passwords do not yield identical, reusable hashes, email salting attacks turn that concept on its head: instead of reinforcing security, they undermine it by adding deceptive content to email messages.
Threat actors employ several distinct methods under the umbrella of email salting. Understanding these is critical to determining the appropriate cybersecurity services and solutions to defend effectively.
1. Header salting
Emails may include manipulated header fields, such as the ‘Reply-to’ or ‘Return-path’ that contain redundant or misleading information. By modifying email headers, attackers aim to confuse detection systems and make a message appear more legitimate.
2. Hidden text salting
This is the most widely observed method: inserting hidden or obfuscated text into the email body, pre-header, attachments or HTML source. Tactics include:
3. Unicode homoglyph attacks
Here, attackers replace characters in words with visually similar characters that have different code points. For example, an attacker might replace “m” with “rn” (‘r’ and ‘n’) or alter letters in brand names. This allows the email to appear normal to a human while evading keyword-based detection.
4. Bayesian poisoning
This involves inserting benign or irrelevant words into malicious content so that Bayesian spam filters, which calculate the probability of spam based on word frequencies, are misled into classifying the message as benign.
The use of salting is not just a nuisance, as it alters the landscape of email threat detection in a few critical ways.
For companies conducting regular assessments of their attack surface through services like vulnerability testing in Singapore, recognising the potential for email salting attacks is increasingly essential.
Countering email salting attacks requires a multilayered approach that combines policy, technology and user awareness. Here are the key strategies:
1. HTML sanitisation at ingestion
One effective measure is to sanitise incoming emails at the ingestion point: strip or neutralise invisible or arbitrary content (such as CSS rules hiding text or zero-width characters) before it reaches downstream analysis engines.
2. Advanced filtering mechanisms
Deploy email gateways or proxy filters that specifically target hidden or styled-invisible content. For example, rules can be established to flag or quarantine messages that contain CSS properties like display: none, visibility: hidden, or opacity: 0, or excessive zero-width characters. Additionally, visual-analysis features may inspect rendered output for discrepancies between visible content and underlying markup.
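An added example (not code from the article or from Group8) that combines the sanitisation and filtering measures above: it separates the text a recipient would see from text hidden by inline CSS, HTML comments and zero-width characters, and returns the indicators a gateway rule can score. The sample message, the list of hiding CSS properties and the thresholds (zw_limit, ratio_limit) are constructed assumptions, and the depth tracking assumes reasonably well-formed HTML.

```python
import re
from html.parser import HTMLParser
# Constructed sample (not from the article): the rendered text reads like a routine notice,
# but zero-width characters split the keywords and filler is hidden by CSS and a comment.
SAMPLE_HTML = (
    "<html><body><p>Your inv\u200boice is ready, ple\u200base re\u200bview it.</p>"
    "<div style='display: none'>quarterly picnic newsletter weather recipes</div>"
    "<span style=\"font-size: 0px; color: #fff\">team update minutes</span>"
    "<!-- board meeting agenda --><p>Regards</p></body></html>"
)

ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
HIDING_RULES = [re.compile(p) for p in (r"display\s*:\s*none", r"visibility\s*:\s*hidden",
    r"opacity\s*:\s*0(?![.\d])", r"font-size\s*:\s*0(?:px|pt|em|rem|%)?(?![.\d])")]
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr", "area", "base", "col"}

class SaltStripper(HTMLParser):
    """Separates text a recipient sees from text that only a parser would read."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.depth, self.hidden_elements = [], [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:          # void tags never close, so keep them out of depth
            return
        style = (dict(attrs).get("style") or "").lower()
        hidden_here = any(r.search(style) for r in HIDING_RULES)
        if self.depth == 0 and hidden_here:
            self.hidden_elements += 1
        if self.depth or hidden_here:  # everything nested in a hidden element stays hidden
            self.depth += 1
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        (self.hidden if self.depth else self.visible).append(data)
    def handle_comment(self, data):
        self.hidden.append(data)      # comments are never rendered

def analyse(html, zw_limit=2, ratio_limit=0.5):
    """Sanitised visible text plus salting indicators; 'salted' is the quarantine verdict."""
    p = SaltStripper()
    p.feed(html)
    p.close()
    visible = " ".join(ZERO_WIDTH.sub("", " ".join(p.visible)).split())
    hidden = " ".join(" ".join(p.hidden).split())
    zw = len(ZERO_WIDTH.findall(html))
    ratio = round(len(hidden) / max(len(visible), 1), 2)
    return {"visible_text": visible, "hidden_text": hidden, "zero_width_chars": zw,
            "hidden_elements": p.hidden_elements, "hidden_ratio": ratio,
            "salted": p.hidden_elements > 0 or zw > zw_limit or ratio > ratio_limit}
```

In a gateway this would run on the decoded text/html part of each message, with the keyword or Bayesian classifier applied to visible_text rather than to the raw body, so the hidden filler cannot skew the verdict.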
3. AI-driven/behavioural detection
Investing in next-generation email security platforms that leverage machine learning, natural language processing and behavioural modelling helps to detect anomalies not just in words, but in structure, intent and context. For instance, solutions may flag when the visible message and the underlying HTML diverge significantly, or when header fields display incongruous metadata. These advanced approaches complement traditional defences.
4. Education and awareness
Users remain a critical line of defence. Training staff to be wary of emails that look legitimate but feel “off” (for example, where links or attachments are unexpected) is essential. Pair this with regular phishing simulations and policy controls to restrict the exposure of sensitive data via email. Organisations that engage in managed cybersecurity services are better placed to integrate such awareness programmes into their broader risk-management frameworks.
Email salting attacks are an evolving threat that warrants sufficient attention lest a malicious email eventually reach one of the inboxes in your organisation and wreak havoc. The technique’s effectiveness highlights the need for businesses to move beyond traditional filters and adopt holistic strategies that scrutinise both content and structure. By implementing the recommended preventive measures above, one can stay ahead of the increasingly sophisticated techniques adversaries deploy through their email-based attacks.
The cyberthreat landscape is constantly evolving, but with Group8 by your side, your defences never stand still. Our offensive-inspired experts deliver adaptive cybersecurity solutions that anticipate and counter tomorrow’s threats today. From initial assessments to long-term resilience planning, we help you stay securely one step ahead. Partner with us today by sending us an email at hello@group8.co