More than one million retail‑themed phishing attacks using "text salting" have been detected since April, according to cybersecurity firm Barracuda.
Barracuda’s detection: scale and scope
Barracuda said on Thursday that it had detected in excess of one million retail‑themed phishing emails employing text salting since April. The company framed the technique as an old method being repurposed to target modern, AI‑driven email security tools; the approach has been used against traditional secure email gateways for years, Barracuda noted.
How text salting works: three practical techniques
Text salting hides benign‑looking words inside a malicious message so automated scanners see less suspicious content than a human would. Barracuda outlined three common variations attackers use to keep the added words hidden from human readers while visible to machines:
- CSS cropping — setting the visible window small enough that a human won’t see the filler text;
- Text manipulation — moving the salty copy outside the visible screen so it is present in the message source but not in the rendered view;
- Zero font techniques — inserting misleading words between suspicious phishing copy that’s visible to a machine but not to a human.
In each case, the visible email reads the way the attacker intends, while the machine sees the salted, less‑malicious‑looking content and may pass the message to its recipient.
Why LLM‑based filters are getting confused
Barracuda argued that modern large language model (LLM)‑based engines and other AI content analysis systems can be misled by this stuffing of random terms. "Text salting and related techniques can be used to confuse AI‑driven content analysis engines by flooding the email with random terms that encourage the AI system into making an incorrect classification decision," the company wrote in its report. The company added that "LLMs ... are typically designed to process email text and source code plainly, with no understanding of whether text is visible or hidden from a user," and that while they can be trained to account for visibility, "most tools probably aren’t doing that by default."
Where current email security has adapted — and where it hasn’t
Barracuda observed that newer, non‑AI tools have largely adapted to old salting tricks: many modern email security systems remove hidden text to reveal what a reader is supposed to see and raise alarms when a large amount of hidden content appears. By contrast, Barracuda said, AI‑driven systems have not broadly matched that capability, creating a window attackers are exploiting. The practical result is that a human recipient may see a convincing phishing message that bypassed automated checks only because the machine‑visible text looked innocuous.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams — Barracuda recommended adopting a layered approach to email protection rather than relying solely on keyword‑based or AI‑only filters. The company specifically advised checks of sender reputation, authentication results, embedded URLs, HTML rendering techniques, and differences between user‑visible and hidden content.
- Procurement and acquisition leaders — the gap Barracuda describes underscores the need to evaluate email security products not just on AI capabilities but on how they handle rendered versus underlying content, and on the availability of features that strip or flag hidden text and suspicious HTML rendering tricks.
- End users — the visible experience of a salted email will usually be the one the attacker intends; that means ordinary caution when interacting with retail‑themed or other suspicious messages remains essential because human judgment is often the last line of defense when automated filters are fooled.
Barracuda’s findings underline a straightforward point: an old technique — text salting — still works when defensive tooling treats message text and rendered content as identical. The company’s prescription is equally pragmatic: don’t depend on a single AI classifier. Check reputation and authentication, inspect embedded links, and compare rendered content to underlying HTML. As the Register put it, "Ditching that AI spam filter might not be a bad idea, either." Whether defenders will accept that trade‑off or press vendors to harden AI systems against visibility‑based evasion remains the question left by Barracuda’s tally of more than a million salted phishing attempts.




