Barracuda says text salting is slipping past AI email filters
Barracuda says it has found more than 1 million retail-themed phishing attacks since April using hidden benign text to mislead AI security tools.
By Renata Fuchs · Policy Reporter
· 3 min read
Barracuda says attackers are using text salting, an old email-filter evasion method, to get phishing messages past AI-powered security systems. The security vendor said Thursday it has detected more than 1 million retail-themed phishing attacks using the technique since April, a volume that matters for enterprise buyers weighing how much of their email defense should be handed to machine-learning and LLM-based tools.
The method is not new. Text salting has been used for years against secure email gateways, according to Barracuda. The current issue, the company says, is that some AI-driven content analysis engines can be thrown off by the same trick: adding harmless-looking, unrelated words to a malicious message so a scanning system classifies it as lower risk.
The attacker’s problem is that random visible filler text would also alert the recipient. Barracuda said campaigns commonly hide the added text from human readers while leaving it available to automated systems parsing the message.
How the evasion works
Barracuda identified three common approaches. CSS cropping can restrict the visible area so the recipient does not see the extra words. Text manipulation can move the filler outside the visible part of the screen. Zero-font techniques can place misleading words between suspicious phishing text in a way that a machine can read but a user cannot.
The practical result, according to Barracuda, is a mismatch between what the scanner evaluates and what the employee sees. To the security engine, the email can appear diluted with benign terms or disordered text. To the human recipient, it presents as the attacker intended.
That gap is awkward for the AI security pitch. Barracuda said modern email security tools have often adapted to older versions of this tactic by stripping hidden content, comparing visible and hidden text, or flagging messages that contain a large amount of concealed material. The company argues that AI systems have not consistently caught up.
Barracuda said LLMs typically process message text and source code without automatically understanding whether a piece of text is visible to the user. The company said such systems can be trained to account for that distinction, which implies that deployments lacking that training may be exposed to an avoidable class of evasion. Barracuda did not say how many of the attacks it detected reached employee inboxes or which AI email security products were affected.
What enterprises should check
Barracuda’s recommendation is predictable but relevant: do not rely on keyword detection or AI content classification alone. The company said organizations should use layered checks that include sender reputation, authentication results, embedded links, HTML rendering behavior, and differences between hidden and user-visible content.
For security teams, the finding is less about a novel attack and more about procurement discipline. AI email tools are being sold into a market that already has decades of adversarial behavior baked in. If a filter evaluates content without rendering what the recipient will actually see, attackers can exploit that difference with techniques that predate the current AI cycle.
This story draws on original reporting from The Register.