AI Email Filters Vulnerable to Text Salting Attacks, Barracuda Reports
Key Takeaways
- ▸Over 1 million retail-themed phishing attacks using text salting detected since April
- ▸AI/LLM-based email filters lack understanding of visible vs. hidden text, exposing them to decades-old attack techniques
- ▸Traditional email security tools have adapted to text salting defenses, but AI systems have largely not
Summary
Cybersecurity firm Barracuda has discovered that AI and LLM-powered email security filters are vulnerable to 'text salting'—a decades-old spam and phishing technique that hides malicious content from automated scanners. The company detected over one million retail-themed phishing attacks using text salting since April, demonstrating that the technique remains effective even against modern AI-based defenses.
Text salting works by peppering emails with random, benign-seeming words to confuse AI content analysis engines, while using CSS cropping, text manipulation, or zero-font techniques to hide the filler text from human readers. Traditional email security gateways have largely adapted to these tricks by removing hidden text and flagging emails with suspicious hidden content, but LLM-based systems have failed to follow suit.
Barracuda explains that LLMs are typically designed to process email text plainly without understanding whether text is visible or hidden from users. While they can be trained to do so, most tools likely aren't doing this by default. The security firm recommends a layered approach to email security rather than relying solely on AI keyword detection, including sender reputation checks, authentication verification, URL analysis, and detection of differences between visible and hidden content.
- Barracuda recommends layered email security combining multiple verification methods rather than relying on AI keyword detection alone
Editorial Opinion
This research reveals an uncomfortable truth: AI systems, for all their sophistication, can be fooled by tricks that defeated older email filters over a decade ago. The vulnerability highlights a critical blind spot in LLM design—these models process text without semantic understanding of presentation and visibility, a gap that traditional security tools have long since closed. Organizations deploying AI-powered security should not assume that modern technology eliminates the need for layered defenses; in fact, this finding underscores that effective security requires explicit design for specific threats, not just general language understanding.


