Too salty to handle: Exposing cases of CSS abuse for hidden text salting blog.talosintelligence.com/too-salty…

Cisco Talos has been closely monitoring the abuse of cascading style sheets (CSS) properties to include irrelevant content (or salt) in different parts of messages, a technique known as hidden text salting. This blog is a follow-up to our previous reports in January and March 2025 on CSS abuse in emails and shares highlights from a talk given at Blue Team Con 2025.

Talos explores why hidden text salting is used, where it typically appears in emails, the types of content and techniques involved, how common content concealment (including hidden text salting) is in both spam and legitimate messages, and the impact that hidden text salting has on email security solutions.

There is widespread use of hidden text salting in malicious emails to bypass detection. Attackers embed hidden salt in the preheader, header, attachments and body — using characters, paragraphs and comments — by manipulating text, visibility and sizing properties. Talos has observed that hidden content is far more often found in spam and other email threats than in legitimate emails, posing a substantial challenge to both basic and advanced email defense solutions that leverage machine learning.