1M+ Emails Use Hidden Text to Dupe AI Security Filters
Cybercriminals are using 'text salting' to bypass AI-driven email security filters, exposing a critical vulnerability in Large Language Models.

This article is original editorial commentary written with AI assistance, based on publicly available reporting by Dark Reading. It is reviewed for accuracy and clarity before publication. See the original source linked below.
The recent discovery that over one million emails have successfully bypassed sophisticated security filters using "text salting" marks a significant escalation in the ongoing arms race between cybercriminals and defensive artificial intelligence. This technique involves embedding invisible or camouflaged text—often random strings of characters or legitimate-looking prose—within malicious emails to dilute the "toxicity" of the content. By manipulating the statistical distribution of words, attackers are effectively tricking Large Language Models (LLMs) into classifying phishing attempts and malware delivery vehicles as benign correspondence. This surge in volume suggests that the vulnerability of AI to simple semantic manipulation is no longer a theoretical risk but a massive, exploited reality.
The concept of obfuscation is not new to the cybersecurity landscape. For decades, attackers have used "leet-speak," image-based text, and zero-width characters to evade keyword-based scanners. However, the shift toward AI-based security was supposed to render these tactics obsolete. Unlike traditional filters that look for specific blacklisted terms like "password reset" or "wire transfer," LLMs are designed to understand context and intent. The industry’s heavy reliance on these models led to a sense of security, assuming that the deep learning capabilities of neural networks would see through superficial changes. Instead, text salting exploits the inherent mathematical nature of how LLMs process data, highlighting a "blind spot" in the very technology meant to be our primary shield.
Mechanically, text salting operates on the principle of signal-to-noise ratios. An LLM calculates the probability that a message is malicious based on the presence and proximity of suspicious tokens. When an attacker injects a large volume of "neutral" or "highly positive" hidden text—often using white fonts on white backgrounds or microscopic font sizes—the model’s classification engine is overwhelmed. The "salt" lowers the cumulative suspicion score of the email below the threshold required to trigger a quarantine. Because the hidden text is invisible to the human recipient, the user only sees the clear call-to-action of the phishing lure, while the AI sees a harmless, albeit long-winded, block of gibberish.
The implications for the cybersecurity industry are profound. As organizations have rushed to integrate AI into their Security Operations Centers (SOCs), they have inadvertently created a single point of failure. If the underlying model can be easily confused by a few hundred characters of invisible text, the entire defensive perimeter is compromised. This revelation may force a "back-to-basics" approach where AI is not the sole arbiter of security but a component in a multi-layered defense. Furthermore, this trend suggests that the democratizing power of AI is benefiting the "dark side" just as much as the "light," as generative tools can now be used to create the very "salt" that hides the poison.
From a market perspective, this development casts a shadow over the "AI-first" marketing strategies of major security vendors. Customers pay premium prices for AI-enabled protection under the guise that it is smarter than the average spam filter. If a million-plus emails can penetrate these defenses using a technique as rudimentary as hidden text, the value proposition of these high-cost tools becomes harder to justify. Regulatory bodies and insurance providers may also take note, potentially requiring more rigorous testing or "adversarial scrubbing" before AI security products are deemed compliant or insurable.
Looking forward, the industry must pivot toward adversarial training and more robust pre-processing techniques. Security teams will need to implement filters specifically designed to detect and strip hidden formatting before the content ever reaches the LLM for analysis. We should also expect to see a rise in "multimodal" detection, where the system analyzes how an email is rendered visually versus how it is structured in the code—a shift from checking what a message says to checking how it is built. As the "text salting" pandemic continues to spread, the focus will move from the intelligence of the AI to the resilience of the pipeline that feeds it.
Why it matters
- 01Text salting exploits the mathematical probability metrics of LLMs by diluting malicious content with hidden, benign words to bypass security scores.
- 02The failure of AI filters against simple hidden-text tactics highlights a critical over-reliance on deep learning models that lack common-sense verification.
- 03The cybersecurity industry must now evolve toward 'adversarial scrubbing' and multi-layered detection to identify discrepancies between code-level and visual-level content.