Hidden Text Trick Lets 1M+ Phishing Emails Evade AI Filters
More than one million phishing emails have exploited a technique known as "text salting" to slip past enterprise AI-powered security filters and land directly in employee inboxes. Researchers analyzing large-scale email flows found that adversaries are embedding invisible or zero-font characters, white text on white backgrounds, and Unicode steganography inside message bodies. These payloads are unreadable to human recipients but are enough to confuse large language model (LLM)-based classifiers that increasingly gate corporate email gateways.
The technique undermines a core assumption behind modern email defense: that natural language processing and transformer-based detectors can reliably distinguish malicious from legitimate content. By poisoning the semantic input with hidden tokens, attackers effectively force the AI model to misclassify the message as benign, allowing credential harvesting pages, malicious attachments, and impersonation lures to reach targets. Industry analyses show that even leading natural language classifiers degrade sharply when hidden text shifts the token distribution away from typical phishing language patterns.
Security teams relying solely on AI-driven filtering are being urged to layer their defenses with traditional signature matching, DMARC enforcement, and human-in-the-loop analysis. Employees should also be encouraged to verify suspicious senders independently and run any unfamiliar address through an email breach checker to confirm whether the contact has appeared in known credential dumps. A complementary browser fingerprint test can help analysts trace the infrastructure behind phishing landing pages and correlate it with active campaigns.
The findings highlight a broader truth about LLM security: AI models are only as robust as the input they receive, and adversarial prompts are no longer confined to chatbots. Organizations should treat email-borne prompt injection as a first-class threat, run routine privacy checkups across their attack surface, and revisit incident response playbooks to account for evasion techniques that traditional detection stacks were never designed to catch.