Researchers Document "Text Salting" — Hidden-Text Technique Reportedly Bypasses AI-Based Email Security Filters at Scale
A scale-significant AI-filter-bypass research beat — defender review for AI-heavy email-security stacks this week.
A research-disclosure story about scale, not a new exploit: what the reporting says, what defenders running AI-heavy email stacks should review, and what remains unconfirmed.
SAN FRANCISCO, CALIF. — Researchers on July 16, 2026 documented a hidden-text technique referred to as "text salting" that has reportedly been observed in more than 1 million phishing emails, where it is used to slip malicious messages past AI-based email security filters. As reported by Dark Reading, the technique buries innocuous filler text inside the machine-readable code of an email so that automated content-analysis engines see something benign while the human recipient sees the phishing lure — an old spam-filter evasion trick that the reporting says is working better now than ever. The 1M+ figure, not any single new capability, is what makes the finding notable: it lands as a scale disclosure rather than a report of a previously unseen exploit.
The framing that matters for defenders is asymmetry. According to the reporting, the same large language models that many organizations now rely on to classify email content are, on the other side, helping attackers generate and vary salted text at speed — while the AI-based filters meant to catch it reportedly are not keeping pace. That gap is the story: a scale-significant reminder that an AI content engine is one signal among many, not a standalone verdict on whether a message is safe.
What Dark Reading Reported
According to Dark Reading, researchers at Barracuda Networks have observed more than 1 million retail-themed phishing emails since April that use hidden text — a technique the reporting refers to as "text salting" — to make low-effort social-engineering messages appear legitimate to automated security filters. The emails lean on familiar lures: promises of rewards, points, and gift cards, paired with urgency to prompt a click on a malicious link. Outwardly they are not especially polished, which makes the central question the reporting poses sharper — if the messages are obvious junk to a human, how are they reaching inboxes at all?
The answer, as described in the reporting, lies in the gap between what a person sees and what a secure email gateway sees. Gateways do not read the rendered, visual presentation of a message; they parse the machine-readable data underneath it. Text salting exploits that split. Attackers pepper spammy content with inoffensive filler — benign words and long passages of unremarkable text — to dilute the signals a filter keys on, then hide that filler from human view using HTML and CSS tricks such as zero-size fonts or off-screen text. The recipient never sees the noise; the filter sees mostly noise.
The reporting frames the AI angle as an asymmetry. Barracuda's Peterson Gutierrez, quoted by Dark Reading, said that a technique "many people associate with older spam-filter evasion can also influence modern AI-based detection," and that the trick "appears simple, but its continued and growing use shows it remains effective." The same account notes that large language models let attackers produce and vary salted text faster than before, while AI-based content engines reportedly perform poorly against it. The CyberSignal is treating this as a research-disclosure story about scale, and is deliberately not reconstructing the hidden-text technique or providing a recipe for how the filler is concealed.
Defender Posture for AI-Based Email-Filter Deployments
The practical takeaway does not require reproducing the technique. It rests on a posture: an AI-based email security filter is one detection layer, not a complete control, and organizations that have leaned heavily on AI content classification should review whether anything sits behind it. The reporting's own remedy, attributed to Gutierrez, is contextual rather than keyword-based — evaluating "the full context of the message, including the relationship between the visible content, hidden or excessive text, links, sender behavior, and the action the email is trying to prompt." That is a defensible north star: detection that reasons about the whole message beats detection that scores isolated phrases, precisely because salting is designed to poison the phrase-level view.
Concretely, defender review this week should confirm a few things. First, that layered controls remain in place around the AI filter — authentication checks, link and attachment analysis, sender-reputation and behavioral signals, and user-reporting paths — so that a single evasion of the content engine is not a single point of failure. Second, that detection considers the divergence between visible and hidden or excessive text as a signal in its own right, since a large volume of concealed filler is itself anomalous. Third, that the human layer is reinforced: because salted phishing still has to present a convincing lure to the reader, security-awareness training and fast, low-friction reporting remain load-bearing when the automated layer is fooled.
This is the same layered-defense logic The CyberSignal has applied to other email-borne threats, including the resurgence of the Tycoon2FA phishing kit's device-code variant against Microsoft 365 and the broader pattern of ClickFix-style social engineering delivering infostealers. In each case the constant is that no single filter is a guarantee, and the defensive value comes from stacking independent checks so that evasion of one is caught by another.
The AI-Security Research Context
The text-salting finding sits inside a widening body of research on how AI cuts both ways in email and content security. On the attacker side, large language models lower the cost of generating and mutating evasive text, a dynamic The CyberSignal has tracked in reporting on AI-developed exploit tooling and 2FA-bypass phishing at mass-exploitation scale and in the wider explainer on how AI is used in cyberattacks. On the defender side, vendors are pushing AI into detection pipelines, as covered in Google's AI threat-defense launch spanning Gemini, Wiz, and CodeMender.
The salting disclosure is a useful corrective to any assumption that AI-based classification is inherently harder to fool than the rule-based filtering it augments. Research such as Sophos's work on AI-orchestrated EDR-evasion malware has already shown that AI can be turned toward evasion as readily as toward detection. Text salting is that same asymmetry expressed in the inbox: an old trick, now cheaper to mass-produce and, per the reporting, still effective against the newer engines meant to stop it. The defensive lesson is not that AI filtering is useless, but that it must be treated as a fallible layer whose failure modes are actively researched by both sides.
Cross-Reference the AI-Agent Supply-Chain Thread
There is an adjacent question worth flagging without overstating it: whether hidden-text manipulation of what an AI system reads connects to the prompt-injection research The CyberSignal has covered, where attackers steer AI behavior through content the model consumes rather than through its operators. That thread runs through reporting on prompt injection against Google's Gemini voice assistant via notifications and on data-exfiltration prompt injection that prompted a ChatGPT lockdown mode.
The conceptual overlap is real — both text salting and prompt injection turn an AI system's own reading of hidden or embedded content against the outcome its operator intended. But the reporting on text salting does not claim it is prompt injection, and The CyberSignal is not asserting that equivalence. Salting, as documented, is content-dilution evasion aimed at classifiers, not instruction-injection aimed at a model's behavior. Whether the two research streams formally converge is an open question the current reporting does not resolve, and readers should treat the connection as thematic rather than established.
Open Questions
Several specifics are not confirmed at the time of publication, and The CyberSignal is flagging them rather than filling them in. While the reporting attributes the research to Barracuda Networks and quotes a named executive, the wider set of researchers behind the analysis and the full methodology are not independently established here. The reporting does not name the specific AI-based email-security vendors or products whose filters were bypassed, so this article does not identify affected email-security providers. Nor does it name specific victim organizations; the 1M+ figure is a count of observed phishing emails, not a tally of confirmed compromises.
The scale claim itself warrants a note on how to read it. More than 1 million phishing emails observed since April is a measure of activity volume within one research vantage point, not a measure of how many reached inboxes, how many were clicked, or how many led to a breach. It signals that the technique is in broad, sustained use — which is the point — but it should not be read as an incident count.
The most consequential open item is remediation. Whether AI-based email-security vendors have adjusted their engines to weigh hidden-versus-visible-text divergence and full-message context, and how quickly attackers layer additional salting techniques in response, will determine how durable this exposure is. As with any research-disclosure story, the specifics may evolve as more detail emerges, but the defensive guidance here does not depend on them: it rests on the well-established principle that a single content filter, AI-based or not, is a layer to be backed up rather than a verdict to be trusted on its own.
The CyberSignal Analysis
The reported facts above are the researchers', as relayed by Dark Reading; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts, and none reconstruct the hidden-text technique.
Signal 01 — Treat AI-Based Filtering as a Layer, Not a Verdict
The most durable lesson in this disclosure is architectural, not technical. Text salting works because a content classifier — rule-based or AI-based — can be fed a message engineered to read as benign while presenting as malicious to a human. Our reading is that organizations should formally classify AI-based email filtering as one probabilistic signal within a layered pipeline, never as the single gate that decides delivery. The scale figure is the argument: a technique observed across more than 1 million emails is, by definition, one that is routinely clearing whatever single control stands in its way.
That reframing is cheap and independent of the specific trick. It does not require knowing how filler text is hidden; it requires only a policy and pipeline in which authentication, link analysis, sender behavior, and user reporting each contribute, so that fooling the content engine does not equal delivery-and-click. Teams that already run defense in depth will treat this disclosure as confirmation of an existing posture rather than a fire drill.
Signal 02 — Contextual Detection Is the Direction of Travel
The reporting's own remedy points where email security is heading: away from scoring isolated keywords and toward reasoning about the whole message. Salting is a direct attack on phrase-level detection, so the counter is detection that weighs the relationship between visible content, hidden or excessive text, links, sender behavior, and the action the message solicits. Our assessment is that the divergence between what a filter parses and what a human renders should itself be a first-class signal — a large volume of concealed or off-screen text is anomalous regardless of what that text says.
For security-operations and email-platform teams, the actionable interpretation is to ask vendors and internal tooling a concrete question: does the detection stack consider hidden-versus-visible-text divergence and full-message context, or does it still lean on keyword and phrase scoring that salting is purpose-built to defeat? Where the answer is the latter, the marginal defensive effort is in adding contextual and behavioral signals around the existing filter rather than swapping one keyword engine for another.
Signal 03 — The Human Layer Still Carries Weight
Because salted phishing still has to show the reader a convincing lure, the human layer remains load-bearing precisely when the automated one fails. Our view is that this disclosure argues for continued investment in security-awareness training and, more importantly, in fast, low-friction reporting: when a filter is fooled at scale, the earliest reliable signal is often a user flagging a message that felt wrong. That reporting loop should feed back into detection tuning, turning individual catches into pipeline improvements.
The prudent interim assumption is that some salted messages will reach inboxes no matter how good the filter, and that the organizational goal is to shorten the time between delivery and detection. That is not a permanent state of helplessness; it is the appropriate posture toward a fresh disclosure of a scaled, still-effective evasion technique. The forward-looking watch item is concrete — whether AI-based email-security vendors adjust their engines to weigh context and hidden-text divergence — and it is the metric by which the durability of any fix should be judged.