Barracuda says it detected more than one million retail-themed phishing emails using hidden filler text since April, but its published research does not show how many passed security controls or whether AI-generated filler performs better than older variants.
More than one million detections establish that text salting is being used at volume inside Barracuda's field of view. They do not establish that one million messages defeated security, that AI filters perform worse than traditional gateways or that the campaign represents a known share of global phishing.
Barracuda said in its July 16 report that researchers had detected more than one million attacks since April. The emails used urgent retail-themed promises of rewards, points or gift cards and hid benign prose in the message source.
The company's report does not state the number of messages examined, customers represented, sender domains observed, intended recipients or messages delivered to inboxes. It also does not identify a tested gateway or model, publish false-positive results, or compare salted messages with an unsalted control. The count is therefore a measure of observed activity, not a bypass rate.
One account of the finding described the emails as reaching inboxes. Peterson Gutierrez, Barracuda's vice president of information security, told the publication that the technique's continued and growing use shows it remains effective. Neither that account nor Barracuda supplied delivery data, and no disclosed test explains whether "effective" means passing a gateway, reaching an inbox, eliciting a click or merely remaining popular with attackers. Another report called the activity a sharp increase; the underlying Barracuda post provides no month-by-month series or earlier baseline from which to calculate one.
Nor is "attack" a standardized unit. The Anti-Phishing Working Group's first-quarter 2026 dataset illustrates the mismatch:
| Source | Unit counted | Time window | Collection scope |
|---|---|---|---|
| Barracuda | More than 1 million detected phishing attacks or emails using this technique | Since April 2026, reported July 16 | Vendor visibility; population and customer coverage not disclosed |
| APWG | 971,181 unique phishing-site bases | January–March 2026 | Emails reported by members and the public; URLs reported by members |
APWG calls a unique phishing site an attack and notes that one site can be promoted through thousands of customized URLs. It separately counts differing email subject lines as a measure of lure variety. Barracuda is counting messages or detections, so putting the totals side by side cannot establish market share or a broader phishing trend.
Text salting changes what a scanner processes without changing what the recipient sees. Attackers add random stories, conversations, project notes or words such as "puppy," "training," "rhythm" and "book." The filler can dilute suspicious terms such as "rewards" and "expires," while invisible insertions can break a phrase that an exact-match rule is looking for.
That technique is not an AI-era invention. In 2021, Microsoft documented zero-point-font text intended to throw off machine-learning detection. It said Defender for Office 365 had blocked malicious emails using the method for years, even though attackers continued to deploy it. That history is direct counterevidence to any claim of a novel technical bypass and shows that hidden typography can itself be a detection feature.
Barracuda's narrower claim concerns production economics. It says generative AI can create endless, natural-sounding filler quickly and at no cost, allowing each email to differ. Its example places a dangerous 20-word link within a 400-word invisible story. But the company published no cost measurement, generation method, attribution evidence or comparison with reused human-written filler. "Cheap," "scalable" and "highly varied" remain company assessments.
The UK National Cyber Security Centre's 2025 assessment gives the claim broader context, but not validation. It forecast that AI would highly likely increase intrusion volume and impact mainly by enhancing existing tactics rather than creating new threat vectors. That is a probabilistic forecast about cyber operations through 2027, not evidence that AI-generated salting caused these messages to evade a particular product.
Barracuda observed compromised legitimate websites and lookalike domains configured with DomainKeys Identified Mail, or DKIM. That matters because a valid signature can help establish a stable identity for reputation checks, but it is not a safety certificate.
The DKIM standard says verification associates a signing domain with hashed message content and establishes that the hashed content has not changed since signing. It explicitly says that verification asserts nothing else about end-to-end integrity, and it leaves trust decisions to other systems. A domain controlled by an attacker can sign malicious content correctly; compromised authorized infrastructure can do the same.
Within the message, the campaign layered several HTML and CSS techniques:
clip-path: inset(100%) reduces the filler text's visible area to zero, backed by zero height and line height.A technical account confirms that the concealment methods were layered. Barracuda's example inserts invisible random text between "pass" and "word" in "Your password expired." The recipient reads the intact phrase; a scanner matching the raw string may not.
The potential LLM failure is related but narrower than some coverage suggests. Barracuda says models can misread intent, sentiment, purpose or risk if hidden benign prose is passed to them as ordinary message content. A summary of the research goes further, saying hidden and visible text receive equal weight. The primary report says LLMs "often" process raw text without knowing what is invisible unless instructed or trained otherwise; it does not demonstrate equal weighting across products.
Adding more banned words will not solve the problem because the filler terms are ordinary language. The useful signal is the mismatch among rendered content, source structure, sender identity, linked destination and requested action.
Barracuda recommends layered analysis of HTML structure, sender reputation, authentication, links, behavioral anomalies and user-visible content. In a follow-up interview and security guide, senior threat analyst Pranati Sethy said defenses need to identify what is hidden and focus on what the recipient sees.
That puts preprocessing and rendering ahead of the choice of classifier. Buyers need evidence that a gateway can expose multiple concealment layers, compare source with rendered output and combine the result with infrastructure and behavioral signals. That guide also recommends authentication checks, structural anomaly detection, behavioral analysis and employee reporting. Those controls reduce dependence on any single content score; they do not prove that a particular gateway catches the campaign.
Downstream controls still matter when delivery succeeds. The same security guide recommends time-of-click URL protection or remote browser isolation and phishing-resistant multifactor authentication. Those measures can limit the consequence of a malicious link or stolen password, but they address impact rather than the salted email's initial classification.
Security teams can inspect whether their gateways normalize invisible Unicode, expose zero-font and off-screen text, render HTML safely and compare what the user sees with the source. What they cannot infer from the million-message count is which products failed or whether AI-generated filler improved the odds.
A decision-useful study would disclose the traffic population, customer coverage, sampling period and labeling method. It would send the same visible lure through named gateway versions under at least three conditions: no filler, repeated human-written filler and unique AI-generated filler. For each condition it would report detection, quarantine and inbox-delivery rates, plus false positives on legitimate mail that uses hidden HTML for formatting.
That test would separate three propositions now bundled together: attackers are using text salting at scale; generative AI lowers the cost of varying it; and salted messages defeat deployed AI defenses. Barracuda's observations support the first. Its report asserts but does not measure the second. The third remains unquantified.
Get concise AI news and useful context from the Magica team.
Read the newsletterChristian Faith Madison’s estate alleges GPT-4o sustained a months-long narrative of prophecy, sacrifice and resurrection before her death. Public safety disclosures and controlled research make that failure mode plausible, but neither establishes which model behavior she encountered or whether it caused her death.
Shanghai AI Laboratory has released Intern-S2-Preview-397B as downloadable weights and a hosted API, but its own 35B alternative offers the same context window and a far smaller disclosed scale while the larger model still lacks auditable comparative scores, pricing and physical-validation results.
Mixfont's free Decoy Font gives each glyph a sharp decoy and a blurred intended letter, creating a hurdle for pixel-based readers while leaving selectable text, known-image techniques and accessibility costs outside its protection.
Zhipu reportedly reached $1 billion in annual recurring revenue in July, roughly four times a March estimate, but the unconfirmed run rate is not annual sales and still sits far ahead of recognized cloud revenue while margins remain thin.
Cmpunlocker says patched Nvidia open kernel modules can expose 64GB of HBM on an 8GB CMP 170HX or 40GB on a 10GB card while removing an SM throttle. The exploit mechanism is documented, but the retained evidence does not independently validate the tool across full-memory workloads, error rates, power use or A100-class performance.
An unidentified industry source says at least one Nvidia board partner has physical RTX 50 Super cards but cannot sell them, with 3GB GDDR7 quoted at $60 to $70 per chip. The reported memory bill explains a plausible pricing problem, but neither Nvidia nor a second independent source has confirmed the products, the hold or the component terms.
Anthropic’s 20-year lease gives TeraWulf a customer for 401 megawatts of future AI infrastructure, but rent starts only after delivery and the proposed utility deal passes power and grid costs to TeraWulf, leaving financing and project margin unresolved.
OpenAI has put conversations and Projects back in its redesigned ChatGPT desktop app and enabled cloud Work threads to move across devices, correcting the launch's biggest usability failures without merging local Work or Codex histories.
Twenty-nine countries signed an agreement creating WAICO as an independent intergovernmental organization, while China paired the launch with capacity-building offers that are not yet confirmed as WAICO programs.
Meta reportedly plans to put departing AWS compute executive Dave Brown to work on its data-center buildout, adding hyperscale operating experience while leaving any customer-facing cloud business conditional and undefined.
Moonshot AI has made Kimi K3 available through its apps and API, pairing a 2.8-trillion-parameter architecture with early frontier-level results, but the model's open-weight claim cannot be tested until its weights and technical report arrive.
CIA Director John Ratcliffe said US intelligence is consistent with an estimate that Russian recruits last 20 to 30 minutes on Ukraine’s battlefield, but the public trail leads to an unsourced claim about assault troops and does not establish a representative average.
China has paired a five-year AI training offer for developing countries with cooperation centers, a weather-warning rollout and a new 29-country organization. The package gives Beijing a platform for influence, but no budget, selection rules or delivery timetable has been published.
The FastFlowLM team has joined AMD after building a Ryzen AI NPU inference flow on technology AMD already developed and distributed. The move could reduce model-support delays, but its financial significance, transaction perimeter and performance benefit remain undisclosed.
Federal intervention changed the launches of Anthropic's Claude Fable 5, Claude Mythos 5 and OpenAI's GPT-5.6, but through different legal and voluntary channels. The result is real government leverage over early customers without a common security threshold or durable review process.
A proposal developed with Treasury Secretary Scott Bessent would put an independent AI regulator under SEC oversight, but President Trump had not reviewed it and its tests, funding and enforcement authority remained unresolved.
San Francisco has demanded that Apple and Google cut off 13 apps capable of producing nonconsensual sexual deepfakes. The threatened case could test California’s new liability rules, but the confidential app list and the law’s “primary purpose” definition leave a central question unresolved.
Anthropic will keep Claude Fable 5 inside Max and Team Premium plans from July 20 at 50% of their usage limits, while Pro and Team Standard customers move to separately billed credits. The durable change is who gets bundled access, not a larger allowance for top-tier users.
HKT plans a 3.2 Tbps data-centre route from Lok Ma Chau to Tseung Kwan O by the end of 2026, but has not disclosed customer bandwidth, price, project cost or end-to-end latency, while Sandy Ridge's developer expects to start within 42 months of its land award.
Apple briefly topped Nvidia during Friday trading before Nvidia closed about $6 billion ahead. The filings show why that ranking is a weak AI verdict: Apple’s operating momentum predates its new Siri, while Nvidia’s rapid growth comes with concentrated customers and large forward commitments.