isc.sans.edu 7/10/2026, 9:50:40 AM · external

Phishing email hides huge HTML padding to dodge AI scanners

Phishing email hides huge HTML padding to dodge AI scanners
CyberSIXT Evidence Panel Source marked as original reporting

THE article discusses a phishing email that employs "comment stuffing" in an HTML attachment to evade AI-based detection tools. The email, disguised as a Microsoft Teams notification, exhibits several unusual characteristics, such as an empty envelope sender and no date header, indicating it was generated by a homemade script.

The attachment is over 2.5 MB, containing both a functional phishing page and a significant amount of irrelevant padding—430,000 'X' characters—presumably intended to confuse AI-based content classifiers. The padding may serve to dilute the detection likelihood of the malicious content by increasing its overall size, thus bypassing or delaying AI scanning mechanisms.

The phishing page itself is characterized as standard and includes a method to capture credentials, further emphasizing the evolving tactics used by cybercriminals.

View full article

Article by CyberSIXT