'Comment stuffing' — HTML phishing attachments padded to ~2.5 MB to dilute or exhaust AI/NLP email scanners
A SANS Internet Storm Center diary (2026-07-10, Jan Kopriva) dissects a phishing email that presented as a Microsoft Teams/SharePoint document notification and carried a .xls.html double-extension attachment weighing ~2.5 MB — anomalously large for a self-contained HTML page (SANS ISC, 2026-07-10). Decoded from a \uXXXX-escaped document.write() wrapper, the file was ~431 KB, of which only the first ~11 KB was a working SharePoint-themed credential-harvesting page; the rest was a single HTML comment holding roughly 430,000 repeated "X" characters, placed after the functional payload, accounting for ~97% of the file.
The placement rules out the classic goal. Padding after the payload does nothing to conceal the malicious code, and at 2.5 MB the file falls well short of the tens-of-megabytes scan-size limits modern mail security uses, so this is not the MITRE "Binary Padding" scan-size-evasion play. The handler's assessment — explicitly flagged as informed speculation — is that the target is AI/NLP-based content scanning, which a growing number of gateways now run. Citing KnowBe4's earlier "NLP obfuscation" work, the diary notes that "if a message contains enough innocuous material, the weight of the malicious portion can be diluted to the point where the model no longer flags it with sufficient confidence", and that "the same bulk can also make a message large enough so that scanning it using AI-based mechanisms takes too long, leading some solutions to release it rather than delay delivery indefinitely" (SANS ISC, 2026-07-10). The author judges the token-budget-exhaustion goal the more likely of the two here, since a featureless block of one character works as well as crafted filler for that purpose. He is candid that against a well-tuned model the tactic is blunt — "the padding is also about as low-entropy as any data can get, which means it wouldn't help the file blend in with benign content on a statistical level either" — which is precisely why a simple non-AI signature catches it.
If a message contains enough innocuous material, the weight of the malicious portion can be diluted to the point where the model no longer flags it with sufficient confidence.
The same bulk can also make a message large enough so that scanning it using AI-based mechanisms takes too long, leading some solutions to release it rather than delay delivery indefinitely.
The padding is also about as low-entropy as any data can get, which means it wouldn’t help the file blend in with benign content on a statistical level either
Defender actions
- Add a non-AI fallback rule to the mail gateway that flags HTML/XLS-disguised attachments containing an oversized single-repeated-character run or an HTML comment above a size threshold (e.g. >50 KB of one repeated character) — a signature independent of whatever AI/NLP scoring the gateway also runs, so the control does not fail when the classifier is drowned.
- Pre-process attachments to strip or truncate oversized comments/padding before AI-based scoring, and alert on large decompressed-vs-declared-size ratio outliers, so a padded payload is scored on its functional content rather than released on a timeout.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1566.001Phishing: Spearphishing Attachment
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Stealth TA0005
T1027Obfuscated Files or Information
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.