CSS, a technology designed for styling web pages, is now being manipulated by threat actors to outsmart email security systems. Unlike JavaScript and other dynamic elements that are typically restricted in email clients, CSS provides an alternative method for attackers to track user interactions subtly.
Cybercriminals are leveraging Cascading Style Sheets (CSS) to bypass spam filters and track email users’ actions, posing significant security and privacy risks, according to new research from Cisco Talos.
“The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers,” noted Talos researcher Omid Mirzaei in a report published last week.
This method builds upon previous findings from Cisco Talos, which reported a surge in email threats utilizing hidden text salting in the latter half of 2024. This approach involves inserting hidden text and irrelevant content within emails using HTML and CSS to deceive spam filters while remaining invisible to recipients.
CSS Techniques Used in Email Attacks
Threat actors have been observed employing CSS properties like text-indent and opacity to conceal malicious content within emails. The primary objective of these tactics is often to redirect unsuspecting recipients to phishing websites or fraudulent pages.
Additionally, attackers exploit CSS features such as the @media at-rule to gather user information. This method allows them to track details like font preferences, color schemes, client language, and even email interactions such as views or prints.
The Role of CSS in User Fingerprinting
Cybercriminals are leveraging CSS for fingerprinting attacks by detecting specific attributes of a user’s system. This can include screen size, resolution, and color depth, providing valuable data that helps attackers refine their targeting strategies.
“CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system,” Mirzaei explained. “For example, the media at-rule can detect certain attributes of a user’s environment, including screen size, resolution, and color depth.”
How to Mitigate the Risk
To counteract these evolving threats, security experts recommend implementing advanced email filtering techniques to identify and block hidden text salting and content obfuscation. Additional protective measures include using email privacy proxies to prevent tracking and ensuring email security tools are updated to detect CSS-based exploits.
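The following Python example is added here and is not from Cisco Talos or the article: it scans an HTML email body for the concealment properties named above (text-indent, opacity) and for @media blocks that fetch a remote URL. The negative-indent threshold, the function name scan, and the sample message are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Concealment properties named in the article; the 3-digit indent threshold is assumed.
HIDING = {
    "text-indent": re.compile(r"text-indent\s*:\s*-\d{3,}", re.I),
    "opacity": re.compile(r"opacity\s*:\s*(?:0(?:\.0*)?|\.0+)\s*(?:;|!|$)", re.I),
}
# An @media block (one level of nested rules) and any remote url() inside it.
MEDIA_BLOCK = re.compile(r"@media([^{]+)\{((?:[^{}]*\{[^{}]*\})*[^{}]*)\}", re.I)
REMOTE_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)

class EmailCssScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._css, self._in_style = [], [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        style = dict(attrs).get("style") or ""
        for prop, rx in HIDING.items():
            if rx.search(style):
                self.findings.append(("hidden-text", tag, prop))
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self._css.append(data)

def scan(html):
    """Return (kind, where, detail) findings for one HTML email body."""
    parser = EmailCssScanner()
    parser.feed(html)
    parser.close()
    for block in MEDIA_BLOCK.finditer("".join(parser._css)):
        for url in REMOTE_URL.findall(block.group(2)):
            parser.findings.append(("media-beacon", block.group(1).strip(), url))
    return parser.findings

# Constructed sample body; tracker.example is a placeholder domain.
SAMPLE = """<html><head><style>
@media print { #t { background-image: url("https://tracker.example/p?e=print"); } }
@media (min-width: 1200px) { .w { background: url(https://tracker.example/p?w=1200) } }
</style></head><body><p>Your invoice is attached.</p>
<span style="text-indent:-9999px">unrelated filler words</span>
<div style="opacity: 0">more filler</div><div style="opacity: 0.8">footer</div>
</body></html>"""
if __name__ == "__main__": print(*scan(SAMPLE), sep="\n")
```

A "media-beacon" finding pairs the media condition with the URL that would be requested when it matches, which is the signal a filter or privacy proxy can act on by blocking or pre-fetching remote content.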
As cybercriminals continue to find creative ways to evade detection, organizations and individual users must remain vigilant and proactive in safeguarding their email security.