Cybercriminals Exploit CSS to Evade Spam Filters and Track Email Users' Actions
Summary:
Malicious actors are exploiting Cascading Style Sheets to evade spam filters and track user activity in phishing campaigns, posing significant security and privacy risks. According to Cisco Talos, attackers leverage CSS features to bypass detection in email clients, which impose strict restrictions on JavaScript and other dynamic content. By manipulating CSS properties, cybercriminals can conceal phishing links, track user interactions, and fingerprint devices to enhance future attacks. This tactic builds on previous findings regarding a sharp increase in email-based threats using hidden text salting in late 2024. Hidden text salting involves injecting invisible or misleading content within emails using HTML and CSS, allowing attackers to bypass security filters by making malicious messages appear legitimate while disrupting security detection mechanisms.
To evade detection, attackers manipulate CSS properties such as text-indent, opacity, display: none, and font-size: 0px to hide malicious content from recipients while ensuring it remains visible to security parsers. These techniques allow phishing emails to bypass anti-spam and anti-phishing filters while appearing normal to users. In many cases, attackers use these obfuscation methods to redirect victims to phishing pages designed to steal credentials or deploy malware.
Security Officer Comments:
Beyond evasion, CSS also serves as a tracking tool, allowing attackers to monitor user behavior through embedded CSS rules. By leveraging @media CSS at-rules, cybercriminals can gather information about a recipient’s email client, screen size, resolution, and operating system. Additionally, CSS-based tracking pixels can notify attackers when an email is opened, printed, or forwarded, providing real-time intelligence on victim engagement. Attackers can also detect font preferences, color schemes, and language settings, which enables them to craft more convincing and personalized phishing emails.
Suggested Corrections:
Security mitigations: One mitigation is to rely on advanced filtering mechanisms that can more effectively detect hidden text salting and content concealment. These systems could examine different parts of emails to find and filter out hidden content. Alternatively, relying on features beyond the text domain, such as the visual characteristics of emails, could be helpful. This approach is particularly beneficial against image-based threats.
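One way a filter can look for the concealment properties named above, shown as an added example (not code from Cisco Talos or the article): it separates the text a recipient would see from text hidden by inline `style` attributes. The names `scan`, `SaltFinder` and the `INDENT_LIMIT` threshold are assumptions of this sketch, and rules in `<style>` blocks are not resolved.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "meta", "link", "input", "wbr"}  # tags with no end tag
INDENT_LIMIT = -100  # assumed threshold: text indented this far left is off-screen

def _num(value):
    m = re.match(r"-?\d*\.?\d+", value)
    return float(m.group()) if m else None

def hiding_reason(style):
    """Name the concealing declaration in an inline style, or return None."""
    decls = dict((k.strip(), v.replace("!important", "").strip())
                 for k, _, v in (d.partition(":") for d in style.lower().split(";")))
    if decls.get("display") == "none":
        return "display:none"
    for prop in ("opacity", "font-size"):
        if prop in decls and _num(decls[prop]) == 0:
            return prop + ":0"
    indent = _num(decls.get("text-indent", ""))
    return "text-indent" if indent is not None and indent <= INDENT_LIMIT else None

class SaltFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:  # remember each open element and why it hides text
            self.stack.append((tag, hiding_reason(dict(attrs).get("style") or "")))
    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):  # ignore stray end tags
            while self.stack.pop()[0] != tag:
                pass
    def handle_data(self, data):
        reason = next((r for _, r in self.stack if r), None)
        if reason is None:
            self.visible.append(data)
        elif data.strip():
            self.hidden.append((reason, data.strip()))

def scan(html):
    p = SaltFinder()
    p.feed(html)
    p.close()
    return {"visible": " ".join("".join(p.visible).split()), "hidden": p.hidden}

# Constructed sample: a brand name split by hidden filler, plus hidden padding text.
SAMPLE = ('<p>Your <span style="font-size:0px">qz</span>Exam<span style="display:none">'
          'xk</span>pleBank account is locked.</p><div style="opacity: 0">weather '
          'report for tuesday</div><p style="text-indent:-9999px">meeting notes</p>')
```

Running `scan(SAMPLE)` gives the filter the recipient's view of the message to classify, and a non-empty `hidden` list is itself a signal worth scoring.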
Privacy mitigations: One of the most effective solutions in this domain is to use email privacy proxies. This mitigation is designed for email clients and involves rewriting emails to enhance privacy and maintain email integrity across different clients. In particular, the proxy service should be able to perform two main functions: 1) converting top-level CSS rules into style attributes, and 2) rewriting remote resources (e.g., images) to be included directly in the email via data URLs. The former function confines styles to the email itself and prevents conflicts with client-defined styles, while the latter function prevents exfiltration of information and undermines tracking pixels, ensuring the email's integrity over time.
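The second proxy function described above, as an added example (not the article's or any vendor's code): remote image and CSS `url()` references are replaced with data URLs from a prefetched cache, and anything not in the cache is dropped so that opening, printing or forwarding the message fetches nothing. The function name, the cache format and the regex-based matching are assumptions of this sketch; a production proxy would use a full HTML and CSS parser.

```python
import base64
import re

CSS_URL = re.compile(r"url\(\s*(['\"]?)(https?://[^'\")\s]+)\1\s*\)", re.I)
IMG_SRC = re.compile(r"(<img\b[^>]*?\bsrc\s*=\s*)(['\"])(https?://[^'\"]+)\2", re.I)

def neutralise_remote(html, prefetched):
    """Return (rewritten_html, dropped_urls) with no remote img/CSS references left.

    prefetched maps URL -> (mime_type, bytes) for resources the proxy fetched once
    at delivery time (an assumption of this example); other URLs are dropped.
    """
    dropped = []

    def data_url(url):
        if url not in prefetched:
            dropped.append(url)
            return None
        mime, body = prefetched[url]
        return "data:%s;base64,%s" % (mime, base64.b64encode(body).decode("ascii"))

    def fix_img(m):
        return '%s"%s"' % (m.group(1), data_url(m.group(3)) or "")

    def fix_css(m):
        inlined = data_url(m.group(2))
        # Unquoted url() is safe here: base64 data URLs contain no spaces or quotes.
        return "url(%s)" % inlined if inlined else "none"

    return CSS_URL.sub(fix_css, IMG_SRC.sub(fix_img, html)), dropped

# Constructed sample message and cache; the .example hosts are placeholders.
SAMPLE = ('<style>@media print { #a { background-image: '
          'url("https://t.example/p?id=1"); } }</style>'
          '<img src="https://cdn.example/logo.gif" width="80">')
CACHE = {"https://cdn.example/logo.gif": ("image/gif", b"GIF89a")}  # stand-in bytes
```

The returned `dropped` list is also useful telemetry: remote URLs that appear only inside conditional CSS rules are a strong hint of tracking.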
Link(s):
https://thehackernews.com/2025/03/cybercriminals-exploit-css-to-evade.html