Cybercriminals Exploit CSS to Dodge Spam Detection and Monitor Emails

Bisma Farrukh

Malicious actors have found a new way to exploit Cascading Style Sheets (CSS), which are primarily used for styling web pages, to bypass spam filters and invade users’ privacy. According to recent findings by Cisco Talos, these malicious tactics pose serious risks to both security and personal information.
Omid Mirzaei, a researcher at Talos, noted that while email clients restrict many dynamic content features, such as JavaScript, the same isn’t true for CSS. This freedom allows attackers to track users’ interactions and preferences more effectively.
The report highlights an alarming rise in email threats that use a technique known as hidden text salting, particularly in the latter half of 2024. This method uses HTML and CSS to embed invisible comments or irrelevant content in emails, which can confuse spam filters and security systems.
Researchers discovered that threat actors use CSS properties such as text-indent and opacity to hide unwanted content in the email body. Sometimes, the ultimate aim is to lead unsuspecting recipients to phishing websites, where they could fall victim to further scams.
Additionally, CSS can be exploited to track user behavior through spam emails. Attackers might use features such as the CSS @media at-rule to perform fingerprinting attacks, gathering details about user preferences and their system environment. Mirzaei elaborated on this, revealing that such tactics could identify recipients’ font choices, color schemes, language settings, and actions like viewing or printing emails.
To counter these emerging threats, experts recommend implementing sophisticated filtering techniques to detect hidden text and concealed content and adopting email privacy proxies. These measures can help fortify users’ defenses against these evolving cyber risks.
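
One way a mail filter could apply the hidden-text detection recommended above, shown as an added example that is not code from Cisco Talos or this article. It checks inline styles only, for the two properties named earlier (opacity and text-indent); the thresholds, function names and sample body are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Thresholds below are assumptions for this example, not values from the report.
OPACITY_RE = re.compile(r"(?<![\w-])opacity\s*:\s*(\d*\.?\d+)", re.I)
INDENT_RE = re.compile(r"text-indent\s*:\s*(-\d+(?:\.\d+)?)", re.I)
VOID_TAGS = {"area", "base", "br", "col", "hr", "img", "input", "link", "meta", "wbr"}

def hiding_reason(style):
    # Return the property that hides an element, or None if it renders normally.
    m = OPACITY_RE.search(style)
    if m and float(m.group(1)) <= 0.05:      # effectively transparent
        return "opacity"
    m = INDENT_RE.search(style)
    if m and float(m.group(1)) <= -100:      # text pushed far outside its box
        return "text-indent"
    return None

class SaltScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # (tag, hiding reason or None) for each open element
        self.visible = []    # text a recipient would actually see
        self.hidden = []     # (reason, text) pairs concealed by CSS

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:             # void elements never get an end tag
            self.stack.append((tag, hiding_reason(dict(attrs).get("style") or "")))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:      # tolerate unclosed inner tags
                del self.stack[i:]
                break
    def handle_data(self, data):
        # Both properties affect descendants, so any hidden ancestor hides the text.
        reason = next((r for _, r in reversed(self.stack) if r), None)
        if reason is None:
            self.visible.append(data)
        elif data.strip():
            self.hidden.append((reason, data.strip()))

def scan(html):
    # Return (visible_text, hidden_fragments) for one HTML email body.
    scanner = SaltScanner()
    scanner.feed(html)
    scanner.close()
    return " ".join("".join(scanner.visible).split()), scanner.hidden

# Constructed sample body, not taken from a real message.
SAMPLE = """<p>Your acc<span style="opacity:0">zq</span>ount is on hold.</p>
<div style="text-indent:-9999px">quarterly garden newsletter recipes</div>
<p style="opacity:0.9">Sign in to review.</p>"""
```

Scoring the visible text instead of the raw markup restores the word that the salt split apart, and the list of hidden fragments can itself serve as a signal for the filter.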