
Mar 17, 2025 | Ravie Lakshmanan | Web Security / Cyber Threat

According to recent discoveries, malicious actors are utilizing Cascading Style Sheets (CSS) to evade spam filters and track user activities, thereby compromising the security and privacy of victims.

This information comes from a report by Cisco Talos, which highlights the potential risks associated with the exploitation of CSS features for malicious purposes.

Talos researcher Omid Mirzaei stated that “CSS features allow attackers and spammers to track users’ actions and preferences, despite the restrictions on dynamic content, such as JavaScript, in email clients compared to web browsers.”

These findings expand upon previous research by the cybersecurity company, which revealed a surge in email threats leveraging hidden text salting in the latter half of 2024 to bypass email spam filters and security gateways.

This technique involves using legitimate HTML and CSS features to include comments and irrelevant content that are invisible to the victim when rendered in an email client but can deceive parsers and detection engines.

The latest analysis by Talos reveals that threat actors are exploiting CSS properties, such as text-indent and opacity, to keep irrelevant content from being displayed in the email body, with the ultimate goal of redirecting the recipient to a phishing page in some cases.

Furthermore, it has been discovered that CSS provides opportunities for threat actors to monitor user behavior via spam emails by embedding CSS rules, such as the @media at-rule, which can lead to potential fingerprinting attacks.

Mirzaei explained that “this abuse can range from identifying recipients’ font and color scheme preferences and client language to even tracking their actions, such as viewing or printing emails.”

“CSS offers a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the media at-rule can detect certain attributes of a user’s environment, including screen size, resolution, and color depth.”

To mitigate the risks posed by these threats, it is recommended to implement advanced filtering mechanisms that detect hidden text salting and content concealment, as well as to use email privacy proxies.
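A filter-side check for the two behaviors described above, as an added example that is not code from Talos or from this article: it reports text nested inside elements hidden with opacity or text-indent, and @media blocks whose body loads a remote url(). The names SaltingScanner, scan and media_fetches, the thresholds, and the host tracker.example are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Thresholds are assumptions for this example, not values from the Talos report.
HIDE_RULES = [
    ("opacity", re.compile(r"(?<![\w-])opacity\s*:\s*0(?:\.0+)?(?![\d.])", re.I)),
    ("text-indent", re.compile(r"text-indent\s*:\s*-\d{3,}", re.I)),
]
VOID = {"br", "img", "hr", "meta", "link", "input"}  # tags with no end tag
MEDIA = re.compile(r"@media([^{]*)\{((?:[^{}]|\{[^{}]*\})*)\}", re.I)

def media_fetches(css):
    """Conditions of @media blocks (one nesting level) whose body loads a url()."""
    return [m[1].strip() for m in MEDIA.finditer(css) if "url(" in m[2].lower()]

class SaltingScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._stack, self._in_style = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            self._stack.append(next((n for n, rx in HIDE_RULES if rx.search(style)), None))
            self._in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            self._stack.pop()
            self._in_style = False

    def handle_data(self, data):
        hidden_by = next((h for h in self._stack if h), None)  # any hidden ancestor
        if self._in_style:
            self.findings += [("media-fetch", c) for c in media_fetches(data)]
        elif hidden_by and data.strip():
            self.findings.append(("hidden-" + hidden_by, data.strip()))

def scan(html):
    scanner = SaltingScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = """<style>@media print { #p { background: url(https://tracker.example/p.gif) } }
p { color: #333 }</style><p>Your invoice is ready.</p>
<div style="text-indent:-9999px">lorem filler words</div>
<span style="opacity: 0">more filler</span><span style="opacity:0.9">Pay now</span>"""
```

Findings are heuristic signals for scoring or analyst review, since legitimate templates also use @media rules and off-screen text.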
