CSS to Evade Spam Filters

Malicious actors are exploiting Cascading Style Sheets (CSS), which are used to style and format the layout of web pages, to bypass spam filters and track users’ actions.

That’s according to new findings from Cisco Talos, which said such malicious activities can compromise a victim’s security and privacy.

“The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers,” Talos researcher Omid Mirzaei said in a report published last week.

The insights build upon previous findings from the cybersecurity company about a spike in email threats leveraging hidden text salting in the second half of 2024 with an aim to get around email spam filters and security gateways.

This technique particularly entails using legitimate features of the Hypertext Markup Language (HTML) and CSS to include comments and irrelevant content that are invisible to the victim when rendered in an email client but can trip up parsers and detection engines.

The latest analysis from Talos has found that threat actors are using CSS properties like text_indent and opacity to conceal irrelevant content from being displayed in the email body. The end goal of these campaigns, in some cases, is to redirect the email recipient to a phishing page.

CSS to Evade Spam Filters

Furthermore, it has emerged that CSS offers opportunities for threat actors to monitor user behavior via spam emails by embedding CSS properties such as the @media CSS at-rule, thus opening the door to potential fingerprinting attacks.

“This abuse can range from identifying recipients’ font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails),” Mirzaei explained.

“CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the media at-rule can detect certain attributes of a user’s environment, including screen size, resolution, and color depth.”

To mitigate the risk posed by such threats, it’s recommended to implement advanced filtering mechanisms to detect hidden text salting and content concealment, as well as use email privacy proxies.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.