Researchers have identified a concerning trend where threat actors are increasingly abusing Cascading Style Sheets (CSS) to bypass spam detection systems and covertly track user behaviours.
Observed from the second half of 2024 through February 2025, these sophisticated techniques leverage innocent-looking style properties to conceal malicious content and gather sensitive information about email recipients without their knowledge.
Evading Detection Through Hidden Text Salting
Cisco Talos security researchers report that cybercriminals are employing a technique called “hidden text salting” (also known as HTML poisoning) to confuse email security systems.
This method involves embedding invisible text within emails that remains undetectable to human readers but disrupts automatic scanning systems.
One prevalent approach uses the text-indent CSS property to hide irrelevant content.
Security researchers discovered phishing campaigns where attackers set values like text-indent: -9999px combined with extremely small font sizes to push gibberish text far outside the visible area.
This technique effectively dilutes the malicious content, making it harder for security filters to recognize harmful patterns.
Another example found in recent phishing emails shows how attackers use the opacity property to make text completely transparent while still affecting detection systems.
Sophisticated User Tracking Without JavaScript
While email clients typically block JavaScript to prevent tracking, researchers found that CSS alone provides ample opportunities for monitoring user behavior.
Marketing campaigns and threat actors alike are using CSS media queries to fingerprint recipients’ devices and track their actions.
In a particularly sophisticated approach, attackers employ CSS to:
- Record when recipients open or print emails through specialized tracking URLs
- Detect color scheme preferences using the CSS @media at-rule
- Identify which email client is being used
- Fingerprint operating systems based on font availability
One example shows how attackers use CSS to load different resources based on the recipient’s screen size.
The research also highlights how the CSS @font-face at-rule can determine a recipient’s operating system by checking for specific fonts.
For instance, detecting “Segoe UI” might indicate Windows, while “Helvetica Neue” suggests macOS. This information helps attackers craft more convincing phishing attempts or target specific vulnerabilities.
Mitigations Against CSS Exploitation
Security experts recommend implementing advanced filtering mechanisms that can detect hidden content and CSS-based evasion techniques.
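One way such a filter can surface hidden text salting is sketched below. This is an added example, not code from the Cisco Talos research: it walks an HTML email body, flags text that sits under the text-indent, font-size or opacity tricks described above, and returns the visible text separately so a content filter can score only what the reader sees. The names `scan`, `SaltFinder` and `hiding_reasons`, the thresholds and the sample message are assumptions made for this example, and only inline `style` attributes are inspected.

```python
import re
from html.parser import HTMLParser

# Thresholds and SAMPLE are constructed for this example, not taken from the research.
MAX_FONT_PX, MIN_INDENT_PX = 2.0, -1000.0
VOID = {"br", "img", "hr", "meta", "link", "input", "wbr"}
SAMPLE = ('<p>Your mailbox is <span style="opacity:0">qzx lorem</span> almost full.</p>'
          '<div style="text-indent:-9999px; font-size:1px">vfk plu wqe</div>')

def _px(value):  # px/pt length (or a bare zero) as a float, else None
    m = re.fullmatch(r"(-?\d*\.?\d+)(px|pt)|(-?0*\.?0+)", value)
    return float(m.group(1) or m.group(3)) if m else None

def hiding_reasons(style):
    """List the properties in an inline style value that make text invisible."""
    pairs = (p.split(":", 1) for p in style.lower().replace("!important", "").split(";") if ":" in p)
    decls = {k.strip(): v.strip() for k, v in pairs}
    indent, size = _px(decls.get("text-indent", "")), _px(decls.get("font-size", ""))
    hits = {"text-indent": indent is not None and indent <= MIN_INDENT_PX,
            "font-size": size is not None and size <= MAX_FONT_PX,
            "opacity": bool(re.fullmatch(r"0*\.?0+%?", decls.get("opacity", "")))}
    return [name for name, hit in hits.items() if hit]

class SaltFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []  # stack: (tag, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:  # children inherit the hiding of every open ancestor
            inherited = self.stack[-1][1] if self.stack else []
            self.stack.append((tag, inherited + hiding_reasons(dict(attrs).get("style") or "")))

    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:  # pop back to the matching open tag, dropping unclosed children
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

    def handle_data(self, data):
        reasons = sorted(set(self.stack[-1][1])) if self.stack else []
        if data.strip():
            (self.hidden if reasons else self.visible).append((reasons, data.strip()))

def scan(html):  # returns (visible_text, [(reasons, hidden_text), ...])
    finder = SaltFinder()
    finder.feed(html)
    finder.close()
    return " ".join(text for _, text in finder.visible), finder.hidden
```

Calling `scan(SAMPLE)` separates the readable sentence from the two salted runs, and the ratio of hidden to visible text can itself serve as a detection signal.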
For privacy concerns, email privacy proxies that convert CSS rules into style attributes and rewrite remote resources can prevent tracking.
Organizations should consider deploying comprehensive email security solutions that utilize AI-driven detection to identify these sophisticated attacks before they reach users’ inboxes.
As CSS exploitation techniques continue to evolve, staying informed about these methods remains critical for maintaining email security posture in 2025 and beyond.