Attackers use CSS to create evasive phishing messages
March 17, 2025
Threat actors exploit Cascading Style Sheets (CSS) to bypass spam filters and detection engines, and track users’ actions and preferences.
Cisco Talos observed threat actors abusing Cascading Style Sheets (CSS) to evade detection and track user behavior, raising security and privacy concerns, including potential fingerprinting.
Cascading Style Sheets (CSS) is a stylesheet language used to control the appearance and layout of web pages. It defines styles for HTML elements, including colors, fonts, spacing, and positioning. CSS helps separate content from design, allowing developers to create visually appealing and responsive websites. It also supports animations and themes and works alongside HTML and JavaScript to enhance web experiences.
“The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers. In what follows, we provide examples of CSS abuse we’ve identified in the wild for both evading detection and tracking users.” reads the advisory published by Cisco Talos. “These examples have all been observed from the second half of 2024 up until February 2025.”
Threat actors exploit HTML and CSS features to hide the content in emails, evading detection. Using CSS properties like text-indent, they conceal phishing text from victims while bypassing security parsers.
Experts observed attackers setting the text-indent property to -9999px, moving the text far out of the visible area when the email is opened in an email client. Attackers also set the font-size property to an extremely small value, making the text virtually invisible to recipients on most screens.
Additionally, experts noted the use of the color transparent to render text invisible by blending it into the background. Threat actors may also use the opacity property to hide portions of content that are relevant.
The following phishing message impersonates the Blue Cross Blue Shield organization.
“A close inspection of the HTML source of the above email reveals multiple attempts to conceal content, both in the body of the email and in the email’s preheader.” continues the report.” “the attacker has set the opacity property of CSS to zero, making the element fully transparent and invisible. Note that this preheader text is kept hidden by relying on multiple CSS properties, including color, height, max-height, and max-width. Additionally, the mso-hide property is set to all to make the preheader invisible in Outlook email clients as well. Also, note that the invisible preheader text is completely irrelevant and appears benign (e.g., “FOUR yummy soup recipes just for you!”) to make it appear less suspicious to spam filters.”
Talos warned that threat actors can also track user behavior and conduct fingerprinting attacks by using the @media at-rule. Using this trick, they can gather data on recipients’ font and color preferences, language settings, and actions like viewing or printing emails. Spamers can also use CSS properties to fingerprint users, their email clients, and systems by detecting screen size, resolution, and color depth.
Advanced filtering mechanisms can help detect hidden text salting and content concealment in emails, while analyzing visual characteristics can improve detection of image-based threats. For privacy, email privacy proxies can rewrite emails to enhance security by converting top-level CSS rules into style attributes and embedding remote resources as data URLs, preventing tracking and data exfiltration.
“CSS provides functionalities, rules, and properties that could be abused by attackers to evade spam filters and detection engines, as well as to track or fingerprint users and their devices. As such, both the security and privacy of your organization and business are at risk. In what follows, we provide a few mitigation solutions for each domain.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, phishing)
