Monday, March 17, 2025

Hackers Use CSS Tricks to Bypass Spam Filters and Monitor Users


Cybersecurity experts have uncovered how hackers use Cascading Style Sheets (CSS) to deceive spam filters and monitor user behavior.

This sophisticated technique allows malicious actors to remain under the radar while gaining insights into user preferences and actions.

The abuse of CSS for both evasion and tracking poses substantial threats to privacy and security.

The Abuse of CSS for Evasion

Threat actors have developed several methods to exploit CSS for evading detection.

One of these methods involves using CSS properties like text-indent and opacity to conceal content within emails.

This “hidden text salting” technique lets attackers add irrelevant text or code that is invisible to recipients but can trick spam filters into misclassifying the email as legitimate, according to a report by Talos Intelligence.

For instance, by setting the text-indent property to a large negative value (e.g., -9999px), attackers can move unwanted text far beyond the visible area of the email.

This hidden content can include gibberish characters inserted between legitimate words in the email body, making it difficult for detection engines to identify the true intent of the message.

A phishing email with several gibberish characters added in between the original words.

Additionally, setting font-size to an extremely small value or the text color to transparent keeps the hidden content invisible to the human reader while it remains in the markup that a filter parses.

Another technique involves using the opacity property to make certain elements completely transparent, thus hiding them from view while maintaining their presence in the email code.

The HTML source snippet of the above phishing email

This approach can be used in both the email body and preheader sections to deceive spam filters and make the email appear less suspicious.
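As an added example (not code from the Talos report or this article), the following Python script makes the salting problem concrete: it walks a salted HTML message once, honours the hiding styles described above, and compares the text a naive extractor reads with the text the recipient actually sees. The sample message, the property patterns and the thresholds are constructed for illustration.

```python
"""Hidden-text-salting check: what a naive filter reads vs. what a human sees.

The HTML sample, the hiding-property patterns and the thresholds are all
constructed for this example; they are not from the Talos report.
"""
import re
from html.parser import HTMLParser

# Inline-style declarations that keep text in the DOM (so a text-extraction
# filter still "reads" it) but make it invisible to a human recipient.
HIDING_RULES = {
    "display_none": re.compile(r"display\s*:\s*none", re.I),
    "visibility_hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "opacity_zero": re.compile(r"opacity\s*:\s*0(\.0+)?\s*(;|$)", re.I),
    "negative_indent": re.compile(r"text-indent\s*:\s*-\d+", re.I),
    # font-size of 0, a fraction, or 1 px/pt; 'em' is excluded on purpose
    # because 1em is a normal size.
    "tiny_font": re.compile(r"font-size\s*:\s*(0|0?\.\d+|1)(px|pt)?\s*(;|$)", re.I),
    # bare 'color' only; background-color:transparent is not a hiding trick.
    "transparent_color": re.compile(r"(?<![\w-])color\s*:\s*transparent", re.I),
}

# Elements that never have a closing tag; they must not touch the stack.
VOID = {"br", "img", "hr", "meta", "link", "input"}


class SaltingScanner(HTMLParser):
    """Single pass over the HTML, keeping one 'hidden' flag per open element
    so that text nested inside a hidden element inherits its status."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []
        self.visible_parts = []   # what the recipient sees
        self.hidden_parts = []    # salt: present in the markup, never rendered
        self.all_parts = []       # what a naive extractor sees, in order
        self.findings = []        # (tag, matched rule names, style attribute)

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        matched = [name for name, rx in HIDING_RULES.items() if rx.search(style)]
        inherited = bool(self.hidden_stack) and self.hidden_stack[-1]
        if matched:
            self.findings.append((tag, matched, style))
        self.hidden_stack.append(bool(matched) or inherited)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        self.all_parts.append(data)
        if self.hidden_stack and self.hidden_stack[-1]:
            self.hidden_parts.append(data)
        else:
            self.visible_parts.append(data)


def _normalize(parts):
    return " ".join("".join(parts).split())


def scan(html):
    """Returns the visible text, the naive text and the share of hidden
    characters, plus the elements that carried a hiding style."""
    p = SaltingScanner()
    p.feed(html)
    p.close()
    naive = _normalize(p.all_parts)
    hidden = _normalize(p.hidden_parts)
    return {
        "visible": _normalize(p.visible_parts),
        "naive": naive,
        "salt_ratio": len(hidden) / max(len(naive), 1),
        "findings": p.findings,
    }


# Constructed phishing sample: a decoy preheader hidden with display:none,
# gibberish injected inside words, an off-screen filler span and a
# transparent paragraph.
SAMPLE = """<html><body>
<div style="display:none">Thanks for your order #4492 from our garden store.</div>
<p>Your acc<span style="font-size:0px">XqZ</span>ount has been lo<span style="opacity:0">k3w</span>cked.
<span style="text-indent:-9999px; display:inline-block">lorem ipsum newsletter recipe</span>
Please <a href="https://example.invalid/verify">verify your password</a> within 24 hours.</p>
<p style="color:transparent">weekly digest update from your team</p>
</body></html>"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    print("naive  :", result["naive"])
    print("visible:", result["visible"])
    print("salt ratio: %.2f" % result["salt_ratio"])
    for tag, rules, style in result["findings"]:
        print("  <%s> hidden via %s  [%s]" % (tag, ", ".join(rules), style))
```

The naive text never contains the word "account" (the salt splits it into "accXqZount"), which is exactly why a keyword filter misses the lure, while the rendered text is a plain credential-phishing message. A filter that scores the rendered text, or that treats a high salt ratio as a signal in its own right, catches what the naive extraction does not.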

The Abuse of CSS for Tracking

Beyond evading filters, CSS is also being used to track users’ actions and preferences. Email clients’ varying support for CSS rules enables attackers to fingerprint recipients’ systems and hardware.

This can include detecting screen sizes, resolutions, and color schemes, providing valuable information that can be used to tailor phishing campaigns or marketing strategies.

The rendered HTML attachment of the above email.

An example of this tracking uses the CSS @media at-rule: a print media query (or one keyed to the client's viewport or colour scheme) whose rule loads a remote resource only under that condition, so the request itself records that the email was viewed or printed.

The HTML source snippet of the above spam email shows how the recipient’s actions and preferences are tracked.

By embedding tracking images or URLs that log specific events (e.g., when the email is opened in a particular client), attackers can gather detailed data about user engagement and preferences.

This information can be used to optimize future campaigns or enhance the effectiveness of targeted attacks.

Furthermore, CSS can be used to fingerprint operating systems based on the availability of specific fonts.

An example HTML code snippet that shows how the CSS font-face at-rule can be used to fingerprint the operating system of the recipient’s device and then show or block specific contents using the availability of certain fonts.

For instance, a @font-face rule can name Segoe UI (shipped with Windows) or Helvetica Neue (typical of macOS) as a local() source and a remote URL as the fallback; because the fallback is only requested when the local font is missing, the attacker learns the recipient's operating system from which requests arrive.

This information can be used to tailor malicious content to the recipient’s environment.

Mitigations

To address these security and privacy threats, several mitigation strategies can be employed:

  1. Advanced Filtering Mechanisms: Implementing advanced email filtering systems that detect hidden content and analyze both text and visual characteristics of emails can help identify malicious messages.
  2. Email Privacy Proxies: Using privacy proxies with email clients can effectively protect user privacy by rewriting CSS rules to prevent tracking and converting remote resources into data URLs. This approach confines styles within the email and prevents the exfiltration of information.
  3. User Awareness: Educating users about these tactics and encouraging vigilance when opening unsolicited emails can also help reduce the risk.
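The following Python script is an added example that is not code from the Talos report or this article. It serves two of the points above: it classifies the CSS tracking constructs described in the tracking section (conditional @media beacons, @font-face local() probes, plain remote loads), and it applies the privacy-proxy mitigation from item 2 by rewriting every remote url() into a data: URL. The sample message, the tracker hostnames and the pre-fetched resource map are constructed for illustration.

```python
"""Finds conditional CSS beacons and font probes in an HTML email, then
rewrites every remote url() into a data: URL the way a privacy proxy would.

The sample message, the tracker hostnames and the pre-fetched resource map
are constructed for this example and are not from the Talos report.
"""
import base64
import re

STYLE_RX = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
# url("https://...") / url('https://...') / url(https://...); group 2 is the URL.
URL_RX = re.compile(r"url\(\s*(['\"]?)(https?://[^'\")\s]+)\1\s*\)", re.I)
LOCAL_RX = re.compile(r"local\(\s*['\"]?([^'\")]+)", re.I)


def extract_css(html):
    """Concatenates the contents of every <style> element."""
    return "\n".join(STYLE_RX.findall(html))


def split_blocks(css):
    """Returns (selector-or-at-rule header, body) for each top-level block,
    tracking brace depth so a nested '@media print { body { ... } }' stays whole."""
    blocks, i, n = [], 0, len(css)
    while True:
        start = css.find("{", i)
        if start == -1:
            return blocks
        depth, j = 1, start + 1
        while j < n and depth:
            depth += {"{": 1, "}": -1}.get(css[j], 0)
            j += 1
        blocks.append((css[i:start].strip(), css[start + 1:j - 1]))
        i = j


def find_trackers(css):
    """Classifies every block that references a remote URL:
    - @media blocks fetch only when the condition holds (printed, dark mode,
      a given viewport), so the fetch itself leaks that state;
    - @font-face with a local() source fetches the url() only when the local
      font is absent, which leaks the operating system;
    - anything else is an unconditional remote load (open tracking)."""
    findings = []
    for header, body in split_blocks(css):
        urls = [m.group(2) for m in URL_RX.finditer(body)]
        if not urls:
            continue
        kind, local_fonts = "remote-resource", []
        if header.lower().startswith("@media"):
            kind = "media-conditional-beacon"
        elif header.lower().startswith("@font-face"):
            local_fonts = LOCAL_RX.findall(body)
            kind = "font-probe" if local_fonts else "remote-font"
        findings.append({"kind": kind, "condition": header,
                         "local": local_fonts, "urls": urls})
    return findings


def inline_remote_resources(doc, fetched):
    """Rewrites each remote url() in the document (style blocks and inline
    style attributes alike) into a data: URL. `fetched` maps URL -> (mime,
    bytes) as retrieved once, unconditionally, by the proxy; anything the
    proxy did not fetch becomes an empty data URL, so no client-side
    condition can ever trigger a request to the tracker's host."""
    def replace(m):
        url = m.group(2)
        if url in fetched:
            mime, data = fetched[url]
            return 'url("data:%s;base64,%s")' % (mime, base64.b64encode(data).decode())
        return 'url("data:,")'
    return URL_RX.sub(replace, doc)


# Constructed sample: a print beacon, a dark-mode beacon, a Helvetica Neue
# probe (fetched only on systems without that font) and a plain logo.
SAMPLE_EMAIL = """<html><head><style>
  body { font-family: Arial, sans-serif; }
  @media print {
    body { background: url("https://track.example.invalid/p?id=7f3a&ev=print"); }
  }
  @media (prefers-color-scheme: dark) {
    .hdr { background-image: url(https://track.example.invalid/p?id=7f3a&ev=dark); }
  }
  @font-face {
    font-family: "probe";
    src: local("Helvetica Neue"), url("https://track.example.invalid/f?id=7f3a&os=not-mac");
  }
  .hdr { background: url("https://cdn.example.invalid/logo.png"); }
</style></head><body class="hdr"><p style="font-family: probe">Hi there</p></body></html>"""

# What the proxy fetched once on the server side (constructed bytes).
FETCHED = {"https://cdn.example.invalid/logo.png": ("image/png", b"\x89PNG\r\n\x1a\nstub")}

if __name__ == "__main__":
    for f in find_trackers(extract_css(SAMPLE_EMAIL)):
        print("%-26s %-35s %s" % (f["kind"], f["condition"], ", ".join(f["urls"])))
    cleaned = inline_remote_resources(SAMPLE_EMAIL, FETCHED)
    print("remote URLs left after rewriting:", "https://" in cleaned)
```

The proxy fetches each resource exactly once, regardless of the recipient's client, so the attacker sees one request from the proxy rather than a request whose timing and presence encode the recipient's OS, colour scheme or print action. Unfetched URLs are replaced with an empty data URL rather than left in place; leaving a single conditional url() would keep the leak alive.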

The exploitation of CSS for nefarious purposes underscores the evolving nature of cyber threats.

As attackers continue to innovate, both individuals and organizations must stay informed and implement robust security measures to protect against these sophisticated tactics.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
