Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Hackers are using CSS to evade email filters and track users

Written by Farah Amod | August 07, 2025

Researchers warn that email attackers are abusing common web styling tools to bypass detection and monitor recipients.


What happened

Researchers have discovered that cybercriminals are misusing Cascading Style Sheets (CSS) to bypass spam filters and gain visibility into how recipients interact with email content. Unlike traditional email threats that rely on scripts or attachments, these tactics exploit HTML and CSS formatting to conceal malicious intent while evading detection.

The research points to a growing trend in which attackers embed invisible or irrelevant text in emails using CSS properties. These elements are not visible to recipients but interfere with the filters that scan for suspicious content, allowing phishing emails to slip through.


Going deeper

Attackers are using properties like text-indent and opacity to hide content: the message appears benign or blank to human readers, while the hidden text is still read and scored by security software. In some cases, emails are crafted to redirect recipients to phishing websites, using these CSS tricks to avoid being flagged or quarantined.

More concerning is the use of the @media at-rule and other CSS techniques for behavioral tracking. These allow attackers to passively collect data about a user’s environment, including screen resolution, email client preferences, language settings, and actions like opening or printing emails, all without the use of JavaScript or external trackers.

This builds on prior findings from 2024, where “hidden text salting” became a method of inserting misleading or non-relevant content into emails to confuse detection engines while staying invisible to the user.
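As an added example (not from the article or from Cisco Talos), the following Python scanner flags inline styles using the hiding properties the article names (text-indent, opacity) plus two common companions (font-size 0, display none), and lists any @media queries a message's stylesheet declares; the pattern names, scoring weights and the sample email are assumptions constructed for this illustration.

```python
import re

# Inline-style patterns that hide "salted" text from the human reader.
# Names and the set of properties are assumptions for this example.
HIDING_PATTERNS = {
    "opacity-zero": re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"),
    "offscreen-indent": re.compile(r"text-indent\s*:\s*-\d+"),
    "zero-font": re.compile(r"font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"),
    "display-none": re.compile(r"display\s*:\s*none"),
}
# An element carrying a style attribute: capture tag, style and inner text.
STYLED_ELEMENT = re.compile(
    r"<(\w+)[^>]*\bstyle\s*=\s*[\"']([^\"']*)[\"'][^>]*>(.*?)</\1>",
    re.IGNORECASE | re.DOTALL)
# @media rules: the queried features are what a sender can fingerprint.
MEDIA_RULE = re.compile(r"@media\s*([^{]+)\{", re.IGNORECASE)

# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """<html><head><style>
@media (prefers-color-scheme: dark) { .x { color: #000; } }
@media print { .x { display: none; } }
</style></head><body>
<p>Your account statement is ready.</p>
<span style="opacity:0">lorem ipsum filler words</span>
<div style="text-indent:-9999px; font-size:12px">unrelated salt text</div>
<p style="font-size:0">more salt</p>
</body></html>"""

def scan_html_email(html):
    """Return hidden text fragments and @media queries found in an HTML body."""
    findings = {"hidden_text": [], "media_queries": []}
    for _tag, style, inner in STYLED_ELEMENT.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # visible text only
        for name, pattern in HIDING_PATTERNS.items():
            if text and pattern.search(style.lower()):
                findings["hidden_text"].append((name, text[:40]))
                break  # one finding per element is enough
    for query in MEDIA_RULE.findall(html):
        findings["media_queries"].append(" ".join(query.split()))
    return findings

def risk_score(findings):
    """Assumed weights: hidden fragment counts 2, each @media query 1."""
    return 2 * len(findings["hidden_text"]) + len(findings["media_queries"])

if __name__ == "__main__":
    result = scan_html_email(SAMPLE_EMAIL)
    print(result, "score:", risk_score(result))
```

A filter would feed such a score into its existing spam verdict rather than block on it alone, since legitimate newsletters also use @media for responsive layout.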


What was said

Cisco Talos researcher Omid Mirzaei noted that "CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system." He stated that even though email clients restrict dynamic content like JavaScript, CSS remains usable and potentially dangerous in this context.

The report urges email administrators to strengthen filtering mechanisms and implement privacy protections such as email proxies to limit information exposure.


The big picture

Email-based threats are increasingly relying on design-focused elements rather than overt malicious code. Tools like CSS, originally used for formatting and layout, are now being repurposed to support tracking and phishing techniques that appear visually harmless. These tactics can bypass traditional filters and affect user privacy more quietly. As this approach becomes more common, closer inspection of design elements in email, especially CSS behavior, may be needed to improve detection across both enterprise and personal accounts.


FAQs

Why can CSS be used in emails if it's potentially risky?

CSS is widely allowed in emails to enable formatting and readability across devices. Unlike JavaScript, which is blocked for security reasons, CSS is considered safe, but attackers are now pushing its boundaries.


What is “hidden text salting,” and why does it work?

Hidden text salting involves adding meaningless or unrelated text elements to an email in a way that is invisible to users but visible to spam filters, confusing the filtering process and allowing malicious messages through.


How can CSS track user behavior without active scripts?

Certain CSS rules, like @media, can detect characteristics of the user’s device or email client (e.g., screen size, color preferences). Combined with email analytics tools, this can help attackers infer how the email is being accessed.


Can all email clients detect or block these CSS-based threats?

No. Some email clients render CSS more fully than others, making them more susceptible to these techniques. Web-based email platforms are particularly vulnerable to style-based exploits.


What practical steps can users take to reduce risk?

Users can disable remote content loading in their email settings, avoid clicking on unexpected links, and consider using privacy-focused email clients or extensions that strip out advanced styling and tracking elements.