Cisco Talos researchers have identified new techniques leveraging Cascading Style Sheets (CSS) to evade spam filters and monitor user activity. These methods enable malicious content obfuscation, making detection more challenging, while also allowing threat actors to gather system information and user preferences. Although CSS is primarily used for styling HTML content, its properties can be manipulated to conceal text and track users covertly.
One method of misuse involves the text-indent property, which shifts text outside the visible area, effectively rendering it invisible to the user. Attackers can also shrink the font size or set the text color to transparent, further complicating detection. Another widely used tactic sets opacity: 0, so that the text remains present in the email source code but is not displayed on screen. Cybercriminals use this technique to embed hidden text in email headers, such as preheaders, where it stays invisible to the recipient while still influencing spam filters.
A more sophisticated evasion technique involves HTML Smuggling, where malicious email attachments contain randomized phrases concealed using CSS. Attackers achieve this by employing absolute positioning, setting the width and height of text elements to zero, and utilizing clip-path properties to restrict the visible area. This ensures that hidden elements exist within the email code but remain imperceptible to users.
Beyond bypassing email security measures, threat actors also leverage CSS for covert user tracking. Since various email clients support different CSS properties, attackers can determine system characteristics and user preferences.
For instance:
- Pixel trackers register whether an email has been opened.
- Unique URLs collect data on interface color schemes, operating systems, and email clients.
Another method involves detecting the recipient’s operating system based on available fonts. If the email references Segoe UI, it strongly suggests that the recipient is using Windows. Conversely, Helvetica Neue is predominantly found on macOS. Attackers can manipulate content visibility based on the detected OS, displaying targeted messages only to specific users.
Additionally, cybercriminals load different images depending on the recipient’s environment. The server logs which image is requested, allowing attackers to infer the user’s operating system and device specifications.
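An added defensive example, not code from Cisco Talos or this article: a Python scanner that flags text present in the source of an HTML email but hidden by the inline-style tricks described above (opacity, text-indent, font size, transparent color, zero-sized absolutely positioned boxes, clip-path) and separately flags stylesheet rules that probe the client's fonts or color scheme as described in the tracking section. The rule labels, the sample message and the host tracker.example are constructed for this example; it only evaluates inline style attributes, so a production filter would also need to resolve class and ID selectors from the embedded stylesheet against the DOM.

```python
import re
from html.parser import HTMLParser
# (label, regex over a lower-cased inline style): the present-in-source-but-invisible tricks above.
HIDING_RULES = [
    ("opacity-zero", re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![\d.])")),
    ("negative-indent", re.compile(r"text-indent\s*:\s*-\d")),
    ("font-size-zero", re.compile(r"font-size\s*:\s*0(?:px|pt|em|rem|%)?(?![\d.])")),
    ("transparent-color", re.compile(r"(?<![\w-])color\s*:\s*transparent")),
    ("zero-size-absolute", re.compile(r"(?=.*position\s*:\s*absolute)"
                                      r"(?=.*width\s*:\s*0(?![\d.]))(?=.*height\s*:\s*0(?![\d.]))")),
    ("clip-path", re.compile(r"clip-path\s*:")),
]
# Stylesheet-level patterns that fingerprint the client (remote font probe, color-scheme probe).
TRACKING_RULES = [
    ("remote-font-probe", re.compile(r"@font-face[^}]*src\s*:\s*url\(\s*['\"]?https?://", re.I)),
    ("color-scheme-probe", re.compile(r"@media[^{]*prefers-color-scheme", re.I)),
]

class HiddenTextScanner(HTMLParser):
    VOID = {"br", "img", "hr", "meta", "link", "input"}   # never closed, so never pushed
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, labels matched on that element), innermost last
        self.findings = []   # (sorted labels in effect, the hidden text)
    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = re.sub(r"\s+", " ", (dict(attrs).get("style") or "").lower())
        self.stack.append((tag, [name for name, rx in HIDING_RULES if rx.search(style)]))
    def handle_endtag(self, tag):   # pop back to the matching open tag, tolerating stray closes
        opened = [i for i, (t, _) in enumerate(self.stack) if t == tag]
        if opened:
            del self.stack[opened[-1]:]
    def handle_data(self, data):   # text is hidden if any enclosing element matched a rule
        text, active = " ".join(data.split()), sorted({lab for _, ls in self.stack for lab in ls})
        if text and active:
            self.findings.append((active, text))

def scan_email_html(html):
    # Returns ([(labels, hidden_text), ...], [tracking_labels]) for one HTML body.
    parser = HiddenTextScanner()
    parser.feed(html)
    parser.close()
    return parser.findings, [name for name, rx in TRACKING_RULES if rx.search(html)]

# Constructed sample, not a real message (tracker.example is a placeholder host).
SAMPLE_EMAIL = """<style>@media (prefers-color-scheme: dark) { .x { color: #fff } }
@font-face { font-family: "probe"; src: url("https://tracker.example/f.woff"); }</style>
<div style="opacity: 0; font-size: 1px; color: transparent;">reset your account now</div>
<p>Hello, your invoice is attached.</p>
<span style="position:absolute; width:0; height:0; overflow:hidden;">lorem quarterly ipsum</span>"""
```

Calling scan_email_html(SAMPLE_EMAIL) reports the preheader under opacity-zero and transparent-color, the filler span under zero-size-absolute, and both tracking probes, while the visible paragraph and the 1px font size are left alone.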
To counter these threats, Cisco Talos recommends implementing security measures such as:
- Advanced email filters capable of analyzing hidden elements within messages.
- Email proxy services that modify content before delivery, neutralizing tracking attempts.
- Disabling external image loading in email clients, reducing the risk of data leaks.
- Machine learning-based security solutions that detect malicious techniques and assess risks for enterprises.
By enhancing email security protocols and adopting proactive defense mechanisms, organizations can effectively mitigate the risks posed by CSS-based threats while safeguarding user privacy.