Intruders employ CSS to produce deceptive phishing messages.
March 17, 2025
Cascading Style Sheets ( CSS) are used by threat actors to evade spam filters and detection tools and monitor users ‘ actions and preferences.  ,
Problems with security and privacy, including prospective fingerprinting, were raised when Cisco Talos observed threat actors using Cascading Style Sheets ( CSS) to escape recognition and track customer behavior.
Cascading Style Sheets ( CSS) is a stylesheet language that governs website design and appearance. It specifies the designs for HTML elements, including setting, placement, fonts, and colors. CSS assists in separating content from design, allowing developers to create websites that are both aesthetically appealing and flexible. It also supports themes and animations, and it integrates with HTML and JavaScript to improve online experiences.
Although many features related to dynamic content ( such as JavaScript ), are restricted in email clients as opposed to web sites, the features available in CSS allow adversaries and marketers to track people ‘ activities and interests. In what follows, we provide examples of CSS mistreatment that we’ve seen in the wild to avoid detection and track people. reads the Cisco Talos expert published. These instances can be seen from February 2025 through the second quarter of 2024.
Threat actors exploit HTML and CSS features to hide the content in emails, evading detection. Using CSS properties like text-indent, they conceal phishing text from victims while bypassing security parsers.
Specialists observed attackers changing the text-indent house to -9999px, which causes the text to be moved far outside the apparent area when an email is opened in an email client. Additionally, attackers set the font-size home to a very low value, rendering the text on most screens almost unknown to viewers.
Moreover, experts noted that the clear color was used to blend text into the background to make it invisible. Additionally, threat actors may use the opacity home to conceal relevant content.
The following hacking information purports to be from the Blue Cross Blue Shield business.
” A careful examination of the HTML source of the above message reveals numerous attempts to suppress content, both in the senders system and in its preheader.” continues the statement.”” The CSS component is completely transparent and invisible because the perpetrator has omitted the , opacity  property. Note that the preheader wording is kept hidden by using a number of CSS properties, including , shade,  , elevation,  , max-height, and , max-width. Also, the property , mso-hide , is set to all make the preheader unknown in Outlook email customers as well. Also, take note of the invisible preheader text, which appears to be benign ( for instance,” FOUR delectable soup recipes just for you” ). to make it seem less obtrusive to spam filters.
Talos warned that threat actors can use the @media at-rule to observe user behavior and carry out fingerprinting attacks. With this strategy, they can gather information about recipients ‘ preferences for style and color, language usage, and actions like reading or printing emails. Spammers can also use CSS attributes to identify users, their contact clients, and systems by determining screen resolution, quality, and color depth.
Advanced filtering techniques can increase the recognition of image-based threats, as well as detecting hidden words salting and content concealment in emails. Internet privacy proxies can update emails to improve stability by converting top-level CSS rules into style attributes and encoding distant resources as data URLs, preventing tracking and data leaks.
” CSS provides features, principles, and properties that could be abused by hackers to circumvent spam filters and monitoring machines, as well as to monitor or fingerprint people and their products. In this way, both your business and organization ‘ security and privacy are in danger. We provide a few management solutions for each site in the following paragraphs. ” closes the review,” the statement.
Observe me on Twitter at and @nbsp on , and @nbsp on .
( – hacking, phishing)