Criminals are using CSS to get around filters and track email usage

Close up of a person touching an email icon.
Image Credit: Pixabay (Image credit: Geralt / Pixabay)

  • Cisco Talos says hackers are abusing CSS in emails
  • The stylesheet language is used to hide content, track people's behavior, and more
  • Researchers suggest IT teams adopt advanced filtering techniques

Cybercriminals are using CSS in emails to track their victims, learn more about them, and redirect them to phishing pages, experts have warned.

Cybersecurity researchers at Cisco Talos outlined how CSS (Cascading Style Sheets) is used in emails to control the design, layout, and formatting of email content. Businesses use it not only to make the emails look better, but also to keep the layout consistent across different email clients. There is nothing inherently malicious about CSS but, as is the case with many other legitimate tools, it is being abused in attacks.

"The features available in CSS allow attackers and spammers to track users' actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers," a Cisco Talos researcher said in a report.

Advanced filtering techniques

Through CSS, cybercriminals can hide content in plain sight, thus bypassing email security solutions. They can also use it to redirect people to phishing pages, it was said. The tool can be used to monitor user behavior which, in turn, can lead to spear-phishing or fingerprinting attacks.

"This abuse can range from identifying recipients' font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails)," they said. "CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the media at-rule can detect certain attributes of a user's environment, including screen size, resolution, and color depth."

Cisco Talos said the new campaign builds upon a “hidden text ‘salting’” one they uncovered in late January 2025.

To tackle this threat , the researchers suggested IT teams adopt advanced filtering techniques that scan the structure of HTML emails, rather than just their contents. An email security solution could, thus, look for extreme use of inline styles or CSS properties such as “visibility: hidden”. Deploying AI-powered defenses is also recommended.

Via The Hacker News

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
email
Hidden text "salting" is letting hackers craft devious email attacks to evade detection
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
SVG files are offering cybercriminals an easy way in with new phishing attacks
Best email services: image of email with one unread message alert
Over 400 million unwanted and malicious emails were received by businesses in 2024
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
Russian flag on a laptop
Hackers are using Russian domains to launch complex document-based phishing attacks
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Latest in Security
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
NordProtect logo
Standalone identity theft protection from Nord Security is now available
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
Ofcom cracks down on UK tech firms, will issue sanctions for illegal content
Latest in News
Lego Pokemon
Pokemon and Lego announce the most electrifying collaboration of all time and I’m going to be first in line
Apple Watch app health
Apple Watch blood pressure monitoring tech revealed in patent
Using Zipped files and folders in Windows 11
Hidden clues suggest Microsoft is moving another part of Windows 11’s Control Panel to the Settings app – and this time it’s mouse options
Core Time 2 and COre 2 Duo watches running Pebble OS
Pebble is back! Pebble founder announces two new smartwatches, and they're basically the opposite of an Apple Watch in every way
an image of the Samsung Galaxy S24 Ultra
Finally! One UI 7 has a release date - here are the Samsung phones that’ll get it first
Google Cloud logo
Google to acquire cloud security platform Wiz in $32 billion deal