Criminals are using CSS to get around filters and track email usage
Hackers are building on their salting technique, experts warn

- Cisco Talos says hackers are abusing CSS in emails
- The stylesheet language is used to hide content, track people's behavior, and more
- Researchers suggest IT teams adopt advanced filtering techniques
Cybercriminals are using CSS in emails to track their victims, learn more about them, and redirect them to phishing pages, experts have warned.
Cybersecurity researchers at Cisco Talos outlined how CSS (Cascading Style Sheets) is used in emails to control the design, layout, and formatting of email content. Businesses use it not only to make the emails look better, but also to keep the layout consistent across different email clients. There is nothing inherently malicious about CSS but, as is the case with many other legitimate tools, it is being abused in attacks.
"The features available in CSS allow attackers and spammers to track users' actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers," a Cisco Talos researcher said in a report.
Advanced filtering techniques
Through CSS, cybercriminals can hide content in plain sight, thus bypassing email security solutions. They can also use it to redirect people to phishing pages, it was said. The tool can be used to monitor user behavior which, in turn, can lead to spear-phishing or fingerprinting attacks.
"This abuse can range from identifying recipients' font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails)," they said. "CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the media at-rule can detect certain attributes of a user's environment, including screen size, resolution, and color depth."
Cisco Talos said the new campaign builds upon a “hidden text ‘salting’” one they uncovered in late January 2025.
To tackle this threat , the researchers suggested IT teams adopt advanced filtering techniques that scan the structure of HTML emails, rather than just their contents. An email security solution could, thus, look for extreme use of inline styles or CSS properties such as “visibility: hidden”. Deploying AI-powered defenses is also recommended.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via The Hacker News
You might also like
- US, UK crack down on Russian bulletproof hosting service ZServers for LockBit partnership
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.

















