In 2024 and early 2025, security researchers uncovered a worrying trend where hackers exploit Cascading Style Sheets (CSS) to bypass spam filters and secretly track user actions. By embedding hidden text or utilizing CSS properties, attackers can evade detection by email security systems. Cisco Talos discovered a method called “hidden text salting,” where invisible content is added using the text-indent property, causing the malicious content to be harder for filters to detect. This technique has been widely used in phishing campaigns.
Attackers have also been leveraging the opacity property in CSS to hide text from view but still affect detection mechanisms.
This allows them to hide malicious content within an email, making it invisible to human eyes while still detectable by spam filters. As spam detection systems continue to evolve, threat actors are finding new ways to bypass them using seemingly harmless properties like text-indent and opacity to obscure their tracks and avoid detection.
Another tactic identified by researchers involves the use of CSS to covertly track user behaviors without relying on JavaScript.
Phishing emails use CSS media queries to collect data on when an email is opened, whether it’s printed, and which email client is being used. This data can help attackers personalize phishing campaigns and track user actions, including determining device preferences, operating system types, and screen sizes, providing further insight into the user’s behavior.
Security experts recommend advanced email filtering mechanisms and AI-driven detection to combat these evolving threats. Email privacy proxies, which rewrite remote resources and convert CSS rules into style attributes, can help prevent unauthorized tracking. With CSS exploitation techniques growing more sophisticated, organizations are advised to stay vigilant and update their security measures to address these hidden threats effectively.