Cisco Talos observed threat actors abusing Cascading Style Sheets (CSS) to evade detection and track user behavior, raising security and privacy concerns, including potential fingerprinting. Cascading Style Sheets (CSS) is a style sheet language used to control the appearance and layout of web pages. It defines styles for HTML elements, including colors, fonts, spacing, and positioning. CSS helps separate content from design, allowing developers to create visually appealing and responsive websites. It also supports animations and themes and works alongside HTML and JavaScript to enhance web experiences. “The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers. In what follows, we provide examples of CSS abuse we’ve identified in the wild for both evading detection and tracking users,” reads the advisory published by Cisco Talos. “These examples have all been observed from the second half of 2024 until February 2025.”
See: https://redskyalliance.org/intel-reports/intelligence-report-weekly-data-and-threats-06-22-2023
Threat actors exploit HTML and CSS features to hide the content in emails, evading detection. Using CSS properties like text-indent, they conceal phishing text from victims while bypassing security parsers. Experts observed attackers setting the text-indent property to -9999px, moving the text far out of the visible area when the email is opened in an email client. Attackers also set the font size property to a minimal value, making the text virtually invisible to recipients on most screens. Researchers noted the use of the color transparent to render text invisible by blending it into the background. Threat actors may also use the opacity property to hide relevant portions of content. [1]
“A close inspection of the HTML source of the above email reveals multiple attempts to conceal content, both in the body of the email and in the email’s preheader,” continues the report. “The attacker has set the opacity property of CSS to zero, making the element fully transparent and invisible. Note that this preheader text is kept hidden by relying on multiple CSS properties, including color, height, max height, and max-width. Additionally, the most-hide property is set to make the preheader invisible in Outlook email clients. Also, note that the invisible preheader text is completely irrelevant and appears benign (e.g., “FOUR yummy soup recipes just for you!”) to make it appear less suspicious to spam filters.”
Talos warned that threat actors can also track user behavior and conduct fingerprinting attacks by using the @media at-rule. Using this trick, they can gather data on recipients’ font and color preferences, language settings, and actions like viewing or printing emails. Spammers can also use CSS properties to fingerprint users, email clients, and systems by detecting screen size, resolution, and color depth. Advanced filtering mechanisms can help detect hidden text salting and content concealment in emails, while analyzing visual characteristics can improve the detection of image-based threats. For privacy, email privacy proxies can rewrite emails to enhance security by converting top-level CSS rules into style attributes and embedding remote resources as data URLs, preventing tracking and data exfiltration.
“CSS provides functionalities, rules, and properties that attackers could abuse to evade spam filters and detection engines and track or fingerprint users and their devices. Your organization's and business's security and privacy are at risk. In what follows, we provide a few mitigation solutions for each domain.” concludes the report.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
© 2025 Red Sky Alliance Corporation. All rights reserved.
Comments