Experts from Cisco Talos have uncovered methods of abusing cascading style sheets (CSS) to circumvent spam filters and track user actions. These techniques allow malicious actors to conceal harmful content, making it difficult to detect, while also gathering information about the victim’s system and preferences. Although CSS is primarily used for formatting HTML content, its properties can be exploited to hide text and collect user data.
One tactic uses the text-indent property to push text outside the visible area, rendering it invisible. Text size can be reduced and the color made transparent to evade detection further. An alternative approach sets opacity: 0, which keeps the text in the code but does not display it on the screen. Attackers can also embed additional information in the email template, such as a pre-collection form hidden with CSS, allowing them to add text that bypasses spam filters.
Another evasion technique is HTML smuggling, in which the message contains hidden phrases concealed with CSS: text is positioned absolutely, its width and height are set to zero, and clip-path is used to restrict the visible area. The result is elements that exist in the code but are never visible to the user.
In addition to evading protection measures, attackers leverage CSS for covert user tracking. Different email clients support different CSS properties, enabling the identification of user preferences and device characteristics. Pixel trackers can record email opens, while unique URLs collect data on interface color schemes, operating systems, and email clients.
One way to infer the operating system is through embedded fonts: for example, the presence of the Segoe UI font suggests a Windows user, while Helvetica Neue is more common on macOS. This allows attackers to tailor the displayed content to the recipient’s system. Loading different images depending on the user environment is another tactic for system identification.
To mitigate these attacks, Cisco Talos experts recommend using filters that analyze hidden elements in emails. Employing email proxies that modify content before delivery can prevent tracking. Opting for in-line image loading over external links can also help prevent data leakage. Sophisticated solutions incorporating machine learning can aid in identifying malicious techniques and assessing risks for businesses.
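As an added illustration (not code from the Talos report or its tooling), the Python sketch below shows how a filter of the kind recommended above can flag the hiding tricks described in this article when they appear in inline style attributes. The sample email is constructed for testing, and the thresholds (an indent of 500px or more, a font size of 1px or less) are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample email body for testing; not taken from the Talos report.
SAMPLE_EMAIL = """<html><body>
<span style="text-indent:-9999px; font-size:1px; color:transparent">filler words</span>
<div style="opacity:0">filler words</div>
<div style="position:absolute; width:0; height:0; overflow:hidden; clip-path:inset(100%)">filler</div>
</body></html>"""

def parse_declarations(style):
    # "a: b; c: d" -> {"a": "b", "c": "d"}, lower-cased for matching.
    pairs = (part.split(":", 1) for part in style.split(";") if ":" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def hidden_reasons(decls):
    # One check per hiding trick described above: off-screen indent, zero opacity,
    # transparent or near-zero text, and a zero-size box clipped to nothing.
    reasons = []
    indent = re.match(r"(-?\d+(?:\.\d+)?)px", decls.get("text-indent", ""))
    if indent and abs(float(indent.group(1))) >= 500:  # assumed threshold
        reasons.append("text-indent off-screen")
    if decls.get("opacity") in ("0", "0.0", "0%"):
        reasons.append("opacity 0")
    color = decls.get("color", "")
    if color == "transparent" or re.search(r"rgba\([^)]*,\s*0(?:\.0+)?\s*\)", color):
        reasons.append("transparent color")
    size = re.match(r"(\d+(?:\.\d+)?)(?:px|pt)?$", decls.get("font-size", ""))
    if size and float(size.group(1)) <= 1:  # assumed threshold
        reasons.append("font-size near zero")
    if (decls.get("width") in ("0", "0px") and decls.get("height") in ("0", "0px")
            and ("clip-path" in decls or decls.get("overflow") == "hidden")):
        reasons.append("zero-size clipped box")
    return reasons

class HiddenElementFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, [reasons]) in document order
    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        reasons = hidden_reasons(parse_declarations(style))
        if reasons:
            self.findings.append((tag, reasons))

def find_hidden_elements(html):
    # Walk the HTML once and return every element whose inline style hides it.
    parser = HiddenElementFinder()
    parser.feed(html)
    return parser.findings
```

A production filter would also need to resolve rules from `<style>` blocks and external stylesheets, which this sketch does not attempt.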