TechRadar
Sead Fadilpašić

Criminals are using CSS to get around filters and track email usage


  • Cisco Talos says hackers are abusing CSS in emails
  • The stylesheet language is used to hide content, track people's behavior, and more
  • Researchers suggest IT teams adopt advanced filtering techniques

Cybercriminals are using CSS in emails to track their victims, learn more about them, and redirect them to phishing pages, experts have warned.

Cybersecurity researchers at Cisco Talos outlined how CSS (Cascading Style Sheets) is used in emails to control the design, layout, and formatting of email content. Businesses use it not only to make the emails look better, but also to keep the layout consistent across different email clients. There is nothing inherently malicious about CSS but, as is the case with many other legitimate tools, it is being abused in attacks.

"The features available in CSS allow attackers and spammers to track users' actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers," a Cisco Talos researcher said in a report.

Advanced filtering techniques

Through CSS, cybercriminals can hide content in plain sight, thus bypassing email security solutions. They can also use it to redirect people to phishing pages, the researchers said. CSS can also be used to monitor user behavior, which, in turn, can lead to spear-phishing or fingerprinting attacks.

"This abuse can range from identifying recipients' font and color scheme preferences and client language to even tracking their actions (e.g., viewing or printing emails)," they said. "CSS provides a wide range of rules and properties that can help spammers and threat actors fingerprint users, their webmail or email client, and their system. For example, the media at-rule can detect certain attributes of a user's environment, including screen size, resolution, and color depth."

Cisco Talos said the new campaign builds upon a “hidden text ‘salting’” campaign it uncovered in late January 2025.

To tackle this threat, the researchers suggested IT teams adopt advanced filtering techniques that scan the structure of HTML emails, rather than just their contents. An email security solution could thus look for excessive use of inline styles or CSS properties such as “visibility: hidden”. Deploying AI-powered defenses is also recommended.
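
The structural check described above, as an added Python example that is not code from Cisco Talos or the original article: it parses an HTML body, counts elements carrying inline styles, flags hiding declarations, and lists the media queries used in style blocks. Only "visibility: hidden" comes from the article; the other hiding patterns, the thresholds, the sample message and all names are assumptions.

```python
import re
from html.parser import HTMLParser

# Only "visibility: hidden" is named in the article; the other hiding
# patterns and both thresholds below are assumptions for this example.
HIDING = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none|(?:opacity|font-size)"
                    r"\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?(?=\s*(?:[;}]|$))", re.I)
MEDIA_QUERY = re.compile(r"@media\s+([^{]+)\{", re.I)

# Constructed sample body, not taken from a real message.
SAMPLE = """<style>@media print { .x { color: red } }
@media (min-resolution: 2dppx) { .x { color: blue } }</style>
<p style="color:#222">Your in<span style="visibility: hidden">zzqx</span>voice</p>
<div style="font-size:0px">filler words</div>
<a style="color:#00f" href="https://portal.example/">View</a>"""

class StyleScanner(HTMLParser):
    """Collects structural CSS signals instead of matching visible text."""
    def __init__(self):
        super().__init__()
        self.tags = self.inline = self.hidden = 0
        self.media_queries = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self.tags += 1
        self._in_style = tag == "style"
        style = dict(attrs).get("style") or ""
        self.inline += bool(style)                  # element has an inline style
        self.hidden += bool(HIDING.search(style))   # and it hides the element

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> block
            self.hidden += len(HIDING.findall(data))
            self.media_queries += [q.strip() for q in MEDIA_QUERY.findall(data)]

def scan_email_html(html, inline_ratio=0.6, min_tags=5):
    """Return (signals, reasons) for one HTML email body."""
    s = StyleScanner()
    s.feed(html)
    s.close()
    excessive = s.tags >= min_tags and s.inline / s.tags > inline_ratio
    reasons = [name for name, hit in (("hidden-content CSS", s.hidden),
                                      ("excessive inline styles", excessive)) if hit]
    return {"tags": s.tags, "inline": s.inline, "hidden": s.hidden,
            "media_queries": s.media_queries}, reasons
```

Media queries are common in legitimate responsive email, so the list is returned as context for an analyst rather than counted as a reason on its own.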

Via The Hacker News
