Full Report
Cascading Style Sheets (CSS) are ever present in modern-day web browsing; however, their use is far from limited to their intended purpose. This blog details the ways adversaries use CSS in email campaigns for evasion and tracking.
Analysis Summary
# Tool/Technique: Abused Cascading Style Sheets (CSS) for Email Evasion and Tracking
## Overview
Threat actors are abusing Cascading Style Sheets (CSS) features within emails to achieve two primary goals: evading spam filters and detection engines (via "hidden text salting") and tracking user actions and preferences, with a direct privacy impact. The technique leverages standard HTML/CSS rendering properties to conceal malicious or irrelevant content from the recipient while that content is still parsed by security tools on receipt.
## Technical Details
- Type: Technique
- Platform: Email Clients (HTML rendering)
- Capabilities: Content concealment, evasion of spam filters, and potential user/device fingerprinting/tracking.
- First Seen: Observations cited span from the second half of 2024 up until February 2025.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Relevant when HTML smuggling is involved)
- T1027 - Obfuscated Files or Information
- T1027.006 - Hidden Information
- T1083 - File and Directory Discovery (Implied, if fingerprinting reveals system configuration)
## Functionality
### Core Capabilities
- **Content Concealment (Hidden Text Salting):** Inserting irrelevant or malicious text into the email body or preheader that is rendered invisible to the user but analyzed by spam filters.
- Using `text-indent: -9999px` to move content far off-screen.
- Using `font-size` properties set to extremely small values.
- Setting `color: transparent`.
- Using the `opacity` property set to zero.
- **Preheader Hiding:** Concealing preheader text using multiple restrictive CSS properties (e.g., `opacity: 0`, `height`, `max-height`, `max-width`) and Outlook-specific properties (`mso-hide: all`).
- **HTML Smuggling:** Embedding obfuscated content (e.g., German words/phrases) within HTML attachments designed to trigger redirects or malicious actions upon rendering.
### Advanced Features
- **Fingerprinting/Tracking:** Using various CSS properties and rules (which are processed differently across clients/systems) to fingerprint system and hardware configurations, potentially tracking user actions or identifying preferences, even where JavaScript execution is restricted.
- **Evasion Enhancements:** Combining properties like `text-indent` and `font-size` for robust concealment.
## Indicators of Compromise
(Note: As this is a technique summary, specific IOCs are derived from the techniques described, not a single piece of static malware.)
- File Hashes: N/A (Technique-based)
- File Names: N/A (Technique-based, though HTML attachments may vary)
- Registry Keys: N/A
- Network Indicators: Potential redirection targets if HTML smuggling is successful. (No specific network indicators were provided in the source report.)
- Behavioral Indicators: Excessive use of styling properties intended to hide large amounts of text, particularly combined with extreme numerical values for positioning (`-9999px`), near-zero values for size/opacity, or inclusion of irrelevant, fragmented text structures.
## Associated Threat Actors
Threat actors abusing spam/detection evasion techniques. (No specific named actor groups were attributed in this summary excerpt.)
## Detection Methods
- **Signature-based detection:** Relying on advanced filtering that can specifically look for known patterns of CSS abuse (e.g., specific property combinations used for hiding).
- **Behavioral detection:** Examining the visual characteristics of emails, rather than just text content, to identify anomalies related to hidden elements.
- **YARA rules:** Rules can be developed to flag specific combinations of obscure CSS properties used for obfuscation.
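The behavioral indicator above (large amounts of text hidden by extreme positioning, near-zero size or opacity) and the property list in the Functionality section can be turned into a concrete check. The following Python script is an added example, not code from the original report or from any vendor product: it parses the inline `style` attributes of a constructed sample email, classifies each text node as visible or hidden according to the properties the report names (`text-indent`, `font-size`, `color: transparent`, `opacity`, zero `height`/`max-height`/`max-width`, `mso-hide: all`), honours hidden ancestors, and flags the message when the hidden share of the text crosses a threshold. The thresholds, the sample message and the `analyze`/`SaltDetector` names are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Constructed HTML email body (not from a real campaign). It hides text with the
# properties the report lists, plus one text node inside a hidden parent.
SAMPLE_EMAIL = """<html><body>
<div style="opacity:0; max-height:0; mso-hide:all">Ihre Rechnung Frühling Wolke Garten</div>
<p>Your invoice is ready. Please review it at your convenience.</p>
<span style="font-size: 0px">Zufall Tisch Garten Wolke Fenster</span>
<p style="text-indent:-9999px">stray filler words salted into the body</p>
<p style="color: transparent">more hidden padding text</p>
<div style="opacity: 0"><b>nested salt</b></div>
</body></html>"""

# Thresholds are assumptions for this example, not figures from the report.
INDENT_LIMIT_PX = -1000    # an indent this far off-screen is never layout
FONT_SIZE_LIMIT_PX = 1.0   # text of 1px or less cannot be read
HIDDEN_RATIO_ALERT = 0.5   # alert when most of the text is hidden

def parse_declarations(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}, keys and values lowercased."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    return decls

def px_value(value):
    """Numeric part of '0', '-9999px' or '0.5'; None for keywords or other units."""
    m = re.fullmatch(r"(-?\d+(?:\.\d+)?)(px)?", value)
    return float(m.group(1)) if m else None

def concealment_reasons(decls):
    """Names of the report's hiding properties present in one declaration set."""
    reasons = []
    indent = px_value(decls.get("text-indent", ""))
    if indent is not None and indent <= INDENT_LIMIT_PX:
        reasons.append("text-indent")
    size = px_value(decls.get("font-size", ""))
    if size is not None and size <= FONT_SIZE_LIMIT_PX:
        reasons.append("font-size")
    if decls.get("color") == "transparent":
        reasons.append("color")
    for prop in ("opacity", "height", "max-height", "max-width"):
        if px_value(decls.get(prop, "")) == 0:
            reasons.append(prop)
    if decls.get("mso-hide") == "all":
        reasons.append("mso-hide")
    return reasons

class SaltDetector(HTMLParser):
    """Sorts text nodes into visible or hidden; a hidden ancestor hides its children."""
    VOID = {"br", "img", "hr", "meta", "link", "input"}

    def __init__(self):
        super().__init__()
        self.stack = []       # (tag, reasons) for each open element
        self.findings = []    # (tag, reasons, hidden text)
        self.hidden_chars = 0
        self.visible_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        style = dict(attrs).get("style") or ""
        self.stack.append((tag, concealment_reasons(parse_declarations(style))))

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        while self.stack and self.stack.pop()[0] != tag:
            pass                            # tolerate unclosed elements

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        reasons = sorted({r for _, rs in self.stack for r in rs})
        if reasons:
            self.hidden_chars += len(text)
            self.findings.append((self.stack[-1][0], reasons, text))
        else:
            self.visible_chars += len(text)

def analyze(html):
    """Hidden/visible character counts, hidden ratio, verdict and per-node findings."""
    parser = SaltDetector()
    parser.feed(html)
    parser.close()
    total = parser.hidden_chars + parser.visible_chars
    ratio = parser.hidden_chars / total if total else 0.0
    return {
        "hidden_chars": parser.hidden_chars,
        "visible_chars": parser.visible_chars,
        "hidden_ratio": round(ratio, 3),
        "suspicious": ratio >= HIDDEN_RATIO_ALERT,
        "findings": parser.findings,
    }
```

Running `analyze(SAMPLE_EMAIL)` reports five hidden text nodes against a single visible sentence, a hidden ratio of about 0.7, and the property that hid each node, which is the evidence a filter or YARA rule would key on. The detector reads only inline `style` attributes; a message whose hiding rules live in a top-level `<style>` block would first need those rules inlined, which is the same normalization the email privacy proxy under Mitigation Strategies performs.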
## Mitigation Strategies
- **Security:** Rely on advanced filtering mechanisms capable of detecting hidden text salting and content concealment by examining different parts of the email structure.
- **Privacy:** Utilize **email privacy proxies** that perform two key functions:
1. Converting top-level CSS rules into inline style attributes to confine styles.
2. Rewriting remote resources (like tracking pixels) into data URLs to prevent information exfiltration while maintaining email integrity.
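The two proxy functions above, written out as an added example (not code from the report or from any real proxy product): `inline_styles` moves every matching rule from a top-level `<style>` block onto the element's own `style` attribute and then removes the block, so no selector survives to be evaluated by the recipient's client; `rewrite_remote_resources` replaces each remote image source with a `data:` URL, so rendering the message triggers no request to the sender's server. The inbound message is constructed, the fetch is stubbed with a constructed transparent 1x1 GIF so the example runs offline, and selector matching is limited to tag, class and id selectors applied in source order (full cascade specificity is out of scope); all of these are assumptions of this example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed inbound message (not from a real campaign): a top-level stylesheet
# plus a remote 1x1 image of the kind used as a tracking pixel.
INBOUND = """<html><head><style>
p { color: #333333; }
.cta { font-weight: bold; }
#footer { font-size: 11px; }
</style></head><body>
<p class="cta" style="margin: 0">Action required</p>
<p id="footer">Sent by the example team</p>
<img src="https://tracker.example/pixel.gif?u=12345" width="1" height="1">
</body></html>"""

# A real proxy fetches the remote bytes itself so the recipient's client never
# contacts the tracker. To stay offline this example substitutes a constructed
# transparent 1x1 GIF for every fetch (assumption, not real fetching).
PLACEHOLDER_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

def fetch_resource(url):
    return "image/gif", PLACEHOLDER_GIF

def parse_rules(css):
    """'sel { decls }' blocks -> [(kind, name, normalized declarations)];
    kind is 'tag', 'class' or 'id'. Compound selectors are out of scope here."""
    rules = []
    for selectors, body in re.findall(r"([^{}]+)\{([^}]*)\}", css):
        body = "; ".join(d.strip() for d in body.split(";") if d.strip())
        for sel in (s.strip() for s in selectors.split(",")):
            if sel.startswith("."):
                rules.append(("class", sel[1:], body))
            elif sel.startswith("#"):
                rules.append(("id", sel[1:], body))
            elif sel:
                rules.append(("tag", sel.lower(), body))
    return rules

ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
TAG_RE = re.compile(r"<(\w+)([^>]*)>")

def inline_styles(html):
    """Step 1: confine styles by moving matching rules onto each element's
    style attribute (rules in source order, then the element's own inline
    declarations last) and dropping the <style> block."""
    rules = []
    for css in re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I):
        rules.extend(parse_rules(css))
    html = re.sub(r"<style[^>]*>.*?</style>", "", html, flags=re.S | re.I)

    def rewrite(m):
        tag, attr_text = m.group(1).lower(), m.group(2)
        attrs = dict(ATTR_RE.findall(attr_text))
        classes = set(attrs.get("class", "").split())
        matched = [body for kind, name, body in rules
                   if (kind == "tag" and name == tag)
                   or (kind == "class" and name in classes)
                   or (kind == "id" and name == attrs.get("id"))]
        if attrs.get("style"):
            matched.append(attrs["style"].strip().rstrip(";"))
        if matched:
            attrs["style"] = "; ".join(matched)
        rendered = " ".join(f'{k}="{v}"' for k, v in attrs.items())
        return f"<{tag}{' ' + rendered if rendered else ''}>"
    return TAG_RE.sub(rewrite, html)

SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")([^"]+)(")', re.I)

def is_remote(url):
    return urlparse(url).scheme.lower() in ("http", "https")

def rewrite_remote_resources(html):
    """Step 2: embed each remote image as a data: URL so the client makes no
    request to the sender when the message is opened."""
    def rewrite(m):
        url = m.group(2)
        if not is_remote(url):
            return m.group(0)            # cid:/data: references stay as they are
        mime, data = fetch_resource(url)
        return f"{m.group(1)}data:{mime};base64,{base64.b64encode(data).decode()}{m.group(3)}"
    return SRC_RE.sub(rewrite, html)

def proxy_rewrite(html):
    """Both proxy steps, in the order the report lists them."""
    return rewrite_remote_resources(inline_styles(html))
```

After `proxy_rewrite(INBOUND)` the message carries no `<style>` block and no `https://` reference: the first paragraph renders with `color: #333333; font-weight: bold; margin: 0`, the footer with `color: #333333; font-size: 11px`, and the pixel has become an inline `data:image/gif;base64,...` source. The visible result is the same for the recipient, which is the "maintaining email integrity" half of the requirement; the exfiltration half is satisfied because the only party that ever fetched the remote resource is the proxy.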
- **Defense Solution:** Employing AI-driven detection (Secure Email Threat Defense) using deep learning, machine learning, and NLP to identify harmful techniques and extract business context.
## Related Tools/Techniques
- Hidden Text Salting (previous report reference).
- HTML Smuggling.
- Tracking pixels (neutralized by the proxy rewriting described under Mitigation Strategies).