New Phishing Method: How Cybercriminals Use CSS to Bypass Spam Filters and Track Users

Recently, Cisco Talos experts identified a new phishing technique that uses CSS instead of traditional JavaScript. This method allows cybercriminals to bypass spam filters and track users without detection, making it harder for standard security systems to block.

How It Works

Cybercriminals embed specific CSS styles into HTML emails, which can:

  • Hide malicious content using properties like text-indent: -9999px, opacity: 0, and position: absolute with negative coordinates.
  • Track user behavior using @media queries, which detect changes in the window size or other interactions with the email.

When these changes occur (e.g., opening the email on a mobile device), the CSS code triggers hidden requests to the attacker’s server, sending data about the victim’s actions.

Example of a Tracker

Here’s an example of how this type of tracker is implemented in the code:


This code activates when the email is opened on a mobile device (where the screen width is less than 600px), and a hidden request is made to the attacker’s server. This can track actions like opening the email or interacting with its content.

Why It Works

Since this method is based purely on HTML and CSS, it does not rely on JavaScript, which makes it invisible to most security filters that block scripts. Spam filters typically don’t examine these types of styles in detail, allowing attackers to hide malicious code in ways that are not easily detected. The content can be hidden in multiple ways, such as:

  • Using font-size: 0 to make text invisible.
  • Using visibility: hidden to hide elements without removing them from the document flow.
  • Using clip-path to hide parts of elements while keeping the structure intact.

This method works completely without external scripts, making it much harder for traditional script-blocking tools to catch it.

How to Protect Yourself

1. Enhance Email Filtering and Analysis:

  • Implement advanced filters that analyze not only the visible content of emails but also the CSS styles and @media queries.

  • Update filters regularly based on new vulnerabilities to ensure protection against such attacks.

2. Block Suspicious Requests:

  • Block requests to suspicious domains, especially those not associated with trusted sources.

  • Track and prevent any background requests made by hidden elements in emails.

3. User Training:

  • Educate users on recognizing suspicious emails and avoiding clicking on links from unknown sources.

  • Make users aware that emails can contain hidden malicious elements, even if they look legitimate at first glance.
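
For step 1 above, a filter-side check might look like the following. This is an added example, not code from the article or from Cisco Talos: it scans an HTML email body for the concealment properties listed earlier and for @media blocks that load a remote url(). The function name, the regular expressions and the sample message (with a placeholder host) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Concealment heuristics for the properties the article names (not exhaustive).
END = r"(?=\s*(?:[;!}]|$))"
HIDING = {
    "text-indent": re.compile(r"text-indent\s*:\s*-\d{3,}", re.I),
    "opacity-zero": re.compile(r"opacity\s*:\s*0(?:\.0+)?" + END, re.I),
    "font-size-zero": re.compile(r"font-size\s*:\s*0(?:px|pt|em|rem|%)?" + END, re.I),
    "visibility-hidden": re.compile(r"visibility\s*:\s*hidden", re.I),
    "clip-path": re.compile(r"clip-path\s*:", re.I),
    "negative-offset": re.compile(r"\b(?:top|left|right|bottom)\s*:\s*-\d{3,}", re.I),
}
# An @media block (one level of nested rules) and remote url() references.
MEDIA = re.compile(r"@media([^{]*)\{((?:[^{}]|\{[^{}]*\})*)\}", re.I)
REMOTE_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.I)

class StyleCollector(HTMLParser):
    """Collects CSS text from <style> elements and inline style attributes."""
    def __init__(self):
        super().__init__()
        self.in_style, self.sheets, self.inline = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self.inline += [v for k, v in attrs if k == "style" and v]
    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
    def handle_data(self, data):
        if self.in_style:
            self.sheets.append(data)

def scan_email_html(html):
    """Return sorted (kind, detail) findings for one HTML email body."""
    collector = StyleCollector()
    collector.feed(html)
    css, findings = "\n".join(collector.sheets), set()
    for text in [css] + collector.inline:
        findings.update(("hidden-content", n) for n, p in HIDING.items() if p.search(text))
    for media in MEDIA.finditer(css):
        query = " ".join(media.group(1).split())
        findings.update(("media-beacon", f"{query} -> {u}") for u in REMOTE_URL.findall(media.group(2)))
    return sorted(findings)

# Constructed sample message; the host is a placeholder, not from the article.
SAMPLE = """<style>.pre { font-size: 0; opacity: 0 }
@media screen and (max-width: 600px) { .m { background: url('https://tracker.example.invalid/o?d=m'); } }
</style><div style="text-indent: -9999px">filler text</div>
<p style="opacity: 0.9; font-size: 14px">Visible paragraph</p>"""
if __name__ == "__main__":
    print(scan_email_html(SAMPLE))
```

Findings of this kind are signals to weigh alongside other indicators, since legitimate responsive newsletters also use @media rules and hidden preheader text.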

Why This Is a Threat

Although this phishing method has not yet become widespread, it presents a powerful and flexible tool that can bypass current defenses. It can be especially dangerous for corporate environments, where script-blocking protections are often in place, but hidden threats like this are harder to detect. In the future, this technique could become more common if not addressed.

Impact on Security

To defend against these threats, organizations need to take a multi-layered approach to security. At Hyand Group, we continuously monitor new threats and adopt cutting-edge solutions to minimize risks for our users and clients. By staying ahead of emerging threats, we can better protect against potential attacks like these.

As this method is still emerging, it is crucial to be prepared for its potential widespread use.

