Unseen but Not Unheard: Exposing the Cases of CSS Abuse in Email Threats and Fortifying Defenses
OVERVIEW
Threat actors are constantly exploring innovative methods to exploit benign technologies and applications in their attacks. One such example is using Living-Off-the-Land Binaries (LOLBins) to deliver malware. Another is exploiting the features of JavaScript to deliver malware to victims’ devices. Cisco Talos has observed an increase in the number of email threats that exploit the properties of HTML and CSS to insert text into parts of a message that are not visible to the recipient. This technique is often referred to as hidden text salting (or poisoning). We have also seen cases of CSS abuse to track users and fingerprint their systems.
This talk will cover a wide range of examples of CSS abuse in email threats. In particular, we will discuss and demonstrate various techniques we’ve identified in the wild that threat actors have used to conceal content in emails. We will address a number of challenges that this technique may pose to conventional and advanced ML-based defensive solutions. Additionally, we will introduce a novel approach to detecting hidden text salting by leveraging the capabilities of Large Language Models (LLMs). These models show promise in improving the accuracy and reliability of email threat detection, paving the way for stronger cybersecurity defense solutions.
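To make the detection side of hidden text salting concrete, the following script is an added example and is not Cisco Talos code or anything presented in the talk. It walks an HTML email body with the standard-library parser, attributes every run of text to the inline CSS rule that hides it (display:none, visibility:hidden, zero font size, zero opacity, off-screen positioning, zero-size boxes, the hidden attribute), and reports how much of the body the recipient never sees. The indicator list, the thresholds and the sample message are all constructed assumptions; the script only inspects inline style attributes, not class rules in a stylesheet block.

```python
"""Flag hidden-text-salting candidates in an HTML email body.

Added example, not Cisco Talos code. Standard library only. Looks at inline
style attributes (not <style> sheets); the indicator list below is an
assumption about common hiding tricks, not an exhaustive catalogue.
"""
import re
from html.parser import HTMLParser

# Inline CSS fragments that normally make text invisible in a mail client.
# Assumed indicator list; extend it from your own corpus.
HIDDEN_STYLE_PATTERNS = {
    "display:none": re.compile(r"display\s*:\s*none"),
    "visibility:hidden": re.compile(r"visibility\s*:\s*hidden"),
    "font-size:0": re.compile(r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!important|$)"),
    "opacity:0": re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|!important|$)"),
    "off-screen": re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}"),
    "zero-box": re.compile(r"(?:width|height|max-height)\s*:\s*0(?:px)?\s*(?:;|!important|$)"),
}
# Elements that never get a closing tag; they must not stay on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}
# Elements whose text is not body content at all.
NON_BODY_TAGS = {"style", "script", "head", "title"}


class SaltingScanner(HTMLParser):
    """Collect visible and hidden text, naming the CSS rule that hides each hidden run."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []   # (tag, frozenset of hiding reasons) for every open element
        self.visible = []
        self.hidden = []  # (reasons, text)

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        reasons = {name for name, pat in HIDDEN_STYLE_PATTERNS.items() if pat.search(style)}
        if "hidden" in attrs:
            reasons.add("hidden-attribute")
        if tag in NON_BODY_TAGS:
            reasons.add("non-body")
        self.stack.append((tag, frozenset(reasons)))

    def handle_endtag(self, tag):
        # Email HTML is often unclosed; pop back to the matching opener if one exists.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        # Hiding is inherited: any hidden ancestor hides this text run.
        reasons = set().union(*(r for _, r in self.stack))
        if "non-body" in reasons:
            return
        if reasons:
            self.hidden.append((", ".join(sorted(reasons)), text))
        else:
            self.visible.append(text)


def scan_email_html(html):
    """Return the hidden fragments plus the share of body text the recipient never sees."""
    scanner = SaltingScanner()
    scanner.feed(html)
    scanner.close()
    hidden_chars = sum(len(t) for _, t in scanner.hidden)
    visible_chars = sum(len(t) for t in scanner.visible)
    total = hidden_chars + visible_chars
    return {
        "visible_text": " ".join(scanner.visible),
        "hidden_fragments": scanner.hidden,
        "hidden_ratio": hidden_chars / total if total else 0.0,
    }


# Constructed sample message for the demo; not a real phishing email.
SAMPLE_EMAIL = """\
<html><body>
<p>Your account needs <span style="font-size:0px">lorem</span>verification.</p>
<div style="display:none">ipsum dolor sit amet consectetur</div>
<p style="visibility:hidden;">quarterly newsletter archive footer</p>
<span style="position:absolute; left:-9999px">adipiscing elit</span>
<p>Click the link to continue.</p>
</body></html>
"""

if __name__ == "__main__":
    report = scan_email_html(SAMPLE_EMAIL)
    print("visible:", report["visible_text"])
    for reasons, text in report["hidden_fragments"]:
        print(f"hidden [{reasons}]: {text}")
    print(f"hidden share of body text: {report['hidden_ratio']:.0%}")
```

On the constructed sample the scanner reports four hidden runs and a hidden share of 60%, and it shows why a bag-of-words classifier that reads the raw HTML sees "lorem" spliced into "needs verification" while the recipient does not. Colour-on-colour hiding (text set to the background colour) is deliberately left out, because judging it reliably needs the rendered background of each element rather than a regex over one attribute.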