Exploring Content Concealment in Email

Lucas Betts, Robert Biddle, Danielle Lottridge, Giovanni Russello

TL;DR

This study focuses on how attackers exploit HTML and CSS in emails to conceal arbitrary content, allowing for multiple permutations of a malicious email, some of which may evade detection by email filters.

Abstract

The never-ending barrage of malicious emails, such as spam and phishing, is of constant concern for users, who rely on countermeasures such as email filters to keep the intended recipient safe. Modern email filters, one of our few defence mechanisms against malicious emails, are often circumvented by sophisticated attackers. This study focuses on how attackers exploit HTML and CSS in emails to conceal arbitrary content, allowing for multiple permutations of a malicious email, some of which may evade detection by email filters. This concealed content remains undetected by the recipient, presenting a serious security risk. Our research involved developing and applying an email sampling and analysis procedure to a large-scale dataset of unsolicited emails. We then identify the sub-types of concealment attackers use to conceal content and the HTML and CSS tricks employed.

Paper Structure

This paper contains 20 sections, 8 figures, 5 tables.

Figures (8)

  • Figure 1: Sankey diagram highlighting the quantities of emails filtered out during each preprocessing stage of the methodology.
  • Figure 2: Grouped bar chart showing the number of emails where content concealment was detected by Jaccard index in our sample.
  • Figure 3: Stacked histogram showing the number of emails where content concealment was detected by year in our sample.
  • Figure 4: Grouped bar chart showing the number of emails where content concealment was detected by HTML Length in our sample.
  • Figure 5: Venn diagram illustrating the distribution of content concealment sub-types used per email. The diagram shows the overlap between the three main sub-types. The value in each region represents the number of emails that use each concealment sub-type or combination of sub-types.
  • ...and 3 more figures