Brussels / 31 January & 1 February 2026


Cascading Spy Sheets: The Privacy & Security Implications of CSS in Emails

Cascading Style Sheets (CSS) enable visual customization of HTML emails. However, this flexibility comes at a cost: in this talk, we reveal how CSS creates serious privacy and security vulnerabilities. We demonstrate that CSS facilitates fingerprinting and tracking in HTML emails, even undermining the privacy protections offered by email clients that use proxy services to access remote resources. These tracking capabilities enable targeted phishing and spam campaigns.

More critically, we present a novel scriptless attack that exploits container queries, lazy-loading fonts, and adaptive ligatures to exfiltrate arbitrary plaintext from PGP-encrypted emails. The attack targets mixed-context scenarios—cases where email clients render both trusted (encrypted) and untrusted (attacker-controlled) HTML content within the same message view. We successfully demonstrate end-to-end exfiltration of PGP-encrypted text from Thunderbird, along with two other major email clients that permit such content mixing.

These findings expose fundamental gaps in current isolation mechanisms, demonstrating that post-Efail mitigations remain insufficient against CSS-based attacks.
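The abstract names the CSS features the attack chain relies on (container queries, remotely loaded fonts, ligature controls, and media queries usable for fingerprinting). The following is an added example, not code from the talk or its authors, showing what a receiving mail client or gateway can do defensively before rendering: collect every `<style>` block and inline `style=` attribute from an HTML email, flag those constructs, and strip the at-rules, remote `url()` references and ligature declarations so the remaining CSS is layout-only. The sample email, the `tracking.example` hostname and the rule list are constructed for this demonstration; the regexes are heuristics over raw CSS text rather than a full CSS parser, so a production client should run this in addition to, not instead of, blocking remote loads and refusing to render mixed encrypted and unencrypted content in one view.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one benign rule plus the CSS constructs the talk describes.
# The hostname and payload are placeholders, not a real tracking endpoint.
SAMPLE_EMAIL = """<html><head><style>
  .header { color: #333; font-family: Arial, sans-serif; }
  @font-face { font-family: "Probe"; src: url(https://tracking.example/f.woff2); }
  @container (min-width: 400px) { .x { font-family: "Probe"; } }
  .body { font-variant-ligatures: discretionary-ligatures; }
  @media (prefers-color-scheme: dark) { body { background: #000; } }
</style></head>
<body><div class="header" style="background: url(//tracking.example/px.gif)">Hi</div></body></html>"""

# (finding kind, pattern, why it matters to a defender)
RISKY_RULES = [
    ("container-query", re.compile(r"@container\b", re.I),
     "rule fires depending on rendered layout, i.e. on the content around it"),
    ("remote-font", re.compile(r"@font-face[^}]*url\(", re.I | re.S),
     "font fetch can be made conditional, turning a load into a signal"),
    ("remote-url", re.compile(r"url\(\s*['\"]?(?:https?:)?//", re.I),
     "any remote resource load leaks that the rule was applied"),
    ("ligature-control", re.compile(r"font-(?:variant-ligatures|feature-settings)\s*:", re.I),
     "ligature substitution lets glyph shaping depend on text content"),
    ("media-fingerprint",
     re.compile(r"@media[^{]*\((?:min-|max-)?(?:width|height|resolution|prefers-[a-z-]+|hover|pointer)", re.I),
     "media features reveal client, device and user-preference details"),
]


class _CssCollector(HTMLParser):
    """Gather <style> contents and inline style attributes with their origin."""

    def __init__(self):
        super().__init__()
        self.in_style = False
        self.blocks = []  # list of (origin, css_text)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        for name, value in attrs:
            if name == "style" and value:
                self.blocks.append((f"inline:{tag}", value))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.blocks.append(("style-element", data))


def audit_email_css(html):
    """Return a list of findings for every risky CSS construct in the email."""
    collector = _CssCollector()
    collector.feed(html)
    findings = []
    for origin, css in collector.blocks:
        for kind, pattern, why in RISKY_RULES:
            for match in pattern.finditer(css):
                snippet = css[match.start():match.start() + 40].strip()
                findings.append({"kind": kind, "origin": origin, "snippet": snippet, "why": why})
    return findings


_AT_RULE_NAME = re.compile(r"@([a-zA-Z-]+)")


def remove_at_rules(css, names=("container", "font-face", "media", "import")):
    """Drop whole at-rules (statement or balanced block form) by name."""
    out, i, n = [], 0, len(css)
    while i < n:
        if css[i] == "@":
            m = _AT_RULE_NAME.match(css, i)
            if m and m.group(1).lower() in names:
                j, depth = m.end(), 0
                while j < n:  # skip to the terminating ';' or the matching '}'
                    c = css[j]
                    if c == "{":
                        depth += 1
                    elif c == "}":
                        depth -= 1
                        if depth == 0:
                            j += 1
                            break
                    elif c == ";" and depth == 0:
                        j += 1
                        break
                    j += 1
                i = j
                continue
        out.append(css[i])
        i += 1
    return "".join(out)


def sanitize_css(css):
    """Mitigation: keep plain layout rules, remove the constructs flagged above."""
    css = remove_at_rules(css)
    css = re.sub(r"url\(\s*['\"]?(?:https?:)?//[^)]*\)", "none", css, flags=re.I)
    css = re.sub(r"font-(?:variant-ligatures|feature-settings)\s*:[^;}]*;?", "", css, flags=re.I)
    return css


if __name__ == "__main__":
    for f in audit_email_css(SAMPLE_EMAIL):
        print(f"{f['kind']:18} {f['origin']:14} {f['snippet']!r}")
    collector = _CssCollector()
    collector.feed(SAMPLE_EMAIL)
    print(sanitize_css(collector.blocks[0][1]))
```

`audit_email_css` is the detection side (log or quarantine the message, or fall back to plain-text rendering); `sanitize_css` is the rendering side, applied to each collected block before the client hands the CSS to its engine. Reassembling the sanitized CSS into the HTML is left to the client's own DOM handling.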

Speakers

Leon Trampert
Daniel Weber