Styled to Steal: The Overlooked Attack Surface in Email Clients
Leon Trampert, Daniel Weber, Christian Rossow, Michael Schwarz
CCS, Taipei, Taiwan, October 13-17, 2025
Email is still a widely used communication medium, particularly in professional contexts. Standards such as OpenPGP and S/MIME offer encryption while maintaining compatibility with existing infrastructure. Within the end-to-end encryption threat model, email servers are untrusted, which creates opportunities for attackers to inject malicious HTML or CSS into encrypted emails. Although the 2018 Efail attack led to substantial mitigations against direct content exfiltration in such mixed-context scenarios, it remains unclear whether these measures in email clients sufficiently protect encrypted content from more subtle, software-level rendering attacks. In this paper, we show that isolation mechanisms in widely used email client software remain inadequate. We present a novel scriptless attack that extracts arbitrary plaintext from encrypted emails using only CSS without requiring JavaScript. Our approach leverages container queries, lazy-loading fonts, and adaptive font ligatures to leak sensitive information without visual clues for the victim. We can incrementally extract unknown textual data from mixed-context emails. This approach undermines the security of email encryption by enabling text exfiltration from encrypted emails in a single shot. We demonstrate the severity of this threat through an end-to-end attack, successfully exfiltrating PGP-encrypted text from an email rendered in the latest version of Mozilla Thunderbird. Furthermore, we show that our technique affects code integrity tools and sanitization techniques reused in software stacks, including Meta's Code Verify. Our findings led to practical mitigations in Thunderbird, as well as a revision of Meta's threat model to include CSS. These results underline the need for robust content isolation in email client software and challenge the assumption that existing mitigations fully prevent encrypted content leakage.
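A defensive triage check for the mixed-context condition described above, as an added example that is not from the paper: it walks a message's cleartext MIME parts and reports when PGP ciphertext arrives alongside HTML whose CSS uses container queries, `@font-face`, or remote `url()` loads. The signal list, the names `StyleCollector` and `scan_message`, and the sample message are assumptions constructed here.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Heuristic signals (assumption): CSS features the abstract names, plus remote url() loads.
CSS_SIGNALS = {
    "container-query": re.compile(r"@container\b", re.I),
    "font-face": re.compile(r"@font-face\b", re.I),
    "remote-url": re.compile(r"url\(\s*['\"]?(?:https?:)?//", re.I),
}

class StyleCollector(HTMLParser):
    """Collects CSS from <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.css, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        self.css += [v for k, v in attrs if k == "style" and v]
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def scan_message(raw):
    """Return (mixed_context, signals): True when ciphertext and flagged CSS share a message."""
    encrypted, signals = False, set()
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if part.is_multipart():
            encrypted |= ctype == "multipart/encrypted"
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        encrypted |= "-----BEGIN PGP MESSAGE-----" in body
        if ctype == "text/html":
            collector = StyleCollector()
            collector.feed(body)
            css = "\n".join(collector.css)
            signals |= {n for n, rx in CSS_SIGNALS.items() if rx.search(css)}
    return encrypted and bool(signals), sorted(signals)

# Constructed sample: a styled HTML part beside an armored PGP part (placeholder body).
SAMPLE = (
    'Content-Type: multipart/mixed; boundary="b"\n\n--b\nContent-Type: text/html\n\n'
    "<style>@font-face{font-family:f;src:url(https://fonts.example.invalid/f.woff2)}"
    "@container (min-width:10px){p{color:red}}</style><p>hi</p>\n"
    "--b\nContent-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n(placeholder)\n--b--\n"
)
print(scan_message(SAMPLE))
```

The check only sees cleartext parts, so it is a triage signal for mail gateways or incident review, not a substitute for content isolation in the client.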