Email is still a widely used communication medium, particularly in professional contexts. Standards such as OpenPGP and S/MIME offer encryption while maintaining compatibility with existing infrastructure. Within the end-to-end encryption threat model, email servers are untrusted, which creates opportunities for attackers to inject malicious HTML or CSS into encrypted emails, either live during email transport or by re-sending leaked emails. In this paper, we show that isolation mechanisms in widely used email client software remain inadequate. We present a novel scriptless attack that extracts arbitrary plaintext from encrypted emails using only CSS without requiring JavaScript. Once the email is opened, three benign-looking CSS features — container queries, lazy-loaded web fonts, and contextual font ligatures — map each character of the ciphertext-carried plaintext to a unique network request to the attacker's server. This attack technique can incrementally reconstruct the entire plaintext in a single rendering pass, with no JavaScript, no visual artifacts, and, depending on the configuration, even without any user interaction. The technique differs considerably from prior work: it achieves complete plaintext recovery without script execution, evades state-of-the-art sanitizers such as DOMPurify, and succeeds across multiple browser engines. We demonstrate the severity of this threat on Mozilla Thunderbird and KMail, with end-to-end attacks successfully exfiltrating PGP-encrypted text from an email rendered in the latest version of the respective clients. Furthermore, we show that our technique affects code integrity tools and sanitization techniques reused in software stacks, including Meta's Code Verify. Our findings led to practical mitigations in Thunderbird, as well as a revision of Meta's threat model to include CSS. These results underline the need for robust content isolation in email client software and challenge the assumption that existing mitigations fully prevent encrypted content leakage.
ACM Conference on Computer and Communications Security (CCS)
2025-11-19
2025-12-16
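A defender-side triage check for the CSS features named in the abstract above, as an added example that is not code from the paper or from any of the clients it tests: it scans the HTML body of an already-decrypted message for container queries, `@font-face` rules, ligature controls and remote `url()` references. The sample message, the `collector.example` host, the function names and the hold policy are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: HTML body of a decrypted message (not from the paper).
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: probe; src: url(https://collector.example/f.woff2); }
@container box (min-width: 120px) { .x { background: url("//collector.example/a") } }
p { font-variant-ligatures: contextual; }
</style></head><body><p style="font-family: probe">secret text</p>
<div style="background:url(cid:logo123)">signature</div></body></html>"""

# Literal-text patterns for the CSS features the abstract names, plus remote loads.
CHECKS = {
    "container-query": re.compile(r"@container\b|container-(?:type|name)\s*:", re.I),
    "font-face": re.compile(r"@font-face\b", re.I),
    "ligature-control": re.compile(r"font-(?:variant-ligatures|feature-settings)\s*:", re.I),
    "remote-url": re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//[^)'\"\s]+", re.I),
}

class StyleCollector(HTMLParser):
    """Collects CSS text from <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.css, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        self.css += [v for k, v in attrs if k == "style" and v]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)

def audit_css(html):
    """Return {finding: [matched snippets]} for the CSS in an HTML mail body."""
    collector = StyleCollector()
    collector.feed(html)
    collector.close()
    css = re.sub(r"/\*.*?\*/", " ", "\n".join(collector.css), flags=re.S)
    hits = {name: [m.group(0) for m in rx.finditer(css)] for name, rx in CHECKS.items()}
    return {name: found for name, found in hits.items() if found}

def should_hold(html):
    """Assumed policy: CSS in decrypted mail must not reference remote URLs."""
    return "remote-url" in audit_css(html)
```

Matching is on literal CSS text, so a clean result is triage only. Because the attack described depends on network requests, refusing remote loads when rendering decrypted content is the stronger control.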