HTML Tag Obfuscation
21 July 2025
By Rikesh Vekaria and Mimecast Threat Research Team
- Threat actors utilizing HTML tag obfuscation to evade email security detection
- CSS styling techniques render malicious content evading security solutions while appearing legitimate to end users
- Brand impersonation campaigns leveraging Microsoft copyright obfuscation
Campaign Overview
The Mimecast Threat Research team has identified a sophisticated HTML obfuscation technique employed by threat actors to evade email security detection systems. This method leverages the legitimate HTML <bdo> (Bi-Directional Override) and <cite> tags in combination with CSS styling to hide malicious content within seemingly legitimate email communications. This obfuscation technique represents an evolution in email-based evasion methods, demonstrating threat actors' continued adaptation to security controls. By exploiting the legitimate functionality of HTML tags designed for text formatting and citation purposes, attackers can embed hidden content that bypasses traditional content-based detection while maintaining the visual appearance of legitimate communications.
Technical Analysis
BDO Tag Exploitation
The <bdo> tag is traditionally designed to control text direction in HTML documents, specifically handling right-to-left (RTL) and left-to-right (LTR) text formatting through the dir attribute. However, threat actors are exploiting this tag without proper directional values, instead using it as a container for obfuscated content.
Malicious Implementation:
In this example, the legitimate text "© 2025 Microsoft." is obfuscated by inserting random alphanumeric characters within BDO tags, breaking up the readable content while maintaining the overall structure.
CITE Tag Exploitation
The <cite> tag is intended to mark up the title of creative works and is typically displayed in italics by default. Threat actors are repurposing this tag to hide obfuscated content within legitimate-appearing text.
Malicious Implementation:
Similar to the BDO technique, this method fragments the "© 2025 Microsoft." text by inserting random characters within CITE tags, creating visual obfuscation while maintaining the underlying message structure.
CSS-Based Invisibility
The critical component of this obfuscation technique relies on CSS styling that renders the malicious content invisible to end users while preserving its presence in the HTML source code.
BDO Tag Styling:
CITE Tag Styling:
The font-size: 0 declaration ensures that regardless of the font family specified, the obfuscated text remains invisible when rendered by email clients. This technique effectively hides the malicious content from users while potentially evading security systems that analyze visible content.
Below is an example of a campaign using this technique, with the left side showing the raw HTML and the right-hand side showing the email as rendered in Outlook.
Evasion Methodology
This technique demonstrates several sophisticated evasion characteristics:
- Legitimate Tag Abuse: By using standard HTML tags for unintended purposes, the technique exploits the gap between tag functionality and security detection logic.
- CSS Manipulation: The combination of HTML structure with CSS styling creates a multi-layered obfuscation that separates content from presentation.
- Client-Side Rendering: The obfuscation becomes effective only when processed by email clients, making it difficult for security systems to analyze the final rendered output.
- Brand Impersonation: The technique specifically targets recognizable brand elements like Microsoft copyright notices, potentially lending credibility to malicious communications.
The evolution of HTML-based obfuscation techniques demonstrates the importance of maintaining advanced detection capabilities that can analyze both the technical structure and visual presentation of email content. Organizations should ensure their security controls can effectively identify and mitigate these sophisticated evasion methods.
Mimecast Protection
Mimecast has implemented advanced HTML analysis capabilities to detect CSS-based obfuscation techniques, including those utilizing BDO and CITE tags. Our detection systems analyze both the HTML structure and the CSS styling to identify content that may be hidden from users while remaining present in the source code.
Targets:
This technique has been observed across various industries and geographic regions, with particular focus on campaigns impersonating trusted technology brands and services.
Indicators of Compromise (IOCs)
HTML Patterns:
- Use of BDO tags without proper dir attributes
- CITE tags containing random alphanumeric characters
- CSS styling with font-size: 0 applied to BDO or CITE tags
- Fragmented brand names or copyright notices within these tags
CSS Indicators:
- font-size: 0 declarations targeting BDO or CITE elements
- Combination of font-family and font-style properties with zero font size
- Style declarations that render content invisible
Recommendations
Security Awareness:
- Educate users about the importance of verifying sender authenticity beyond visual appearance.
- Train security teams to recognize HTML obfuscation techniques in manual analysis.
- Implement reporting mechanisms for suspicious emails that appear legitimate but contain unusual formatting.
Proactive Threat Hunting:
- Search email logs for HTML content containing BDO or CITE tags with alphanumeric content.
- Monitor for CSS styling that sets font-size to 0 for specific HTML elements.
- Analyze emails containing fragmented brand names or copyright notices.
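The following is an added example written for this post, not Mimecast's detection code, that implements the hunting checks above and the CSS-based invisibility analysis from the Technical Analysis section: it reconstructs what the recipient sees versus what was hidden, and flags the listed IOCs. It assumes a constructed sample email modelled on the described technique and only matches plain type selectors (such as bdo or cite) in the stylesheet.

```python
import re
from html.parser import HTMLParser
# Constructed sample modelled on the technique described in the post (not a real campaign artefact):
# filler characters inside <bdo>/<cite> fragment the copyright line; a <style> rule hides those tags.
SAMPLE_EMAIL = """<html><head><style>
bdo { font-family: Arial; font-size: 0; }
cite { font-style: normal; font-size: 0; }
</style></head><body>
<p>&copy; 2<bdo>q7x</bdo>0<cite>zk</cite>25 Micr<bdo>m3</bdo>oso<cite>w9p</cite>ft.</p>
</body></html>"""
# A font-size of zero, with an optional unit or !important, but not e.g. 0.5em.
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)

class HiddenTextParser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.css, self.runs, self.findings = [], [], [], []  # runs: (text, element stack)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inline_hidden = bool(ZERO_FONT.search(attrs.get("style") or ""))
        if tag == "bdo" and (attrs.get("dir") or "").lower() not in ("ltr", "rtl"):
            self.findings.append("bdo without a valid dir attribute")
        if inline_hidden:
            self.findings.append(f"inline font-size:0 on <{tag}>")
        self.stack.append((tag, inline_hidden))
    def handle_endtag(self, tag):
        while self.stack and self.stack.pop()[0] != tag: pass  # also unwinds unclosed void tags
    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style": self.css.append(data)
        else: self.runs.append((data, list(self.stack)))

def css_hidden_selectors(css_text):
    """Element names that a plain type-selector rule hides with font-size: 0."""
    hidden = set()
    for selectors, body in re.findall(r"([^{}]+)\{([^}]*)\}", css_text):
        if ZERO_FONT.search(body):
            hidden.update(s.strip().lower() for s in selectors.split(","))
    return hidden

def analyse(html):
    """Return what the recipient sees, what was hidden from them, and the IOC findings."""
    p = HiddenTextParser(); p.feed(html); p.close()
    hidden_tags = css_hidden_selectors("".join(p.css))
    p.findings += [f"stylesheet rule hides <{t}> with font-size:0" for t in sorted(hidden_tags & {"bdo", "cite"})]
    visible, hidden = [], []
    for text, stack in p.runs:
        (hidden if any(t in hidden_tags or inl for t, inl in stack) else visible).append(text)
    visible_text, raw = "".join(visible).strip(), "".join(t for t, _ in p.runs).lower()
    if "microsoft" in visible_text.lower() and "microsoft" not in raw:
        p.findings.append("brand name readable only after hidden text is removed")
    return {"visible": visible_text, "hidden": "".join(hidden), "findings": sorted(set(p.findings))}
```

Running `analyse(SAMPLE_EMAIL)` shows the rendered text "© 2025 Microsoft." alongside the filler that a content scanner sees interleaved with it, which is why matching on the raw source alone misses the brand name.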