This is due to something I call #KoboldLetters. By cleverly (mis)using CSS, attackers can display completely different emails to different recipients.
The problems with HTML and CSS in emails have been known for a long time, but the security implications have usually been underestimated or actively downplayed. That's why I wrote an article explaining how HTML emails can be used to deceive recipients into becoming part of an sophisticated #phishing attack.
https://lutrasecurity.com/en/articles/kobold-letters/
Konstantin Weddige /
npub19k…auefl
2024-03-31 12:56:55
in reply to nevent1q…msv0
Author Public Key
npub19kp3zajtv9l3e7n5hdkzw8v7j9u973w4ejx3w2ewa3kqzpdvz2zsjaueflPublished at
2024-03-31 12:56:55Event JSON
{
"id": "34765fc4a93814a36225440aff865ee673bfba4e5e73e9623e007513184861e6",
"pubkey": "2d8311764b617f1cfa74bb6c271d9e91785f45d5cc8d172b2eec6c0105ac1285",
"created_at": 1711889815,
"kind": 1,
"tags": [
[
"e",
"937afec3fe47c3cfbd7b430697219574d8d5648ede574cb880f4fbd3ec211871",
"",
"root"
],
[
"p",
"2d8311764b617f1cfa74bb6c271d9e91785f45d5cc8d172b2eec6c0105ac1285"
],
[
"t",
"phishing"
],
[
"e",
"cb71c878e5c5660e397dad54b68d1f4b6ab6121f6ad72fcf5090d2ae6a7445ce",
"",
"reply"
],
[
"t",
"koboldletters"
],
[
"proxy",
"https://gruene.social/users/weddige/statuses/112190410951586251",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://gruene.social/users/weddige/statuses/112190410951586251",
"pink.momostr"
]
],
"content": "This is due to something I call #KoboldLetters. By cleverly (mis)using CSS, attackers can display completely different emails to different recipients.\n\nThe problems with HTML and CSS in emails have been known for a long time, but the security implications have usually been underestimated or actively downplayed. That's why I wrote an article explaining how HTML emails can be used to deceive recipients into becoming part of an sophisticated #phishing attack.\n\nhttps://lutrasecurity.com/en/articles/kobold-letters/",
"sig": "b45ac7d2e7b65a4f1a409818dee8e4a71eee70447d8425d9694388a645696f252479a6c5ba126f05c4be7e73276d79cdd564538bf88baa2fff8adf3be7226114"
}