Our HR software company sent us two seemingly identical emails two minutes apart, but the first one appears to have been altered. Both are from the same person, passed SPF/DKIM/DMARC, and were sent from a Salesforce IP address with similar Salesforce X-Headers for things like USER and ENTITY ID.
But one has a huge amount of code stuffed into the html style tag. I'm not posting the actual code or using actual domains here.
At the beginning of the email's html is the normal css style open tag followed by:
- [data-testid="prism-taboola"], .ninja-recommend-block,
- amp-embed[type="taboola"]
- a list of #counters
- 1000s of hashtags like #BestSponsoredLinks (not a real one)
- 1000s of [dot] something like .scrollmy-ads, (again, fake to be cautious)
- stuff like .banner_ads:not(.textads)
- { display: none !important; } peppered in
Then literally thousands of links like:
- a[href ^=html:/myfakedomain.xx] (I malformed this on purpose, but I think you'll get the idea)
A disproportionate number of them are to sex sites, gold sellers, survivalist supply companies.
All I can think of is that there's some code I'm not seeing to show popups to the various links, or it has something to do with trying to up these sites' ranking in Google.
Has anyone seen this? I couldn't find anything specific to hiding this in the style tag or in an email.
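One way to triage the two copies, added here as an example that is not part of the original post: pull the `<style>` content out of each message body and count the selector patterns described above, so the altered copy can be compared against the clean one. The function names, the size ratio and the sample HTML (with `.example` domains) are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class StyleExtractor(HTMLParser):
    """Collect the text inside every <style> element of an HTML body."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def style_profile(html):
    """Summarise the CSS of one message so two copies can be compared."""
    parser = StyleExtractor()
    parser.feed(html)
    parser.close()
    css = "".join(parser.css)
    # Replace declaration blocks with commas, then split into selectors.
    parts = re.sub(r"\{[^}]*\}", ",", css).split(",")
    selectors = [s.strip() for s in parts if s.strip()]
    return {
        "css_bytes": len(css),
        "selectors": len(selectors),
        "href_selectors": sum(1 for s in selectors if re.match(r"a\[href\s*[\^*$]?=", s)),
        "hide_rules": len(re.findall(r"display\s*:\s*none\s*!important", css, re.I)),
    }

def is_anomalous(profile, baseline, ratio=10):
    """Flag a copy whose style block dwarfs the clean copy's (ratio is assumed)."""
    return profile["href_selectors"] > 0 and profile["css_bytes"] > ratio * max(baseline["css_bytes"], 1)

# Constructed sample bodies standing in for the two emails.
CLEAN = "<html><head><style>body { font-family: Arial; }</style></head><body>Hi</body></html>"
ALTERED = (
    '<html><head><style>[data-testid="prism-taboola"], .ninja-recommend-block, '
    'amp-embed[type="taboola"], .banner_ads:not(.textads) { display: none !important; } '
    + ", ".join(f'a[href^="http://site{i}.example/"]' for i in range(500))
    + " { display: none !important; }</style></head><body>Hi</body></html>"
)
```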
Post Details
- Posted
- 6 months ago
- External URL
- reddit.com/r/sysadmin/co...