A new email exploit called ROPEMAKER can result in a malicious actor changing the content of an email already in your in-box says Matthew Gardiner, Senior Product Marketing Manager, Mimecast.
Most people live under the assumption that email is immutable once delivered, like a physical letter. But a new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing.
Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.
Described in more detail in a recently published security advisory, Mimecast has been able to add a defence against this exploit for its customers and also provide security recommendations that can be considered by non-customers to safeguard their email from this email exploit.
So what is ROPEMAKER?
The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.
Clearly, giving attackers remote control over any aspect of ones’ applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.