A new email exploit, dubbed Ropemaker, allows a malicious actor to edit the content in an email—after it’s been delivered to the recipient and made it through the necessary filters.
For instance, an attacker could swap a benign URL with a malicious one in an email already delivered to an inbox, or edit any text in the body of an email whenever they want—all without direct access to that inbox.
First uncovered by Mimecast’s research team and authored by Francisco Ribeiro, a successful exploit could even undermine those that use S/MIME or PGP for digital signing.
“The origin of Ropemaker lies at the intersection of email and web technologies, more specifically Cascading Style Sheets (CSS) used with HTML,” explained Matthew Gardiner, a spokesperson at Mimecast, in a blog. “While the use of these web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.”
He added, “Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.”
Ribeiro told us via email that "This attack is not just about malware and malicious URLs but more about voiding non repudiation."
Brian Robison, senior director of security technology at Cylance, said that there are aspects of the threat that are not necessarily new, but should nonetheless be on the radar for any organization.
"This advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended,” he explained in via email. “Modern email applications render HTML as if it were a webpage using CSS to make the email ‘look’ nice. This is currently standard practice within every legitimate marketing organization in the world.”
He added, “Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank’s website; then the button is actually linked to different site entirely—like badbank dot com, or something where you are tricked into clicking on that link that and exposing your credentials on the fake banking site.”
The technique will work on most popular email clients and online email services, though webmail services are immune. Fortunately, Mimecast has yet to see Ropemaker exploited in the wild.