A common belief is that email is immutable once delivered, like a physical letter. But a new exploit turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing.
Mimecast has revealed the Ropemaker exploit, which a malicious actor can use to change the displayed content in an email at will.
For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.
Mimecast has added a defense against this exploit for our customers and also provides security recommendations that non-customers can consider to safeguard their email from it.
The origin of Ropemaker lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.
This remote-control ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users.
Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors.
To date, Mimecast has not seen Ropemaker exploited in the wild. However, it has been shown to work on most popular email clients and online email services.
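One defensive check that follows from the CSS origin described above, as an added example (not Mimecast's code): flag HTML message parts that load a stylesheet from a remote server, on the assumption that remotely hosted CSS is what keeps the displayed content changeable after delivery. The function and class names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Matches @import "https://..." and @import url(//...) inside a <style> block.
IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?[\"']?\s*((?:https?:)?//[^\"')\s;]+)", re.I)
REMOTE_RE = re.compile(r"(?:https?:)?//", re.I)

class RemoteCssFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.findings = []  # (kind, url) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self.in_style = True
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            href = a.get("href", "").strip()
            if REMOTE_RE.match(href):  # absolute or protocol-relative URL
                self.findings.append(("link", href))

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.findings += [("import", u) for u in IMPORT_RE.findall(data)]

def remote_stylesheets(raw_message):
    """Return (kind, url) for every remote stylesheet an HTML part references."""
    finder = RemoteCssFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return finder.findings

# Constructed sample message; the hosts are placeholders, not real indicators.
SAMPLE = (
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><head><link rel="stylesheet" href="https://css.example.test/a.css">\n'
    '<style>@import url("//css.example.test/b.css"); p {color: black}</style>\n'
    '</head><body><p style="color: red">Invoice attached.</p></body></html>\n'
)
```

Inline `style` attributes and `<style>` blocks without a remote `@import` are not reported, since their content travels inside the message itself.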