A new email exploit, called Ropemaker has been discovered by security researchers at email and cloud security firm Mimecast, the exploit enables an attacker to modify the content in an email—after it’s been sent to the recipient and made it through the necessary filters.
According to researchers:
“The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.”
Ropemaker stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky, the idea of the exploit is that an attacker sends an email in HTML format to a victim, but rather than using inline CSS (cascading style sheets) code to format and color the text, it uses a CSS file loaded from his server.
Since CSS is stored on a remote server, the attacker can modify the file at a later date by changing the content of the CSS file hosted on his server.
“this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.”