Ropemaker attack allows to transform email in malicious ones after it’s received

Pierluigi Paganini August 24, 2017

The Ropemaker attack allows hackers to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s inbox?

What about a technique that could allow an attacker to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s email inbox?
The technique exists and was dubbed Ropemaker (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), by Francisco Ribeiro, a security researcher at Mimecast that discovered it.
The attacker uses the Ropemaker attack to remotely modify the content of an email he sent after the email has already been delivered to the recipient. The attacker, for example, can change an embedded URL bypassing spam and security filters.
The Ropemaker attack abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML) that are fundamental parts of the way information is presented on the Internet.

“So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML.  While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email. ” explained Mimecast’s Senior Product Marketing Manager Matthew Gardiner.

The ROPEMAKER attack leveraged on the fact that CSS is stored remotely, so an attacker can change the content of an email through remotely changes to the desired ‘CSS ‘ used for the content of the email that is presented to the user.


The Ropemaker attack could be exploited in various ways, for instance, attackers could replace an URL that points to a legitimate website by a malicious one that redirects the user to a compromised site or to a phishing website.

Another attack scenario was dubbed by Mimecast “Matrix Exploit,” it sees attackers writing a matrix of text in an email and then use the remote CSS to selectively control what is displayed. With this trick, the attacker can display any text in the content of the email, including malicious URLs.

This form of ROPEMAKER attack is very harder to detect because the email received by the victim does not display any URL.

“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” reads the report on the ROPEMAKER attack. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”

Experts don’t exclude the attack is “being used somewhere outside the view of Mimecast.”
The Mimecast experts explained that web-based email clients like Gmail, iCloud and Outlook aren’t affected by Ropemaker-style CSS exploits, while email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ROPEMAKER attack, hacking)

[adrotate banner=”13″]

you might also like

leave a comment