Ropemaker attack allows to transform email in malicious ones after it’s received

The Ropemaker attack allows hackers to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s inbox?

“So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML.  While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email. ” explained Mimecast’s Senior Product Marketing Manager Matthew Gardiner.

The ROPEMAKER attack leveraged on the fact that CSS is stored remotely, so an attacker can change the content of an email through remotely changes to the desired ‘CSS ‘ used for the content of the email that is presented to the user.

The Ropemaker attack could be exploited in various ways, for instance, attackers could replace an URL that points to a legitimate website by a malicious one that redirects the user to a compromised site or to a phishing website.

Another attack scenario was dubbed by Mimecast “Matrix Exploit,” it sees attackers writing a matrix of text in an email and then use the remote CSS to selectively control what is displayed. With this trick, the attacker can display any text in the content of the email, including malicious URLs.

This form of ROPEMAKER attack is very harder to detect because the email received by the victim does not display any URL.

“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” reads the report on the ROPEMAKER attack. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”