Email Inbox
Researchers discovered a new email threat called Ropemaker can insert malicious URLs after the email is received. 27707/Pixabay

A new type of attack targeting email inboxes could allow an attacker to turn a seemingly benign message into a malicious one after it has already reached a victim’s inbox, security researchers warned.

The attack, dubbed Ropemaker by the researchers at email and cloud security firm Mimecast, enables a threat actor to remotely change the content of an email after it has already been delivered to a user, presenting new challenges for users targeted by malicious attacks.

Improbably, Rope Keeper is an acronym that stands for for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky. Absurd as the full name may sound, the threat presented by the new style of attack is no joke.

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

Ropemaker makes use of two technologies that are fundamental parts of the way information is presented online: Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML). CSS is a language used to describe how a document written in a markup like HTML is intended to appear.

CSS also allows for the separation of how something is presented and the content that makes up that presentation—a partition that Ropemaker takes advantage of to manipulate what a user sees and interacts with when they open an email.

According to Mimecast, because CSS is stored remotely, an attacker can change aspects of a document’s layout without the recipient knowing about it. Because many email clients support CSS, it is possible for a threat actor to change the content of an email through remotely initiated changes made to the style sheet that is then retrieved and presented to the user.

The researchers at Mimecast presented two potential types of exploits that could utilize the CSS-based vulnerability and put users at risk when interacting with emails they believed to be safe or trustworthy.

The first is a “switch” attack, in which the threat actor changes an element of the email from trusted content to something more malicious. For example, the attacker could switch out a URL that originally directed the user to a legitimate website in favor of one that sends the user to a compromised site designed to harvest user credentials or steal other important information.

While some systems could catch the URL switch by preventing a user from leaving the page and opening up the malicious link, users who are unprotected or use systems that do not scan the URL could be left at risk.

The second style of attack is referred to as a Matrix Exploit, and is much harder to detect and therefore defend against. In a Matrix Exploit attack, a threat actor would write a wall of text in an email and control what is displayed using CSS. Each individual character can be controlled and modified remotely, allowing the attacker to change the presentation of the message on a whim—including adding malicious URLs into the body of the email.

Because the initial email received by the user doesn’t display a URL, most software systems won’t flag the message. Once the CSS is modified and the URL is triggered to display after delivery of the message has already been completed, most systems will be unable to detect the attack.

Mimecast warned Ropemaker could be used by threat actors to bypass most common security tools and fool even the most sophisticated users into interacting with a malicious URL. “Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited,” the researchers wrote.

Ropemaker has yet to be spotted in the wild, according to Mimecast—though that doesn’t mean such an attack can’t happen in the future or aren’t currently happening outside the scope of Mimecast’s nets.

In order to defend against such an attack, Ropemaker encouraged users to rely on web-based email clients such as Gmail, Outlook.com and icloud.com. Those web clients aren’t affected by Ropemaker-style CSS exploits, according to Mimecast. Clients like the desktop and mobile version of Microsoft Outlook, Apple Mail and Mozilla Thunderbird are all vulnerable.

Apple Mail users can minimize their risk by opening the Mail app, going to Preferences, selecting the Viewing menu and unchecking the box next to “Load remote content in messages.” It should be noted the fix works only on desktop and does not apply to the mobile client.