A new Email exploit has been discovered by security researchers at mimecast using which a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want.
Dubbed Ropemaker (stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) , it abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML).
This remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users.
Since CSS is stored remotely, researchers say an attacker can change the content of an email through remotely initiated changes made to the desired ‘style’ of the email that is then retrieved remotely and presented to the user, without the recipient knowing about it.
While some systems are designed to detect the URL switch preventing users from opening up the malicious link, other users could be left at a security risk.
In a Matrix Exploit attack, attackers would write a matrix of text in an email and then use the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want—including adding malicious URLs into the body of the email.
This attack is harder to defend against because the initial email received by the user does not display any URL, most software systems will not flag the message as malicious.
However, email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.