Mimecast has warned against yet another email security threat, which the vendor has dubbed as the ROPEMAKER. Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will.This could potentially be exposing hundreds of millions of desktop email client users to security risks.
What is ROPEMAKER? The ROPEMAKER acronym itself stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky. (Ropemaker Street in London “coincidently” also happens to be the street on which Mimecast has its European headquarters and where most of its threat research team is based.)
In a blog post, Matthew Gardiner, senior product marketing manager, Mimecast writes: "Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing."
Gardiner explains that the origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. "While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email."
To date, Mimecast has not seen ROPEMAKER being exploited in the wild. "We have, however, shown it to work on most popular email clients and online email services," Gardiner says.
Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit and also provide security recommendations to safeguard emails from this email exploit.