Mimecast has warned of yet another email security threat, dubbed ROPEMAKER by the firm’s research team.
Using this latest exploit, Mimecast claims that a malicious actor can change the displayed content in an email at will.
Matthew Gardiner, senior product marketing manager at Mimecast said in a blog post that, “Hackers could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.”
He added, “Most people live under the assumption that email is immutable once delivered, like a physical letter. This new email exploit turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing.”
Gardiner goes on to explain that the origin of ROPEMAKER lies at the intersection of email and web technologies – specifically Cascading Style Sheets (CSS) used with HTML.
To date, Mimecast has not seen ROPEMAKER exploited in the wild. “We have, however, shown it to work on most popular email clients and online email services,” said Gardiner. “Given that Mimecast currently serves more than 27,000 organisations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.”
Described in more detail in a recently published security advisory, Mimecast has been able to add a defence against this exploit for our customers and also provide security recommendations that can be considered non-customers to safeguard their email from this email exploit.