A new email attack scenario nicknamed ROPEMAKER allows a threat actor to change the content of emails received by targets via remote CSS files.
ROPEMAKER — which stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky — revolves around the idea that an attacker sends an email in HTML format to a victim, but instead of using inline or embedded CSS code to decorate the text, it uses a CSS file loaded from his server.
The purpose is to write and send an initially benign email, which the attacker modifies at a later date by altering the content of the CSS file hosted on his server.
The initial benign email passes local email security scanners installed on the target's network, but any changes to the email's content aren't picked up when they happen.
This is because email security systems don't re-scan emails delivered to users' inboxes, but only incoming emails at the time of their delivery.
Francisco Ribeiro, a security researcher with Mimecast and the one who discovered this theoretical attack, says he identified two methods of carrying out a ROPEMAKER attack.
The first method is named the ROPEMAKER Switch Exploit and relies on attackers switching the CSS "display" function of various elements.
For example, an attacker could send an email with two links, one good and one bad, and show only the good one. After the email's delivery, the attacker can modify the remote CSS file and enable the bad link while hiding the good one.
The second technique is called the ROPEMAKER Matrix Exploit and relies on embedding matrices of all ASCII characters for each letter inside the email.
Using CSS display rules, the attacker can turn the visibility of each letter on, one by one, and recreate the text he wants to appear in the email at any time he wishes.
Both attacks are invisible to email scanners, but the Matrix exploit produces very bulky emails, as attackers will need to embed an alpha-numeric matrix for each letter of their message, something that email security products could be configured to look for.
At the time of writing, Ribeiro says that Mimecast has not detected any attacks using the ROPEMAKER techniques, but because the exploit is currently invisible to all email security products, he doesn't rule out it being deployed in the wild.
While the attack looks scary, in reality, users have very little to fear. This is because most email clients are in the habit of stripping out header tags for emails in HTML format, including any tags calling for remote CSS files.
This practice of header stripping is why most tutorials for writing HTML emails encourage web developers to use only inline CSS and avoid embedded or remote CSS.
Mimecast, who tested ROPEMAKER against various email clients, says that browser-based email interfaces are not affected by the ROPEMAKER attack. Not surprisingly, these interfaces are known to strip header tags as a precautionary measure not to interfere with the page's normal headers.
Furthermore, as one Reddit user points out, "this attack as described would be extremely easy to filter," as sysadmins could just block the loading of remote CSS resources when requested by email clients.
All in all, ROPEMAKER is a clever attack technique but is not that useful in real-world scenarios.
More technical details about the ROPEMAKER attack are available in this report.