ROPEMAKER: Exploit CSS to weaponize email, post-delivery!


What if I told you that your email is not immutable once delivered? What if I told you that non-repudiation of email is a thing of the past? What if I told you that the same applies if you are, quite sensibly, using SMIME or PGP for signing purposes? What if I told you your email could be weaponized post-delivery? Mimecast told us all of that, and more. Courtesy of the ROPEMAKER exploit, email could quite literally never be the same again.

ROPEMAKER, or Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky to give it the full, and somewhat cheesy, label was disclosed publicly by Mimecast last month. The implications could be huge, if it ever gets seen in the wild. Luckily, as I write, Mimecast indicates that isn’t the case yet. So why is ROPEMAKER such a potential game changer and how does it work?

What if I told you your email could be weaponized post-delivery?

Imagine that you receive a completely benign HTML formatted email. Your security checks ignore it as it’s completely benign; no links to anything dodgy, no nasty attachments, just harmless Cascading Style Sheets (CSS) code. Except the CSS code isn’t harmless, and the email can become weaponized remotely with no direct access to your inbox required. Weaponized how, you say? Well a benign URL within the email could be swapped out for a malicious one for a start. Or plain text in the message body morphed into a malicious URL instead. Or the content of the email edited at the whim of the attacker. ROPEMAKER, quite simply, brings the ability for a threat actor to remotely change the content of email after it has been delivered.

So how does ROPEMAKER achieve this then? Surprisingly simply, is the answer. As mentioned, it comes back to that CSS markup code used to visually enhance HTML format emails. Much loved for introducing a certain dynamism into the email medium, threat actors are able to turn CSS into a fully exploitable email-based attack vector.

CSS separates presentation from content, and if the email client supports it (and most do) the CSS file can be accessed remotely across the Internet from a threat actors’ server rather than locally within the markup language file. That’s the important part, it’s a pretty obvious security issue when CSS can control both email style and content from a remote and untrusted zone. All it takes is for the mail client to support the automatic connection to remote CSS in order to apply the correct style to the message.

turns CSS into a fully exploitable email-based attack vector

At the simplest level, the Mimecast security advisory details a ‘switch’ attack that actually sends both a safe and a malicious URL in the email text. The remote CSS call then determines which should be displayed, switching the good to the bad. This might catch some folk out, but decent security measures in the enterprise should be able to rewrite and inspect URLs on-click as it were. As Mimecast states “both the good and bad URL would be inspected before being resolved on-click.”

Potentially more successful attacks could still be carried out using ROPEMAKER. Attacks such as the Matrix Exploit which involves an ASCII text matrix in the delivered email, with the remote CSS determining on a character-by-character basis what gets displayed. A totally blank message body could become a phishing attempt at the click of a remote control. Again though, that malicious link still has to become clickable at some point. The difference being that it is rendered post-delivery and so will escape rewriting or inspection by the mail security gateway resource. I’m not aware of any gateway product that can interpret CSS files to be honest, so the threat is real world enough.

Mimecast disclosed the exploit techniques to both Apple and Microsoft (and others) in late 2016. However, it admits that “there has not been a general acceptance of ROPEMAKER as a vulnerability or a form of potential application exploit by any impacted client application owner” as of now. Hence going public with the advisory.

Brian Robison, senior director of security technology at AI-based vendor Cylance, told IT Security Thing that “this advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended. Modern email applications render HTML as if it were a webpage using CSS to make the email “look” nice.

“This is currently standard practice within every legitimate marketing organisation in the world. Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank’s website; then the button is actually linked to different site entirely – like badbank dot com, or something where you are tricked into clicking on that link that and exposing your credentials on the “fake” banking site.

“Having pre-execution anti-malware technology in place on endpoints would prevent any malware that was downloaded as part of the phishing attack from executing and doing any damage.”