ROPEMAKER allows an attacker to change an email after it has been sent

A new email attack scenario called ROPEMAKER allows an attacker to change the content of an email after it has been sent, by means of a remote CSS file.

ROPEMAKER, short for Remotely Originated Post-Delivery Email Manipulation Attacks Keeping Email Risky, revolves around the idea that an attacker sends the victim an email in HTML format which, instead of using embedded or inline CSS, loads a CSS file from the attacker's server.

The purpose is to write and send an initial email and then alter what it displays by changing the content of the CSS file on the server.

ROPEMAKER turns email security products into 'idiots'

The original email passes through the email scanning tools that protect the victim, but the later changes to its displayed content are not detected when they occur. This is because the email security system scans messages only as they arrive, before delivery, and does not re-scan them once they are in the recipient's inbox.

Two types of ROPEMAKER attacks

Francisco Ribeiro, a Mimecast security researcher and discoverer of this type of attack, said he discovered two forms of attack.

The first is called the ROPEMAKER Switch Exploit and relies on the attacker toggling the CSS 'display' property of elements in the email.

For example, he sends an email with two links, one clean and one dirty, and only the clean link is displayed. After the email has been received, he edits the remote CSS file to show the dirty link and hide the clean one.

[Picture 1: Changing what is displayed in the email]

The second is called the ROPEMAKER Matrix Exploit and relies on embedding a matrix of all ASCII characters for each letter in the email.

Using CSS display rules, the attacker can choose which character is shown at each position and so recreate whatever text he wants in the email at any time.

[Picture 2: Using a matrix for the characters in the email]

Email scanning tools cannot recognize either type of attack, but the matrix approach produces very bulky emails, because a matrix of letters and numbers has to be embedded for every character, and email security tools can detect that.

Ribeiro said that Mimecast has not detected any attacks using the ROPEMAKER technique, but because email security tools cannot recognize it, it cannot be ruled out that such attacks have already happened.

ROPEMAKER is not too scary

Although it sounds scary, in reality users don't have to worry much. Most email clients habitually strip the header tags of HTML-formatted emails, including the tags that call remote CSS files.

That is why most HTML email writing guidelines encourage web developers to only use inline CSS and avoid embedded CSS or remote CSS.

Mimecast tested ROPEMAKER with many email clients and said that browser-based email interfaces are not affected by it. Not surprisingly, these interfaces strip header tags carefully, to avoid interfering with the normal header of the page itself.

In addition, a Reddit user also points out that 'this type of attack is very easy to filter' because the system administrator only needs to block the remote CSS source when the email client requests it.
