Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Ropemaker attack allows to transform email in malicious ones after it’s received

The Ropemaker attack allows hackers to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s inbox? What about a technique that could allow an attacker to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s email inbox? […]

Ropemaker attack allows to transform email in malicious ones after it’s received

The Ropemaker attack allows hackers to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s inbox?

What about a technique that could allow an attacker to turn an apparently harmless email into a malicious one after it has already been delivered to the victim’s email inbox?
The technique exists and was dubbed Ropemaker (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), by Francisco Ribeiro, a security researcher at Mimecast that discovered it.
The attacker uses the Ropemaker attack to remotely modify the content of an email he sent after the email has already been delivered to the recipient. The attacker, for example, can change an embedded URL bypassing spam and security filters.
The Ropemaker attack abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML) that are fundamental parts of the way information is presented on the Internet.

“So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML.  While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email. ” explained Mimecast’s Senior Product Marketing Manager Matthew Gardiner.

The ROPEMAKER attack leveraged on the fact that CSS is stored remotely, so an attacker can change the content of an email through remotely changes to the desired ‘CSS ‘ used for the content of the email that is presented to the user.

ROPEMAKER attack

The Ropemaker attack could be exploited in various ways, for instance, attackers could replace an URL that points to a legitimate website by a malicious one that redirects the user to a compromised site or to a phishing website.

Another attack scenario was dubbed by Mimecast “Matrix Exploit,” it sees attackers writing a matrix of text in an email and then use the remote CSS to selectively control what is displayed. With this trick, the attacker can display any text in the content of the email, including malicious URLs.

This form of ROPEMAKER attack is very harder to detect because the email received by the victim does not display any URL.

“Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect,” reads the report on the ROPEMAKER attack. “To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems.”

Experts don’t exclude the attack is “being used somewhere outside the view of Mimecast.”
The Mimecast experts explained that web-based email clients like Gmail, iCloud and Outlook aren’t affected by Ropemaker-style CSS exploits, while email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ROPEMAKER attack, hacking)

[adrotate banner=”13″]