JRB - Fotolia
An attack using the exploit, dubbed Ropemaker, could avoid security controls and deliver a malicious email that would be acted upon by the targeted person.
Benign links could be replaced with malicious link after delivery without direct access to the targeted individual’s computer or email application.
Attackers could also use the technique to see when email messages are viewed, what email client is being used and what IP address the user is on.
The name of the attack technique is an acronym for Remotely Originated Postdelivery Email Manipulation Attacks Keeping Email Risky.
Currently, the most popular email clients that are vulnerable to Ropemaker include Microsoft Outlook for desktop and mobile devices, Apple Mail for desktop and mobile, and Mozilla Thunderbird.
Despite the Ropemaker exploit techniques being disclosed to the primary email client suppliers in late 2016 and early 2017, Mimecast said there is so far no general acceptance of Ropemaker as a vulnerability or a form of potential application exploit by any impacted email client application owner.
The attack method – discovered by Mimecast’s Francisco Ribeiro – exploits the properties of web content that is increasingly used to make emails more visually attractive and dynamic.
In particular, the attack exploits the fact that two resources that are housed remotely from each other, but are linked via a network, can interoperate and that in the web content model, remotely based and controlled resources can be fetched or referenced without the direct control of the local user.
This functionality, typical of most websites, is often enabled using remote cascading style sheets (CSS), which enable the separation of presentation and content.
Importantly, if supported by the presenting application such as the many email clients, a CSS file can be used locally with the markup language file or accessed remotely across the network.
Control email displays
The key point is that instead of controlling just the style of the email, the remote CSS can actually control what the email displays, bypassing most email security technologies.
This means that an attacker could send an HTML-based email to an intended victim using a remote CSS that the attacker hosts. Mimecast calls this approach a “switch exploit”.
As long as the email client automatically connects to the remote CSS to retrieve the desired “style” for the email, the attacker could change the content just by changing the CSS, says Mimecast.
This means that the attacker could not only add malicious links to the email post-delivery, but also at a later date tamper with emails used as a business record by altering financial figures.
Although email security products that inspect links before being resolved will protect against bad links, Mimecast warns that content changes could still cause confusion and potentially business disruption.
The integrity and thus the non-repudiation of emails is affected because an email cannot serve as a reliable business record if it can be “changed” at any time.
Mimecast further warns that a “matrix exploit” that uses a comprehensive matrix of ASCII text, which is then manipulated using a remote CSS, is even more difficult to defend against than the “switch exploit”.
In the “matrix exploit”, the email itself is just a blob of text with no URLs or other specific content yet apparent until post-delivery, although the relatively large number of HTML tags and the size of the message body could serve as a tip-off.
However, once the remote CSS file is changed to selectively display text and a URL, either the email client will present a clickable link or, in the absence of a clickable link, will at least present text that resembles a URL and thus can easily be copied and pasted by an unsuspecting user.
Because the URL is rendered post-delivery, email gateway controls cannot find, rewrite or inspect the destination site on-click, because at the time of delivery, there would be no URL to detect.
To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems, and therefore requires producers of email client software to do more to protect the user instead of automatically loading resources, even if they are stored remotely or relying on users to adjust email client security configurations, according to Mimecast.
By default, email clients should be configured to warn before automatically downloading external resources, the company said.
Another compensating control that could address this type of exploit would be to use a secure web gateway in proxy mode to inspect the destination site before allowing it to resolve to the user.
To protect against Ropemaker exploits, Mimecast has added a feature to its email security products that strips out references to external sources from all inbound emails.
Although Mimecast has not seen Ropemaker being used in any of the billions of emails it scans each month, the company said there is no guarantee that cyber criminals are not currently taking advantage of this technique in targeted attacks on organisations not being served by Mimecast.
Apart from the modifications made to Mimecast products, the only way organisations can protect against Ropemaker attacks is to disable the use of HTML mail and allow only plain text emails, the company said.
Another workaround is to adopt web clients such as Gmail, Outlook.com and icloud.com that are not affected by these types of exploit because they do not support the presentation of HTML emails.
Improve security awareness
Mimecast said that by sharing the details of Ropemaker publicly, it hopes to improve security awareness and encourage appropriate action to address the risks that exist with email.
“The defensive threat research community needs to continue to disclose potential new exploits such as these in a timely and responsible manner,” the company said.
In response to the public disclosure, Apple said users could choose to disable the loading of remote content by navigating to Mail > Preferences > Viewing and unchecking “Load remote content in messages”.
Mimecast said that although this is comparable to the filter provided by Mimecast’s email protection, the fact that it is provided at the client level means it is under the control of each individual user, which adds implementation risk and complexity.
Microsoft would only say that it does not characterise the Ropemaker style of exploit as a software vulnerability.
According to Mimecast, it is irrelevant how the exploit is classified, but in light of the fact that it could be a game-changer, the company has called on the IT industry to collaborate to reduce the likelihood that the Ropemaker style of exploits gains any traction with cyber criminals
WannaCry and Petya are two reasons why businesses need to do something about this potential attack route, said Mimecast.
According to the company, 91% of cyber attacks start with a malicious email and more than half of businesses have seen the volume of cyber attacks increase in 2017, including ransomware, phishing and impersonation fraud.
Despite this, less than 20% of organisations feel completely confident in their ability to spot and defend against cyber attacks, said Mimecast.