Post-delivery modification: another nail in email’s coffin

The security firm Mimecast has discovered a new email security flaw that is truly terrifying. The threat – named ROPEMAKER – is not thought to have been used by cybercriminals to date. Yet its discovery alone means that any email you receive could harm your computer and files – even if the sender had no malicious intentions. As Mimecast explains:

“Most people live under the assumption that email is immutable once delivered, like a physical letter.  A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing.  Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that can be considered by non-customers to safeguard their email from this email exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML.  While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of ones’ applications or infrastructure is a bad thing.  As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users.  ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.

As time goes on, it becomes clearer that email is not the communication tool of the future. It can be exploited by those who seek to compromise your data in too many clever ways. What is needed to maintain a secure network of communication in the coming years is a tool that provides end-to-end encryption within an environment closed off to third-party actors.

This is exactly what we offer at Evizone. With our Evizone Secure Communications (ESC) product, you can be sure that all communications are sent and received as they are intended.

Contact us to test the strongest commercially available system for the secure exchange of messages, documents and files today.