Super-phishing: masterly fraudulent e-mail security in e-mail programs

So far, most users have been convinced that the e-mail message sent is unchanged - the recipient will receive the same content as was sent by the recipient. Today, everybody should take a correction for secure communication protocols, because even standards such as SMIME and PGP are not able to protect messages from replacements presented by employees of the Mimecast company.

The developed method of ROPEMAKER (the acronym of Remotely Originated Post-delivery Email Attachment) can change the content of the message, e.g. link hyperlink:


Sent message with the URL: avlab.pl/dobry

Received message with the address avlab.pl/zly

ROPEMAKER gives you the opportunity to manipulate not only links. It is possible to change the entire content of the text:


On the left, seemingly empty message before sending. Message received on the right.

The blank message on the left actually looks like this. The source display reveals HTML, CSS and ASCII characters.

How is this possible? By manipulating what you see in the layer you can not see. Specifically, thanks to loading remote HTML and CSS content:


Surely everyone knows it - e-mail programs ask whether to allow remote content to be loaded.

How to use ROPEMAKER in an attack?

In this method, you do not need direct access to the mailbox, nor did you use the MiTM attack (although in the MiTM attack you can use ROPEMAKER). Successful modification of e-mail content is possible due to the loading of remote CSS code - visually more attractive mail containing dynamic content and hyperlinks increases the risk of a successful phishing attack. However, in this case, phishing is an undervaluing term for deceiving an employee or user, because despite the electronic signature or encrypting the message by the PGP protocol, the recipient receives adulterated content.

The presented fraud method gives the criminals a Gatling rifle, while previously they had only one-shot pistols.

ROPEMAKER can be used in the same phishing or spear-phishing attacks that we have known so far, adding the presented method of manipulating e-mail content. As a result, we get an explosive mix of social engineering. The worst part is that ROPEMARKER is not an exploit, it is not a vulnerability or a security bug. It's just masterful cheating, or actually the proper use of email clients' functions, which warn the user against loading remote content.

ROPEMARKER has been tested on clients: Outlook, Thunderbird and Apple Mail. Its use only limits the creativity of cybercriminals. Although Mimecast has not recorded this method in real attacks (and it has tens of thousands of business clients under its own, who receive billions of e-mails), just like the EternalBlue exploits from the NSA - we may soon witness the observation of ROPEMARKER in phishing attacks on a similar scale as WannaCry ransomware . What's more, the researchers suggest that attackers to display remote content can experiment with scalable vector graphics (SVG) and with tags, as well as



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.