Recently CyberClan became aware of a new zero-day, zero-click exploit for iOS devices, this time hidden within the built-in mail app. A zero-click attack means that the end user does not have to click on the email for it to be effective. The vulnerability is present in all versions of iOS, and Apple does not currently have a publicly available patch for it.
The exploit allows remote code execution and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory. The vulnerability does not necessarily require a large email – a regular email that is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion, including RTF, multi-part, and other methods.
On iOS 13, this attack can be executed unassisted and only requires the mail application to be running in the background of the device. On iOS 12 and earlier, the attack requires the user to open the email before it can execute. Even though the vulnerability has only just come to light, the earliest observed attacks were discovered over 2 years ago, around January of 2018. It’s therefore likely that various groups, including nation-state actors, have already added this tool to their toolkit.
The best way to prevent the attack at this time is to remove the native mail application from all devices and use an alternative email client, such as the Outlook or Gmail apps. It’s also worth contacting your email spam/protection/WAF vendors to ask whether they are able to detect this attack vector and protect devices from it. We work closely with leading Microsoft 365 vendors who are able to detect and prevent these attacks from affecting end users' devices by evaluating the exploit code before it hits your mailbox.
For more information about this vulnerability and what you can do, please contact us and we can work with you to address your concerns.