Handler on Duty: Johannes Ullrich
Threat Level: green
Jan Kopriva Diaries
- Phishing e-mail that hides malicious link from Outlook users
- Another day, another phishing campaign abusing google.com open redirects
- It's 2025... so why are obviously malicious advertising URLs still going strong?
- A Tale of Two Phishing Sites
- SSL 2.0 turns 30 this Sunday... Perhaps the time has come to let it die?
- An unusual "shy z-wasp" phishing
- Changes in SSL and TLS support in 2024
- The strange case of disappearing Russian servers
- Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials
- Phishing links with @ sign and the need for effective security awareness building
- Script obfuscation using multiple instances of the same function
- "Reply-chain phishing" with a twist
- Support of SSL 2.0 on web servers in 2024
- Files with TXZ extension used as malspam attachments
- It appears that the number of industrial devices accessible from the internet has risen by 30 thousand over the past three years
- The xz-utils backdoor in security advisories by national CSIRTs
- Increase in the number of phishing messages pointing to IPFS and to R2 buckets
- Phishing pages hosted on archive.org
- Computer viruses are celebrating their 40th birthday (well, 54th, really)
- Interesting large and small malspam attachments from 2023
- Whose packet is it anyway: a new RFC for attribution of internet probes
- Phishing page with trivial anti-analysis features
- Are typos still relevant as an indicator of phishing?
- A new spin on the ZeroFont phishing technique
- The low, low cost of (committing) cybercrime
- From small LNK to large malicious BAT file with zero VT score
- Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure
- After 28 years, SSLv2 is still not gone from the internet... but we're getting there
- Ongoing Facebook phishing campaign without a sender and (almost) without links
- "Passive" analysis of a phishing attachment
- The strange case of Great honeypot of China
- Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains
- IPFS phishing and the need for correctly set HTTP security headers
- HTML phishing attachment with browser-in-the-browser technique
- SPF and DMARC use on 100k most popular domains
- Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog
- SPF and DMARC use on GOV domains in different ccTLDs
- TLP 2.0 is here
- EternalBlue 5 years after WannaCry and NotPetya
- HTML phishing attachments - now with anti-analysis features
- Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...
- What is the simplest malware in the world?
- MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering
- How is Ukrainian internet holding up during the Russian invasion?
- Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW
- Phishing e-mail with...an advertisement?
- Do you want your Agent Tesla in the 300 MB or 8 kB package?
- PowerPoint attachments, Agent Tesla and code reuse in malware
- Phishing page hiding itself using dynamically adjusted IP-based allow list
- TLS 1.3 and SSL - the current state of affairs
- Phishing 101: why depend on one suspicious message subject when you can use many?
- There may be (many) more SPF records than we might expect
- ProxyShell - how many Exchange servers are affected and where are they?
- A sextortion e-mail from...IT support?!
- One way to fail at malspam - give recipients the wrong password for an encrypted attachment
- Phishing asking recipients not to report abuse
- Architecture, compilers and black magic, or "what else affects the ability of AVs to detect malicious files"
- All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not
- Number of industrial control systems on the internet is lower then in 2020...but still far from zero
- Hunting phishing websites with favicon hashes
- Malspam with Lokibot vs. Outlook and RFCs
- Old TLS versions - gone, but not forgotten... well, not really "gone" either
- 50 years of malware? Not really. 50 years of computer worms? That's a different story...
- Qakbot in a response to Full Disclosure post
- Agent Tesla hidden in a historical anti-malware tool
- TriOp - tool for gathering (not just) security-related data from Shodan.io (tool drop)
- From a small BAT file to Mass Logger infostealer
- TLS 1.3 is now supported by about 1 in every 5 HTTPS servers
- Want to know what's in a folder you don't have a permission to access? Try asking your AV solution...
- A slightly optimistic tale of how patching went for CVE-2019-19781
- Heartbleed, BlueKeep and other vulnerabilities that didn't disappear just because we don't talk about them anymore
- SMBGhost - the critical vulnerability many seem to have forgotten to patch
- BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon
- Phishing kits as far as the eye can see
- Slightly broken overlay phishing
- A blast from the past - XXEncoded VB6.0 Trojan
- Security.txt - one small file for an admin, one giant help to a security researcher
- Definition of 'overkill' - using 130 MB executable to hide 24 kB malware
- What pages do bad bots look for?
- Couple of interesting Covid-19 related stats
- Using Shell Links as zero-touch downloaders and to initiate network connections
- VMware security advisory VMSA-2020-0015
- Broken phishing accidentally exploiting Outlook zero-day
- Frankenstein's phishing using Google Cloud Storage
- Agent Tesla delivered by the same phishing campaign for over a year
- Look at the same phishing campaign 3 months apart
- Crashing explorer.exe with(out) a click
- Desktop.ini as a post-exploitation tool
- Secure vs. cleartext protocols - couple of interesting stats
- Quick look at a couple of current online scam campaigns
- Discovering contents of folders in Windows without permissions
- Current PayPal phishing campaign or "give me all your personal information"
- Analysis of a triple-encrypted AZORult downloader
- Picks of 2019 malware - the large, the small and the one full of null bytes
- Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!
- Phishing with a self-contained credentials-stealing webpage
- E-mail from Agent Tesla
- Analysis of a strangely poetic malware
- Lessons learned from playing a willing phish
- Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?
- EML attachments in O365 - a recipe for phishing
- Phishing e-mail spoofing SPF-enabled domain
