SANS Stormcast Thursday, June 5th, 2025: Phishing Comment Trick; AWS default logging mode change; Cisco Backdoor Fixed; Infoblox Vulnerability Details Released
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9480.mp3

My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Phishing e-mail that hides malicious links from Outlook users
Jan found a phishing email that hides the malicious link from Outlook users. The email uses HTML conditional comments that Outlook interprets to render, or not render, specific parts of the email's HTML code, so Outlook users see a benign link while other mail clients see the malicious one. Jan suggests that the phishing email is intended to not expose users of
https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010
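As an added example (not code from the ISC diary), the following Ruby script renders an HTML mail body the way Outlook would and the way every other client would, by honouring the two conditional-comment forms Outlook supports, and then flags a message whose link targets differ between the two views. The conditional-comment syntax is Outlook's real behaviour; the sample message and its placeholder domains are constructed for the example.

```ruby
require 'uri'

# Outlook renders <!--[if mso]> ... <![endif]--> and ignores it elsewhere;
# the "downlevel-revealed" form <!--[if !mso]><!--> ... <!--<![endif]--> is
# rendered by every client except Outlook.
MSO_ONLY = /<!--\[if\s+mso\]>(.*?)<!\[endif\]-->/mi
NON_MSO  = /<!--\[if\s+!mso\]>\s*<!-->(.*?)<!--\s*<!\[endif\]-->/mi
HREF     = /href\s*=\s*["']([^"']+)["']/i

# Hostnames of every link in an HTML fragment (falls back to the raw value
# when it is not a parseable URL).
def link_hosts(html)
  html.scan(HREF).flatten.map do |url|
    begin
      (URI.parse(url).host || url).downcase
    rescue URI::InvalidURIError
      url.downcase
    end
  end.uniq
end

# Build the two views: what Outlook shows, and what everyone else shows.
def split_by_client(html)
  outlook_only = html.scan(MSO_ONLY).flatten.join
  others_only  = html.scan(NON_MSO).flatten.join
  shared       = html.gsub(MSO_ONLY, '').gsub(NON_MSO, '') # seen by both
  { outlook: outlook_only + shared, other: others_only + shared }
end

# Detection: any link host that non-Outlook users get but Outlook users do not
# is exactly the kind of target this trick is designed to hide from a managed
# environment, so treat its presence as suspicious.
def client_link_mismatch(html)
  views  = split_by_client(html)
  ol     = link_hosts(views[:outlook])
  other  = link_hosts(views[:other])
  hidden = other - ol
  { outlook: ol, other: other, hidden_from_outlook: hidden, suspicious: !hidden.empty? }
end

# Constructed sample modelled on the trick in the diary; domains are placeholders.
SAMPLE_EMAIL = <<~HTML
  <html><body>
  <p>Please verify your account.</p>
  <!--[if mso]>
  <a href="https://www.example-bank.test/login">Sign in</a>
  <![endif]-->
  <!--[if !mso]><!-->
  <a href="https://login.example-phish.test/verify">Sign in</a>
  <!--<![endif]-->
  <p><a href="https://www.example-bank.test/help">Help</a></p>
  </body></html>
HTML

puts client_link_mismatch(SAMPLE_EMAIL).inspect if __FILE__ == $PROGRAM_NAME
```

The same comparison works as a mail-gateway rule: a legitimate newsletter that uses conditional comments for layout will produce identical host lists in both views, while this trick produces a host that only the non-Outlook view contains.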
Amazon changing default logging from blocking to non-blocking
Amazon will change the default logging mode from blocking to non-blocking. Non-blocking logging will not stop the application if logging fails, but may result in a loss of logs.
https://aws.amazon.com/blogs/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/
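An added example, not Amazon's code: a small audit over an ECS task definition that reports, per container, which delivery mode the awslogs driver will actually use and what the trade-off is. The log-driver options `mode` and `max-buffer-size` are the real Docker log-driver options the awslogs driver accepts; the task definition below is constructed, and the assumption that an unset `mode` resolves to non-blocking follows from the announced default change.

```ruby
require 'json'

# Assumption taken from the announcement: once the change is in effect, a
# container that does not set "mode" explicitly gets non-blocking delivery.
DEFAULT_MODE_AFTER_CHANGE = 'non-blocking'

# Returns one finding record per container definition.
def logging_findings(task_definition_json)
  task = JSON.parse(task_definition_json)
  task.fetch('containerDefinitions', []).map do |c|
    cfg  = c['logConfiguration'] || {}
    opts = cfg['options'] || {}
    mode = opts['mode'] || DEFAULT_MODE_AFTER_CHANGE
    issues = []
    issues << 'no logConfiguration: container output is not shipped at all' if cfg.empty?
    if cfg['logDriver'] == 'awslogs'
      unless opts.key?('mode')
        issues << "mode not set: will silently default to #{DEFAULT_MODE_AFTER_CHANGE}"
      end
      if mode == 'non-blocking' && !opts.key?('max-buffer-size')
        # Docker's default in-memory buffer is 1 MB; once it fills, lines are dropped.
        issues << 'non-blocking without max-buffer-size: default 1 MB buffer, log loss likely under load'
      end
      if mode == 'blocking'
        issues << 'blocking: the container stalls if CloudWatch Logs is unreachable'
      end
    end
    { name: c['name'], driver: cfg['logDriver'], mode: mode, issues: issues }
  end
end

# Constructed task definition: one container relying on the default, one
# tuned for non-blocking, one explicitly blocking.
SAMPLE_TASK_DEF = <<~JSON
  {
    "family": "example-web",
    "containerDefinitions": [
      { "name": "web-implicit", "image": "example/web:1.0",
        "logConfiguration": { "logDriver": "awslogs",
          "options": { "awslogs-group": "/ecs/example-web", "awslogs-region": "us-east-1" } } },
      { "name": "web-tuned", "image": "example/web:1.0",
        "logConfiguration": { "logDriver": "awslogs",
          "options": { "awslogs-group": "/ecs/example-web", "awslogs-region": "us-east-1",
                       "mode": "non-blocking", "max-buffer-size": "25m" } } },
      { "name": "batch-audited", "image": "example/batch:1.0",
        "logConfiguration": { "logDriver": "awslogs",
          "options": { "awslogs-group": "/ecs/example-batch", "awslogs-region": "us-east-1",
                       "mode": "blocking" } } }
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  logging_findings(SAMPLE_TASK_DEF).each { |f| puts "#{f[:name]} (#{f[:mode]}): #{f[:issues].join('; ')}" }
end
```

The point of the check is that neither mode is wrong in itself: a workload whose logs are evidence (an authentication service, a batch job that must be auditable) may deliberately keep blocking, while a latency-sensitive web tier usually wants non-blocking with a buffer large enough to ride out a CloudWatch hiccup. What you do not want is the mode being chosen for you without anyone noticing, which is exactly what the default change makes possible.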
Cisco Removes Backdoor
Cisco fixed a static credential vulnerability in Cisco Identity Services Engine on Cloud Platforms.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7
Infoblox Vulnerability Details Disclosed
Details regarding several vulnerabilities recently patched in Infoblox's NetMRI have been made public. In particular, an unauthenticated remote code execution issue should be considered critical.
https://rhinosecuritylabs.com/research/infoblox-multiple-cves/
Podcast Transcript
Hello and welcome to the Thursday, June 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations is recorded in Jacksonville, Florida.

Today we have a diary from Jan about an interesting phishing trick that Jan ran across. This phishing trick basically hides the malicious link from Outlook users. So at first the email looks like, well, any other phishing email. It tries to impersonate a bank, but when Jan hovered over the link in Outlook, well, the link actually was a normal link for this particular bank. So what's the point here? Well, essentially what the attacker is likely trying to do here is not trigger the phishing attack for Outlook users. Because Outlook users are often corporate users. Most home users and such may be more susceptible to phishing, use webmail browser systems. And the corporate users, of course, have more security around their browsing experience, which of course could trigger an alert and then could lead to the phishing site being discovered. So what they're actually doing here is use this little trick here with HTML comments. This is a specific feature in Outlook that if MSO and you often see some sort of product specific features implemented like this, where essentially you can display different content to Outlook users versus other users. And that's really what's happening here. And that's how the non-Outlook user is seeing the malicious link, while Outlook users are seeing the benign link. Interesting little trick. And like I said, it's not necessarily meant to protect Outlook users. It's more to hide the malicious link from users that are more likely part of a more managed IT environment.

And then we got an update from Amazon regarding the default mode for AWS logging via CloudWatch logs and others. And you may have received an email from Amazon about this change, but it's easy to miss those emails. The main issue is that currently the default logging mode is what they call blocking mode. What this means is that the application makes sure that all logs are actually received. Now, if there is a disruption in logging, that may actually then lead to your application stopping because, well, it can no longer log. They're going to change this now to non-blocking mode, which is kind of like, you know, your good old syslog, UDP logging, where you're sending the logs, but there is no guarantee that the logs are actually being received. If you have your logging buffer and so fill up, well, the logs will just get lost. The advantage of the course is that now your application will not break. It will continue to work. Whether or not there's a change that you want or not depends on your application. If you rather have the application shut down, if logging doesn't work, or if you rather have an application running, but without logging, that change will become effective on June 25th. So starting June 25th, the default logging mode will be the non-blocking mode.

Then we got a couple of Cisco updates. The one that's really noteworthy here is a backdoor they removed from a Cisco identity services engine on cloud platforms. Again, one of those static credential vulnerabilities, as Cisco calls them. Definitely make sure that you do update this one. How it affects you depends on the exact configuration. So refer to the Cisco advisory for any details.

And Infoblox patched a number of vulnerabilities in its NetMRI system. We now have detailed write-ups on these vulnerabilities, including proof of concept. The one that you should probably be most worried about is an unauthenticated command injection vulnerability via the get-saml request. Very classic vulnerability if you're looking at the code where it does actually just pass the saml ID here without any proper input validation or output encoding to this Perl script that then basically does the saml authentication. This is Ruby code in Ruby. The popen command actually would have allowed for a better method to implement this by actually passing these arguments as separate arguments to popen. But well, Infoblox chose not to take advantage of this feature.

Well, and that's it for today. So thanks for listening and talk to you again tomorrow. Bye. Bye.
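The command injection pattern described for the NetMRI get-saml request, and the popen fix the podcast mentions, as an added example that is not Infoblox's code: a request parameter handed to an external program through Ruby's `IO.popen`, first in the string form that goes through `/bin/sh`, then in the array form where each element is one argv entry and no shell is involved. The ID format and the use of `printf` as a stand-in for the Perl script are assumptions made so the example runs anywhere.

```ruby
# Assumption: SAML IDs are opaque tokens; anything outside this shape is rejected
# before it gets anywhere near a process. Validation is the first layer, the
# array form of popen is the second; either alone is weaker than both.
SAML_ID_FORMAT = /\A[A-Za-z0-9_\-]{1,64}\z/

# Vulnerable shape (shown for contrast, never invoked here): one string is
# handed to /bin/sh, so a value such as "abc; other-command" runs a second
# command. This is the pattern the podcast describes.
def lookup_vulnerable(saml_id)
  IO.popen("printf '%s' #{saml_id}", &:read)
end

# Hardened shape: the array form of IO.popen execs the program directly with a
# literal argv. Shell metacharacters in saml_id are just bytes in one argument.
# printf stands in for the SAML helper script (a placeholder, not Infoblox's path).
def run_saml_script(saml_id)
  IO.popen(['printf', '%s', saml_id], &:read)
end

def lookup_hardened(saml_id)
  raise ArgumentError, 'malformed SAML id' unless saml_id.match?(SAML_ID_FORMAT)
  run_saml_script(saml_id)
end

if __FILE__ == $PROGRAM_NAME
  puts lookup_hardened('abc_123')
  # Even with validation bypassed, the array form keeps the value literal:
  puts run_saml_script('abc; echo injected')
end
```

The second call in the stand-alone run prints `abc; echo injected` verbatim, because nothing ever parsed it as a command line; that is the property the array form gives you and the string form does not.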