Hello, welcome to the Friday, June 30th, 2017 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Columbia, Maryland.

Brad has an update about the Blank Slate matter campaign today.

Blank Slate has been known to use email messages that don't really

contain a body. Instead, they just typically contained a sipped JavaScript attachment that,

of course, then led to Malware, typically crypto ransomware. The subject lines were all over the place, kind of

tempting the user to open the attachment. Well, this latest run-off blank slate that Brad

observed does deviate from this pattern. It now actually has a text in the email message. The text suggests that you just

logged in to your Microsoft account and if you didn't do so, you should click on a link

to let them know that you didn't log in to your account. Interestingly, they do list an IP address as part of the email

message. That IP address is not a valid IP address. As you can see in the email that Brad

posted, the first byte, for example, of the IP address is something around 400.

Now this will of course not prevent your average user from clicking on the link,

downloading a zip file and then opening it and potentially running the JavaScript,

which then of course again leads to crypto ransomware. The domains being used are again using the dot-top generic top-level domain, and I don't

think I've ever seen a valid side that actually used the dot-top generic top-level domain.

As usual, Pratt does provide a number of indicators of compromise,

traffic captures, and all the good stuff that helps you analyze this particular attack and protect yourself.

And Microsoft released a critical patch for Azure Active Directory Connect.

Now, this tool allows you to keep your cloud and on-premise passwords,

for, for example, for Office 365 in sync, using something called password right back.

And you're vulnerable if you are enabling called password right back and you're vulnerable if you are enabling this

...