Hello and welcome to the Friday, November 22nd,

2024 edition of the Sansanet Storms and Stormcast.

My name is Johannes Ulrich and then I'm recording from Singapore.

Did he look at some fishing emails that made the news recently?

These fishing attachments are actually using the

little bit unusual SVG file format.

SVG is a vector-based image format.

It's often used on web pages, for example, on the United Storm Center, we have these little icons on the left

that are encoded as SVG. The advantage of SVG is that because it's a vector format, it

scales nicely, it can also easily be embedded in a web page so you don't need to load additional files.

But attackers apparently are using these images in order to bypass detection rules.

In addition, SVG may embed JavaScript and that's being abused here in order to pull in the company's logo from

a web service that offers company logos based on their domain name. So if an attack is

targeting a particular individual, then the domain name of the email address, is being used to display that company's

logo, which of course makes the attack more plausible.

Has seen similar things in the past on other phishing emails without SVG, but yes, the main

point here of SBG is to bypass detection rules, not really to launch

any fundamentally different attack.

And in today's weaknesses in Enterprise Security Tools, we have a little bit of a minor

issue in the 40 client VPN.

The issue here is logging. If NetHacker launches a

prudeforce attack with 40 client, the failed login attempts are usually logged and

...