Hello and welcome to the Monday, June 26, 2020, 3 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes Ulrich and I'm recording from Stockholm, Germany.

Well, let's start with diaries. We actually had a number of good ones this weekend. First, a quick one by Guy.

Guy found two different modiloder attachments with, well,

a very different email ruses, actually. One was an email failure message, one of those Office

365 failure messages that are often being used to then trick users into opening attachments.

The second one, the message actually came from a magazine in Slovakia, sort of a lifestyle travel

magazine. That email was all in Arabic, interestingly enough. So very different lures here. The attachment in both

cases was a zip file that then turned out to be a modi loader, which of course is one of those

generic loaders that can load pretty much whatever malware you like. And Brad has written up a couple of incidents like this before.

More details, including screenshots of the emails, can be found in the diary.

And talk about malicious emails, Xavier found an interesting trick that has been used before,

but hasn't we been seen lately to attach malicious content to an office document?

No, it's not a macro this time.

It's a template.

And the interesting thing with templates is that they don't actually have to be included with a document,

but a document may reach out to a URL and then pull them in,

which of course makes it more difficult to detect these documents as they're going through

your email chain. The document will then be downloaded directly by Word as you're opening the document,

sort of at the time the user actually opens it.

In this case, the template was no longer available, so sadly, Xavi couldn't quite figure out

what this template then would have done to the user.

Also interesting that the template itself was

...