Hello, welcome to the Tuesday, June 7, 2020 edition of the Sandsenut Storm Center's Stormcast.

My name is Johannes Ulrich, and the time I'm recording from San Francisco, California.

There's still no update regarding a patch for the MS-MSDT vulnerability, aka Fallina.

Various organizations have spotted exploit documents as a follow-up to yesterday's

diary where Diddy explained how to analyze an MSMSDT exploit sample.

Didier today went into more detail on how to use his OLLI Dump tool and the

CLSID plugin to analyze these types of documents. Using these tools and a new, as he calls it,

work in progress module, DDA created to extract data from all these streams.

Using these tools, it is relatively straightforward to extract any URLs.

And of course, that's how you then get with these documents to the actual malicious part

that's downloaded as part of this template.

So with no patch available, more and more exploits being cited in the wild.

I hope you'll find these tools useful if you run into a suspect document to possibly

figure out what they're trying to accomplish.

And cloud security company CloudSec has a nice write-up on a newer fishing campaign

that heavily relies on URL shortners and EURS proxy services.

This is sort of a trend that has really been ramping up this last year. I have seen a

couple of examples too. And the tricky part here is that the attacker basically will use a

URL shortener to point you to some service like NCRC or one of these sort of developer-centric

proxy services and then point that

proxy to the actual fishing site. The disadvantage for the defender year, of course, is that,

first of all, now your indicators of compromise change all the times, usually sort of with a 24-hour rhythm, these URLs change.

...