Hello, welcome to the Tuesday, October 13th, 2020 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Yesterday I mentioned how the DEA went over his plug-in message summary tool that allows you to easier take apart Outlook message files.

Well, as it happens that readers of course are trying this out on different files and one

ran into an interesting, fairly complex file, at least that's sort of what it looked like, and DDA had a look to see

what's actually going on here. So what happened here was that the email that was inside the

message file actually had another message file as an attachment, and that leads to nested message

files that can be quite complex when you

sort of first look at all the list of components within the file.

Now, the day shows how to make sense of all of this data and in the end also how to quickly

extract the subjects for the affected emails,

which of course then already gives you some insight as to what exactly was contained in these

different files.

And it looks like a lot of interest is being paid to the Trickbot Botnet lately and the most recent action

was taken by Microsoft by obtaining court orders to actually disable IP addresses and trying

to disrupt the command and control servers that are responsible for trickbot.

Now, oftentimes, of course, it doesn't take that much effort, and ISPs will cooperate or domain

registrars and such, but once Botnet has sort of learned how to evade various tricks and found

essentially some form of bulletproof

hosting. Yes, it can get quite difficult and court orders and such are needed and Microsoft took

the lead because they felt also that some of their trademarks were violated by Trickbot, which

gave them some legal standing to obtain these court orders.

...