Hello and welcome to the Wednesday, October 5th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from New York City, New York.

In today's diary by Jesse, we see another example of a fishing site taking advantage of

client side technologies and cloud services

to avoid having to maintain the larger footprint

necessary to run sort of more traditional,

complete dynamic website with server side code.

The alternative is, of course,

to use JavaScript on the client

and then to have various APIs to work with for you.

In the example provided by Jesse, the phishing page uses JavaScript to connect to Telegram

and then to send data to an adversary's telegram address.

The phishing page itself is hosted at Workers.Dev.

That's actually a Cloudflare service that can be used to host serverless code.

Between the use of Workers.Depfregantly used legitimate site and telegram fishing attacks

are difficult to stop as they use fairly

common and legit services so they don't really stick out in your network traffic.

And I mentioned yesterday how the rule Microsoft published initially to block exploitation of

the new exchange vulnerabilities wasn Well, it wasn't

sufficient. It had this ad simple in there that was really too specific and did allow some

working exploits. Microsoft now released an updated rule, removing the ad simple from the

original rule. The new rule will be applied automatically

...