SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, November 24th, 2025: CSS Padding in Phishing; Oracle Identity Manager Scans Update;

SANS ISC Handlers

Tech News, News, Technology

🗓️ 24 November 2025

⏱️ 5 minutes

Summary


Use of CSS stuffing as an obfuscation technique?
Phishing sites stuff their HTML with benign CSS code. This is likely supposed to throw off simple detection engines.
https://isc.sans.edu/diary/Use%20of%20CSS%20stuffing%20as%20an%20obfuscation%20technique%3F/32510
Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day
Early exploit attempts for the vulnerability were part of Searchlight Cyber's research effort.
https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/
ClamAV Cleaning Signature Database
ClamAV will significantly clean up its signature database
https://blog.clamav.net/2025/11/clamav-signature-retirement-announcement.html

Transcript

0:00.0

Hello and welcome to the Monday, November 24, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:12.5

My name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:17.4

And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

0:25.7

Jan came across an interesting new technique, how attackers are possibly attempting to better obfuscate their phishing pages.

0:33.6

This started with a standard email phish, nothing really all too exciting here.

0:38.3

Now, one of the goals often of attackers is to make the email or the web page look different to the user than it looks to an automated system.

0:47.9

And that's how we sometimes have cascading style sheets being used to, for example, mark certain text as invisible. But then, of course,

0:56.2

a simple detection engine may not necessarily notice this. Here, the cascading style sheets are used

1:01.7

a little bit different. What Jan suggests is that in this case, the attacker just added cascading

1:09.8

style sheets to make the page larger and with that

1:14.1

less likely going to be detected as malicious. The reason behind this is twofold. First of all,

1:20.7

some detection engines do have an upper limit as to how much text or so they're actually going to scan. So just by adding a lot

1:30.4

of text and here I think we're dealing with about half a megabyte. They may attempt to sort of

1:35.3

exceed that boundary. The other thing is that the cascading style sheet being added to the

1:41.1

HTML page here is actually, well, just a fairly common Bootstrap cascading

1:46.7

style sheet. It's copy-pasted, not included as it's usually being done. So it's not necessarily

1:53.7

something where an attacker just added it because they may need a feature. And apparently they're

1:59.5

not actually using any features from this cascading style sheet.

2:03.3

They're really just using it to pad the content.

2:06.6

And by padding it with very common benign content, of course, they may also slip past some detection engines.

2:15.2

And last week I talked about the critical vulnerability in Oracle Identity Manager,

2:20.3

where Searchlight Cyber had an article about this vulnerability and basically explained in

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
