Hello and welcome to the Thursday, June 5th, 2025 edition of the Sands in the Net Storm Centers, Stormcast.

My name is Johannes Ulrich, and this episode brought you by the Sands.edu graduate certificate program in cyber defense operations is recorded in Jacksonville, Florida.

Today we have a diary from Jan about an interesting fishing trick that Jan ran across.

This fishing trick basically hides the malicious link from Outlook users.

So at first, the email looks like, well, any other fishingishing email, it tries to impersonate a bank, but when Jan hovered over the link in Outlook, well, the link actually was a normal link for this particular bank.

So what's the point here?

Well, essentially what the attacker is likely trying to do here is

not trigger the fishing attack for Outlook users. Because Outlook users are often corporate users.

Most home users may be more susceptible to fishing, use webmail browser systems.

And corporate users, of course, have more security around their browsing experience,

which of course could trigger an alert and then could lead to the fishing site being discovered.

So what they're actually doing here is use this little trick here with HTML comments.

This is a specific feature in Outlook that if MSO,

and you often see some sort of product-specific features implemented like this,

where essentially you can

display different content to Outlook users versus other users. And that's really what's happening

here. And that's how the non-Outlook user is seeing the malicious link, while Outlook users

are seeing the benign link.

Interesting little trick, and like I said, it's not necessarily meant to protect Outlook users.

It's more to hide the malicious link from users that are more likely part of a more managed IT environment.

Then we got an update from Amazon regarding the default mode for AWS logging via CloudWatch

logs and others.

...