
SANS Stormcast Friday, May 15th, 2026: Website Fraud; Outlook Link Preview Bug; NGINX Vuln; Cisco 0-Day
Hello and welcome to the Friday, May 15, 2026 edition of the SANS Internet Storm Center Stormcast. My name is Johannes Ullrich, recording today from San Diego, California, and this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking.

Well, today we have actually two diaries to talk about. The first one comes again from one of our undergraduate interns. Joshua Nicholson is writing about how to essentially inspect a website to see if it may be fraudulent. These are often these fairly cheap consumer goods websites that offer various items at a really good price, but, well, don't really look quite legit, in part because of the design and the way the sites are created. So it's always a little bit difficult to figure out if they actually offer a valid product or if they're really just interested in scamming you. Well, in this particular case, Joshua offers a couple of hints that point to scam sites, like, for example, where product images were stolen from eBay listings and the like. And also then, sort of as the ultimate proof, Joshua actually went ahead and got a specific credit card number with a very small limit of $5 and placed an order. And in some of these cases and some of these websites, well, the card was immediately charged multiple times from multiple vendors for various amounts that were not necessarily related and anything close to the cost of the item advertised on the site. So real good work, and I think that's useful, kind of sort of to have some quick sanity checks on a website, figure out if it may be legitimate or not. Now, going all the way and actually trying to order something using some credit card number, that's probably too much for most people. But even the other hints are quite good in order to sort of do a quick triage on any deal that may look a little bit too good.

And Jan came across an interesting bug, or dare I say vulnerability, in Outlook. Outlook, if you are placing a message in the junk folder, has the nice property of actually removing some of the formatting from the message, making it a little easier to see what, for example, links are hiding. Now, Jan did just that. He had a spam message in the junk folder, but apparently the links were not displaying at all, basically the URL that the link linked to. The issue here apparently was that these links were missing the scheme or protocol, so the HTTP prefix; it just started with the hostname, followed by the remainder of the URL. While these types of links are still working, basically HTTPS is then used as a default protocol in this case when you click on the link, this does make it technically an invalid URL, and it looks like Outlook in the junk folder will not display these URLs because they don't match the pattern that Outlook is expecting for the URLs. This could be a problem because users are getting used to looking at the junk folder to figure out what a particular message may be attempting to accomplish, whether it is a real message or spam or phishing. In this case, without the URL being displayed correctly, this of course is just getting more difficult.

And researchers from AI code security company Depth First have released a blog post with details regarding four vulnerabilities in NGINX. These vulnerabilities were disclosed to F5, and today, in sync with the release of the blog post, F5 also released patches for NGINX. I already have seen some of these patches also hit major Linux distributions. There are four different vulnerabilities that Depth First has uncovered. One of them in particular sticks out and deserves some attention. It's a heap-based buffer overflow in the mod_rewrite module, and this vulnerability can lead to arbitrary code execution. The one caveat here is that the proof of concept being released so far only works if ASLR, the address space layout randomization, is not enabled. Usually for Linux distributions this is enabled, so you have a little bit of extra time left here until attackers are finding the actual exploit that also supports systems with ASLR. And Depth First stated that they believe this flaw is exploitable with ASLR enabled. It may, however, require a good number of requests to make the exploit work. So a proof of concept is released. The proof of concept doesn't quite work with common Linux distributions, but, well, only some changes are likely required to make it work with common Linux distributions. This is definitely sort of one of those patches that you want to get a handle on, probably before the weekend if possible. But I know it's not always that easy to update your web server, but again, major Linux distributions have patches available.

If you're not running NGINX and you have some extra time this Friday, there is also a new critical vulnerability that was patched by Cisco in the Catalyst SD-WAN controller. It's an authentication bypass vulnerability that got the distinction of a perfect 10.0 CVSS score. And yes, it's already exploited in the wild. So definitely take a look at the advisory published by Cisco. They also have some guidance here as to what to do if you believe that you're compromised. And no workaround here other than applying the patch.

Well, this is it for today, so thanks again for listening. Thanks for liking. Thanks for sharing this podcast with your friends. And there will be no podcast on Monday due to my travel schedule. So talk to you again on Tuesday. Bye.
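The Outlook junk-folder issue above comes down to a link matcher that only recognises URLs carrying a scheme. The following added example (not from the episode, Jan's diary, or Outlook's code) contrasts a scheme-required matcher with one that also catches host-plus-path links, over a constructed message body, so an analyst reviewing a suspicious message can list the links a strict matcher would have hidden.

```python
import re

# Constructed sample message body (not the spam sample from the diary).
SAMPLE_BODY = """Your account is on hold.
Review it here: https://example.com/secure/login
Or use the short form: example-account-check.com/verify?id=123
Regards, Support"""

# Illustrative scheme-required matcher: links without "http://" or
# "https://" are never found. Assumed to mirror the junk-folder
# behaviour described; this is not Outlook's actual pattern.
SCHEME_REQUIRED = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Defender-side matcher: the scheme is optional, but a dotted hostname
# must be followed by a path or query so ordinary prose is not matched.
SCHEME_OPTIONAL = re.compile(
    r'(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>"\']*|\?[^\s<>"\']*)',
    re.IGNORECASE,
)


def extract_links(text: str, require_scheme: bool = True) -> list[str]:
    """Return every link in the text, in order of appearance."""
    pattern = SCHEME_REQUIRED if require_scheme else SCHEME_OPTIONAL
    return [m.group(0) for m in pattern.finditer(text)]


def normalise(url: str) -> str:
    """Apply the https:// default a mail client uses for a scheme-less link."""
    if url.lower().startswith(("http://", "https://")):
        return url
    return "https://" + url


def hidden_links(text: str) -> list[str]:
    """Links the scheme-required matcher would not show, as they resolve."""
    strict = set(extract_links(text, require_scheme=True))
    return [normalise(u) for u in extract_links(text, require_scheme=False)
            if u not in strict]


if __name__ == "__main__":
    for link in hidden_links(SAMPLE_BODY):
        print("would be hidden by a scheme-only matcher:", link)
```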
Episode: Friday, May 15th, 2026
Host: Johannes B. Ullrich
Main Theme:
A concise daily rundown of current cybersecurity threats and research, focusing on practical fraud detection tips, vulnerabilities in NGINX, a new Outlook email bug, and a serious Cisco SD-WAN 0-day.
In this episode, Johannes Ullrich covers:
[00:27 – 02:04]
Case Study by Joshua Nicholson:
Internship research focused on shady e-commerce sites, characterized by:
Sanity Checks for Fraud Detection:
Guidelines include:
Empirical Testing:
Practical Advice:
"Going all the way and actually trying to order something using some credit card number—that's probably too much for most people. But even the other hints are quite good in order to sort of do a quick triage on any deal that may look a little bit too good."
— Johannes B. Ullrich [01:53]
[02:05 – 03:10]
Discovery by Jan:
Implication:
Why It Matters:
"Users are getting used to looking at the junk folder to figure out what a particular message may be attempting to accomplish…without the URL being displayed correctly, this of course is just getting more difficult."
— Johannes B. Ullrich [03:02]
[03:11 – 04:08]
Four New Vulnerabilities:
Highlighted Flaw:
mod_rewrite module, allowing arbitrary code execution.
Exploitation Details:
Recommendation:
"This is definitely sort of one of those patches that you want to get a handle on, probably before the weekend if possible. But I know it's not always that easy to update your web server…"
— Johannes B. Ullrich [04:00]
[04:09 – 04:48]
Critical Vulnerability:
Immediate Action Required:
Urgency Stressed:
"It's already exploited in the wild. So definitely take a look at the advisory published by Cisco. They also have some guidance here as to what to do if you believe that you're compromised. And no workaround here other than applying the patch."
— Johannes B. Ullrich [04:40]
"Real good work and I think that's useful, kind of sort of to have some quick sanity checks on a website, figure out if it may be legitimate or not."
— Johannes B. Ullrich [01:45]
"Proof of concept doesn't quite work with common Linux distributions, but, well, only some changes are likely required to make it work with common Linux distributions."
— Johannes B. Ullrich [03:58]
Ullrich's delivery remains practical, direct, and slightly conversational, with a balance between technical urgency ("patch before the weekend") and measured advice ("quick triage on any deal that may look a little bit too good").
For cybersecurity professionals and IT decision makers, this episode delivers actionable threat intelligence and patch guidance for critical infrastructure, as well as pragmatic strategies for fraud detection and email threat analysis. The clear focus: patch NGINX and Cisco products promptly, be critical about online deals, and beware of UI quirks in your security workflows.