Summary4 min read

SANS Stormcast – March 2nd, 2026

Host: Johannes B. Ullrich
Main Theme: Rapid-fire coverage of late-breaking cybersecurity news, focusing on new phishing techniques, vulnerabilities, and updates critical for practitioners to know as the week begins.

Episode Overview

This episode delivers concise analyses of current security events worth watching, including:

A deep dive into a cleverly engineered fake FedEx phishing campaign (via SANS diary)
A novel abuse of .ARPA domains for phishing and evasion
Microsoft Authenticator's withdrawal of support for rooted/jailbroken devices
Serious, patch-worthy vulnerabilities in Trend Micro’s Apex One
Announcement of a special webcast on the AirSnitch vulnerability

Key Discussion Points & Insights

1. Reversing a Fake FedEx Phishing Email

Timestamps: 00:19–02:20

SANS Diary Analysis by Xavier:
- Details a real-world phishing attempt sent to frequent FedEx users.
- Victims more likely if they handle shipping regularly, become desensitized to alerts.
- Malicious attachment is a 7-Zip file, inside which is a batch file.
- The infection chain employs:
  - Simple batch file
  - Persistence mechanisms
  - Encoded PowerShell, ultimately an AES-encrypted script
- Extraction/Decryption:
  - Keys and IVs are embedded in the binary; can be extracted.
  - Safest decryption method: run the PowerShell with breakpoints to avoid execution of payload.
  - The next payload is a ‘donutloader’ script, which loads the xWarm malware.
Notable Quote:

“In this case, like the easiest way to do it is just run the PowerShell script, but then put the right breakpoints in place so it really just decrypts it and doesn’t actually execute it.” — Johannes B. Ullrich (01:17)
- Detection tip:
  - VirusTotal scores are often unreliable for new samples.
  - Look for red-flag outbound connections: e.g., port 7030, rather than relying on hash-based detection.

2. Abusing .ARPA Domains in Phishing Campaigns

Timestamps: 02:21–04:07

Infoblox Report:
- Attackers bypass traditional lookalike domains.
- Instead, leverage IP6.ARPA (used for IPv6 reverse lookups) to host phishing sites.
- Process:
  - Use Hurricane Electric to get free IPv6 space and tunnel.
  - Delegate IP6.ARPA subdomain and control its DNS.
  - Point it to a major public DNS provider (e.g., Cloudflare).
  - Can acquire TLS certificates and operate like any standard domain.
  - Random prefixes used, but not meant for site impersonation—focus on evasion.
- Why it works:
  - DNS logs rarely scrutinize ARPA queries (usually used for reverse lookups).
  - Use of A, AAAA (quad-A), or A6 records instead of PTR could indicate abuse.
Notable Quote:

“So double check your DNS logs. And again, this comes from Infoblox.” — Johannes B. Ullrich (03:58)

3. Microsoft Authenticator Update: Rooted/Jailbroken Device Support Ending

Timestamps: 04:08–04:57

Key Change:
- Microsoft Authenticator now blocked on rooted Android devices.
- Jailbroken iOS: support ends in April (delayed from March).
Reason:
- Rooted/jailbroken devices considered insecure; app could be tampered with, leaking secrets.
Notable Quote:

“If you have a rooted or jailbroken device, then of course there’s always a chance that someone is messing with the application because some of the security guardrails around sort of applications are weakened…” — Johannes B. Ullrich (04:29)

4. Trend Micro Apex One Directory Traversal Vulnerabilities

Timestamps: 04:58–05:30

Critical Updates Out:
- Vulnerability enables remote code execution via directory traversal.
- Affects both Windows and Mac versions.
Action:
- Immediate update recommended, especially as it’s endpoint protection software directly exposed to threats.

5. Special Webcast: AirSnitch Vulnerability

Timestamps: 05:31–06:13

Announcement:
- Webcast today at 4:00pm Eastern.
- Led by SANS instructors Larry Pesky (Wi-Fi expertise) and James Lloyd Vidal (Pen testing).
- Covers an AirSnitch vulnerability discussed the previous Friday.

Notable Quotes & Memorable Moments

On phishing detection shortcomings:

“VirusTotal rates are usually not that great because the exact hashes...are not necessarily already recognized.” — Johannes B. Ullrich (02:05)
On DNS-level evasion:

“A lot of these ARPA DNS lookups are kind of overlooked, not really analyzed very closely because they’re often used for reverse lookups.” — Johannes B. Ullrich (03:39)

Important Segment Timestamps

Fake FedEx Malware Analysis: 00:19–02:20
Abusing .ARPA for Phishing: 02:21–04:07
Microsoft Authenticator Change: 04:08–04:57
Trend Micro Apex One Vulnerabilities: 04:58–05:30
AirSnitch Webcast Details: 05:31–06:13

Tone & Style

Direct, technical, and focused, with a practical tone appropriate for security professionals who need actionable intelligence.

Summary Takeaways

Phishing campaigns are growing more sophisticated, using familiar brands and uncommon infrastructure (e.g., .ARPA domains) to bypass detection.
Traditional hash detection is not enough—behavioral indicators (ports, logs, DNS anomalies) are critical.
Security products’ compatibility may change quickly—track vendor advisories to avoid lockouts.
Apply critical updates to endpoint security products without delay, especially given their exposure.
Further practical demonstrations (like the AirSnitch webcast) are available for deeper learning.

Loading summary

Transcript1 lines

[00:05]
A
Hello and welcome to the Monday, March 2, 20206 edition of the sans Internet storm centers Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida and this episode is brought to you by the SANS EDU Undergraduate Certificate Program in Applied Cybersecurity. In diaries this weekend we had one by Xavier about, Well, a fake FedEx email. The problem with these FedEx FedEx emails are to many of us they're kind of old news and it's easy to recognize. But think about it from perspective. And that's sort of how I've seen these emails work of someone that receives a lot of or reasonable number of these FedEx emails. They're dealing a lot with shipping. They're sort of a little bit desensitized to that and then maybe tricked like in this case to opening an attachment that is actually a 7 zip file. Xavier walks you through the analysis of this particular malicious email. Starts out with a simple batch file and also usual sort of persistent mechanisms, then encoded PowerShell script. In the end, it's actually an as encrypted script. Of course, the credentials here, keys and IVs are in the binary, so in that zip file. So definitely something that you can then extract in order to decrypt it. And that's sort of what Xavier walks you through here. The decryption part is probably sort of more interesting and dangerous part in some ways too, because in this case, like the easiest way to do it is just run the PowerShell script, but then put the right breakpoints in place so it really just decrypts it and doesn't actually execute it. And the next stage, which in this case, well, turns out to be a script called donutloader, it's of a basic malware loader that in this particular case does then load and execute xWarm. Just one note here, with all of these emails, the virus total rates are usually not that great because the exact hashes and such are not necessarily already recognized. But there are often some simpler things to look for, like here, for example, outbound connections in the 7,000 range. It's a port number of 7,030 here. I think that's probably a better signature, if you want to call it that way, than looking for specific hashes and the like that would identify this malware. Now, talking about phishing campaigns, Infoblox has the blog post outlining an interesting twist to how domains are being used for phishing campaigns. Of course, that's sort of one of the tricky things you have to come up with the lookalike domain name or something like that in order to then basically direct victims to your particular website. Now in this case they're not actually using lookalike domains. Instead they're using domains within the ARPA top level domains. And you probably have seen ARPA like IP6RPA, that's what they're using here. That is being used to reverse resolve IPv6 addresses. But what they're doing here is they're first going to Hurricane Electric. Hurricane Electric, not sure if you're familiar with it. They have a very nice and well performing service where you can get IPv6 address space for free and the necessary tunnels in order to use that address space. And they also allow you to basically then register your own reverse resolution using the respective IP6ARPA domain. Now that domain really behaves like any other domain. So what you can do now is you can then once you are basically now once this domain is delegated to you and you are able to set up a name server for it, you just point it to the cloudflare name server. Since you own that particular subdomain, you're able then to get TLS certificates for it and well use it just like any other domain name. What they often do in this case is like have a random letter prefix. Personally I would actually use that for example to impersonate another site, but that's not really what they're after in this case. And then they sort of have a basic simple free infrastructure in order to bootstrap their phishing site. This of course is also intended to sort of fly below the radar because a lot of these ARPA DNS lookups are kind of overlooked, not really analyzed very closely because they're often used for reverse lookups. In this case you should see an a record lookup for, or an A6 or a quad A record lookup for these domains. So that may be a little bit more an indicator here that something is wrong. It's not a pointer lookup for that particular ARPA domain, but either way, yes, it works and yes it's being used. So double check your DNS logs. And again, this comes from Infoblox. And a quick note, in case you didn't have that sort of on your radar. But if you're relying on the Microsoft Authenticator application, it will no longer work on rooted Android devices. On jailbroken iOS devices, it'll stop working in April. They originally thought about basically also breaking them in March, but they push that back for some reason. So you'll have a little bit more time if you're using iOS, but Android already shouldn't be working if the device is rooted. The reasoning behind this is that if you have a rooted or jailbroken device, then of course there's always a chance that someone is messing with the application because some of the security guardrails around sort of applications are weakened and then attacker could for example steal secrets or the like. So that's why they enforce that you can only run it on non jailbreaking, non rooted devices. And Trend Micro released a critical Update for its Apex1 application that affects the Windows and the Mac version. These are directory traversal vulnerabilities that can lead to remote code execution, so definitely keep them updated given that this is the type of application that you intend to be exposed to malicious software. So definitely get it updated. And then we also have a special webcast today on Monday. That webcast is about the Air Snitch vulnerability that I covered on Friday. It's being led by two of our greatest instructors here, Larry Pesky and James Lloyd Vidal, one of them doing a lot of our Wi Fi stuff, the other one a lot of the pen testing parts. So definitely some great content here. And it's running at 4:00pm Eastern, so that's about 10:10pm in Europe or 1:00pm in California. Well, that's it for today. Thanks for listening, thanks for liking. Thanks for subscribing to this podcast. The links to the special webcast also in the show notes and talk to you again tomorrow. Bye.