SANS Stormcast – March 2nd, 2026
Host: Johannes B. Ullrich
Main Theme: Rapid-fire coverage of late-breaking cybersecurity news, focusing on new phishing techniques, vulnerabilities, and updates critical for practitioners to know as the week begins.
Episode Overview
This episode delivers concise analyses of current security events worth watching, including:
- A deep dive into a cleverly engineered fake FedEx phishing campaign (via SANS diary)
- A novel abuse of .ARPA domains for phishing and evasion
- Microsoft Authenticator's withdrawal of support for rooted/jailbroken devices
- Serious, patch-worthy vulnerabilities in Trend Micro’s Apex One
- Announcement of a special webcast on the AirSnitch vulnerability
Key Discussion Points & Insights
1. Reversing a Fake FedEx Phishing Email
Timestamps: 00:19–02:20
- SANS Diary Analysis by Xavier:
- Details a real-world phishing attempt sent to frequent FedEx users.
- Users who handle shipping regularly are more likely to fall for it, because they become desensitized to delivery alerts.
- Malicious attachment is a 7-Zip file, inside which is a batch file.
- The infection chain employs:
- Simple batch file
- Persistence mechanisms
- Encoded PowerShell, ultimately an AES-encrypted script
- Extraction/Decryption:
- Keys and IVs are embedded in the binary and can be extracted.
- Safest decryption method: run the PowerShell with breakpoints to avoid execution of payload.
- The next payload is a ‘donutloader’ script, which loads the xWarm malware.
Notable Quote:
“In this case, like the easiest way to do it is just run the PowerShell script, but then put the right breakpoints in place so it really just decrypts it and doesn’t actually execute it.” — Johannes B. Ullrich (01:17)
- Detection tip:
- VirusTotal scores are often unreliable for new samples.
- Look for red-flag outbound connections (e.g., to port 7030) rather than relying on hash-based detection.
2. Abusing .ARPA Domains in Phishing Campaigns
Timestamps: 02:21–04:07
- Infoblox Report:
- Attackers bypass traditional lookalike domains.
- Instead, leverage IP6.ARPA (used for IPv6 reverse lookups) to host phishing sites.
- Process:
- Use Hurricane Electric to get free IPv6 space and tunnel.
- Delegate IP6.ARPA subdomain and control its DNS.
- Point it to a major public DNS provider (e.g., Cloudflare).
- Can acquire TLS certificates and operate like any standard domain.
- Random prefixes are used; the goal is evasion rather than impersonating a specific site.
- Why it works:
- DNS logs rarely scrutinize ARPA queries (usually used for reverse lookups).
- Use of A, AAAA (quad-A), or A6 records instead of PTR could indicate abuse.
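A small DNS-log check for the indicator described above (added here as an illustration; it is not from the episode or from Infoblox). It assumes a constructed, whitespace-separated query log of the form "timestamp client qname qtype" and flags A, AAAA or A6 queries for names under ip6.arpa or in-addr.arpa, which normally only see PTR traffic.

```python
from typing import Dict, List, Optional

# Constructed sample query log (not real traffic). Assumed format:
# "<timestamp> <client_ip> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
2026-03-02T09:00:01 10.0.0.5 4.3.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.0.0.2.ip6.arpa PTR
2026-03-02T09:00:02 10.0.0.5 1.0.168.192.in-addr.arpa PTR
2026-03-02T09:00:03 10.0.0.7 login.x9k2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.0.0.2.ip6.arpa A
2026-03-02T09:00:04 10.0.0.7 login.x9k2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.0.0.2.ip6.arpa AAAA
2026-03-02T09:00:05 10.0.0.9 www.example.com A
2026-03-02T09:00:06 10.0.0.7 cdn.abc.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.1.0.0.2.ip6.arpa A6
"""

# Reverse-lookup zones where forward-style address records are unexpected.
ARPA_ZONES = (".ip6.arpa", ".in-addr.arpa")
# Record types that indicate the name is being used to host a site.
FORWARD_TYPES = {"A", "AAAA", "A6"}


def is_suspicious(qname: str, qtype: str) -> bool:
    """True if a forward address record is requested under a reverse zone."""
    name = qname.lower().rstrip(".")
    return name.endswith(ARPA_ZONES) and qtype.upper() in FORWARD_TYPES


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def scan_dns_log(log_text: str) -> List[Dict[str, str]]:
    """Return every query that looks like forward use of an ARPA name."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["qname"], rec["qtype"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['qtype']:4} {h['qname']}")
```

Legitimate NS, SOA or DNSSEC records under a delegated ip6.arpa zone are not flagged, so hits should be rare enough to review by hand.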
Notable Quote:
“So double check your DNS logs. And again, this comes from Infoblox.” — Johannes B. Ullrich (03:58)
3. Microsoft Authenticator Update: Rooted/Jailbroken Device Support Ending
Timestamps: 04:08–04:57
- Key Change:
- Microsoft Authenticator now blocked on rooted Android devices.
- Jailbroken iOS: support ends in April (delayed from March).
- Reason:
- Rooted/jailbroken devices considered insecure; app could be tampered with, leaking secrets.
Notable Quote:
“If you have a rooted or jailbroken device, then of course there’s always a chance that someone is messing with the application because some of the security guardrails around sort of applications are weakened…” — Johannes B. Ullrich (04:29)
4. Trend Micro Apex One Directory Traversal Vulnerabilities
Timestamps: 04:58–05:30
- Critical Updates Out:
- Vulnerability enables remote code execution via directory traversal.
- Affects both Windows and Mac versions.
- Action:
- Immediate update recommended, especially as it’s endpoint protection software directly exposed to threats.
5. Special Webcast: AirSnitch Vulnerability
Timestamps: 05:31–06:13
- Announcement:
- Webcast today at 4:00pm Eastern.
- Led by SANS instructors Larry Pesce (Wi-Fi expertise) and James Lloyd Vidal (penetration testing).
- Covers an AirSnitch vulnerability discussed the previous Friday.
Notable Quotes & Memorable Moments
- On phishing detection shortcomings:
“VirusTotal rates are usually not that great because the exact hashes...are not necessarily already recognized.” — Johannes B. Ullrich (02:05)
- On DNS-level evasion:
“A lot of these ARPA DNS lookups are kind of overlooked, not really analyzed very closely because they’re often used for reverse lookups.” — Johannes B. Ullrich (03:39)
Important Segment Timestamps
- Fake FedEx Malware Analysis: 00:19–02:20
- Abusing .ARPA for Phishing: 02:21–04:07
- Microsoft Authenticator Change: 04:08–04:57
- Trend Micro Apex One Vulnerabilities: 04:58–05:30
- AirSnitch Webcast Details: 05:31–06:13
Tone & Style
Direct, technical, and focused, with a practical tone appropriate for security professionals who need actionable intelligence.
Summary Takeaways
- Phishing campaigns are growing more sophisticated, using familiar brands and uncommon infrastructure (e.g., .ARPA domains) to bypass detection.
- Traditional hash detection is not enough—behavioral indicators (ports, logs, DNS anomalies) are critical.
- Security products’ compatibility may change quickly—track vendor advisories to avoid lockouts.
- Apply critical updates to endpoint security products without delay, especially given their exposure.
- Further practical demonstrations (like the AirSnitch webcast) are available for deeper learning.
