
SANS Stormcast Tuesday, April 7th, 2026: Redirects in Phishing; Internet Bug Bounty Suspended; Bluehammer; Keycloak MFA Bypass
Hello and welcome to the Tuesday, April 7, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS EDU Undergraduate Certificate Program in Applied Cybersecurity.

Jan today followed up on a recent diary of mine. In this diary I mentioned that we do see quite a few attackers scanning our honeypots for possible open redirects. There are a couple of reasons why they may be doing this, and one of the suggestions was that these redirects are being used for phishing. And Jan sort of followed up on that, looked at recent phishing emails and tried to figure out how many of these recent phishing emails are using open redirects. So just to be clear about this, an open redirect is a bug or vulnerability in a website that allows an attacker to essentially use this website as a conduit in a phishing attack, where the user is first sent to the harmless website, which will then automatically redirect the user to the actual phishing website. This is different from a compromised website, where an attacker did add a redirect like this to the particular website. So these open redirects are indeed used quite commonly. Jan found them in roughly 20 to 30% of the different phishing emails that he looked at. And of course they're dangerous insofar as these websites being used as a redirect here usually have a good reputation score, are not malicious, not compromised, and as such can often serve as an early first hop in the phishing email chain, which does allow it to pass through many email filters.

HackerOne announced last week that they're suspending their Internet Bug Bounty. What was special about the Internet Bug Bounty was that it was really trying to solicit bugs and security vulnerabilities for open source projects. And then the bounty was actually split between the hacker who found the vulnerability and the open source program. Now the reason behind that suspension is, well, you could have guessed it: due to AI-generated bug reports, they have a huge increase in the number of vulnerabilities being reported. However, the story isn't all bad. This is also about many of these vulnerabilities being real and being good findings, but it just takes more time to vet them, and of course then for open source projects to fix these vulnerabilities, which is why this program, at least for now, is suspended; it's not discontinued. There was a related post from the maintainer of curl. Now he has been very vocal about some of the AI slop he received in the past, but according to him, lately some of the vulnerabilities, or really issues, being reported are real and certainly valuable. The problem there is just that some of them are really more functional issues and maybe nothing that really should be fixed, depending on the use case of this fairly unique tool, curl, which sometimes is supposed to act a little bit differently or send some invalid HTTP requests. So we'll see where this all goes. But it looks like there has been, in the last few months, a substantial increase in the quality of vulnerabilities being reported by AI tools.

And talking about bug bounties and how they sometimes can go wrong, there was apparently a dispute between a researcher and Microsoft about a vulnerability in Microsoft Defender. The end result was that the researcher has now published an undocumented proof of concept to GitHub and basically stated, well, this researcher is kind of sick of dealing with Microsoft on this; they're just going to make it public because, well, basically they gave up waiting for Microsoft to either fix it or acknowledge the contribution. And like I said, there wasn't really any documentation of how the exploit really worked. However, since then a couple of other researchers have figured out that this particular exploit does abuse a time-of-use, time-of-check or race condition issue in Microsoft Defender, and as a result a normal user can either become admin or SYSTEM. That depends a little bit on the platform, and people had slightly different results here that I saw posted to various social media sites. Also, the code as posted was at least initially not fully functional but has since been fixed by these researchers who ran it. So it's definitely a valid vulnerability, even though not terribly easy to exploit. And yes, just a privilege escalation vulnerability. And of course no patch is available at this point.

And the popular open source authentication server Keycloak has released an update. Usually I don't talk about moderate severity vulnerabilities, but this one is kind of interesting. It does allow an attacker to remove a second factor from an account that is authenticated via Keycloak. The bug here is a vulnerability in the REST API where an attacker can essentially send a request and does not actually have to have possession of the second factor in order to remove it from the account. And of course an attacker who just has the username and password could use this to then bypass multi-factor authentication. There are a number of other vulnerabilities being patched in these updates, so definitely take it seriously and do update. In particular, this vulnerability also appears to be relatively easy to exploit.

Well, and this is it for today. Just a quick note that there will be no podcast on Friday this week due to my travel schedule. But other than that, I hope you're leaving good reviews on your favorite podcast platform, and talk to you again tomorrow. Bye.
In today's episode, host Johannes B. Ullrich provides a concise briefing on the latest in cybersecurity, focusing on the increasing use of open redirects in phishing attacks, the temporary suspension of HackerOne’s Internet Bug Bounty in the face of AI-driven submissions, recent controversy over a Microsoft Defender vulnerability disclosure, and a significant MFA bypass vulnerability in the popular open-source tool Keycloak.
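The open-redirect chain the episode describes (a reputable site acting as the first hop and forwarding the victim to the lure), as an added example that is not part of the episode or any ISC tooling: a static checker that unwraps nested redirect parameters from a link exactly as it appears in a phishing email, without fetching anything. The parameter watch-list and the example hosts are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed watch-list of parameter names that often carry a redirect target (not exhaustive).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redirect_url", "next",
                   "return", "returnurl", "goto", "dest", "target", "continue", "u"}

def _fully_decode(value: str, layers: int = 3) -> str:
    """Peel up to `layers` rounds of percent-encoding (targets are often double-encoded)."""
    for _ in range(layers):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def offsite_targets(url: str) -> list[tuple[str, str]]:
    """Return (param, absolute_url) pairs whose host differs from the link's own host."""
    parsed = urlparse(url)
    outer_host = (parsed.hostname or "").lower()
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for raw in values:
            target = urlparse(_fully_decode(raw))
            if (target.scheme in ("http", "https") and target.hostname
                    and target.hostname.lower() != outer_host):
                hits.append((name.lower(), target.geturl()))
    return hits

def redirect_chain(url: str, max_hops: int = 5) -> list[str]:
    """Statically unwrap nested hops: link -> embedded target -> its target ...
    Only watch-listed parameters are followed and nothing is fetched; the chain
    comes from the link text alone, which is all a mail filter gets to see."""
    chain = [url]
    for _ in range(max_hops):
        nxt = [t for p, t in offsite_targets(chain[-1]) if p in REDIRECT_PARAMS]
        if not nxt:
            break
        chain.append(nxt[0])
    return chain

def is_redirect_hop(url: str) -> bool:
    """True when the link's host is only a conduit, not the final destination."""
    return len(redirect_chain(url)) > 1

# Constructed sample: a reputable-looking link whose double-encoded 'url' parameter
# bounces through a second redirector before landing on the lure (all example hosts).
SAMPLE_LINK = ("https://trusted.example/out?url=https%3A%2F%2Fother.example%2Fr"
               "%3Fnext%3Dhttps%253A%252F%252Fphish.example%252Flogin")
if __name__ == "__main__":
    print(" -> ".join(redirect_chain(SAMPLE_LINK)))
```

A relative or same-host target is treated as benign, and an off-site URL in a parameter that is not on the watch-list is still reported by offsite_targets() for triage but not followed as a hop.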
[00:15] Redirects in Phishing
[01:44] Internet Bug Bounty Suspended
Announcement: HackerOne suspended its Internet Bug Bounty, which focused on open-source project vulnerabilities, sharing awards between hackers and the projects.
[03:25] Bluehammer
[04:10] Keycloak MFA Bypass
On open redirects and phishing:
"These websites being used as a redirect here have usually a good reputation score... which does allow it to pass through many email filters."
— Johannes Ullrich ([01:08])
On the AI effect in bug bounties:
"There has been really in the last few months a substantial increase in the quality of vulnerabilities being reported by AI tools."
— Johannes Ullrich ([03:09])
On the Microsoft Defender exploit:
"It's definitely a valid vulnerability even though not terribly easy to exploit."
— Johannes Ullrich ([03:46])
On the Keycloak MFA bypass:
"...does not actually have to have possession of the second factor in order to remove it from the account... vulnerability also appears to be relatively easy to exploit."
— Johannes Ullrich ([04:30])
Today’s Stormcast episode highlights the evolving threat landscape.
Johannes closes with a programming note: No podcast this coming Friday due to travel plans, but he’ll return with more updates tomorrow.