
SANS Stormcast Covers FedEx Phishing Campaign, IP6.arpa Domain Abuse, and Critical Security Updates
The March 2, 2026, SANS Internet Storm Center Stormcast episode covers a malicious FedEx phishing email delivering a 7-Zip attachment that contains a batch file and an encoded PowerShell script, which ultimately deploys the Xwarm malware via a Donut loader. The attack exploits users' desensitization to shipping notifications, and the decryption keys are embedded in the binary; analysts recommend monitoring for unusual outbound connections on port 7300 rather than relying on hash-based detection.

A separate phishing campaign abuses IP6.arpa domains: it leverages Hurricane Electric's free IPv6 tunneling service to register reverse-resolution domains, then points them at Cloudflare to obtain TLS certificates, evading scrutiny because the names resemble legitimate reverse DNS lookups.

Microsoft Authenticator will cease functioning on rooted Android devices immediately and on jailbroken iOS devices in April 2026 because of the security risks those devices pose. Trend Micro released a critical update for Apex One addressing directory traversal vulnerabilities that lead to remote code execution on Windows and Mac. The episode also promotes a live webcast on the Air Snitch Wi-Fi vulnerability, scheduled for 4:00 PM Eastern.
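As an added example (not code from the episode or from SANS), the following Python triage helper applies the two detection ideas above to constructed log lines: non-allow-listed internal hosts making outbound connections to port 7300, and ip6.arpa names appearing where a reverse-lookup name has no business being, namely in forward (A/AAAA) queries or as a TLS SNI. The log field layout and the sample addresses are assumptions.

```python
import re

# Constructed sample records (assumed "space-separated" layout, not a real log format):
# conn: "<src_ip> <dst_ip> <dst_port> <proto>"
# dns:  "<client_ip> <qtype> <qname>"
# tls:  "<client_ip> <dst_ip> <sni>"
CONN_LINES = [
    "10.0.1.15 203.0.113.9 443 tcp",
    "10.0.1.22 198.51.100.77 7300 tcp",   # unexpected outbound port 7300
    "10.0.1.22 198.51.100.77 7300 tcp",
    "10.0.1.15 203.0.113.9 7300 tcp",
    "10.0.9.3 192.0.2.10 7300 tcp",       # 10.0.9.3 is an allow-listed scanner
]
DNS_LINES = [
    "10.0.1.15 PTR 1.0.0.0.0.0.0.0.1.0.0.2.ip6.arpa",  # PTR lookup: normal use of ip6.arpa (shortened name)
    "10.0.1.22 A 2.a.b.c.0.0.0.0.1.0.0.2.ip6.arpa",    # forward lookup of a reverse-zone name: odd
    "10.0.1.22 A www.example.com",
]
TLS_LINES = [
    "10.0.1.22 198.51.100.77 login.2.a.b.c.0.0.0.0.1.0.0.2.ip6.arpa",  # ip6.arpa as SNI: odd
    "10.0.1.15 203.0.113.9 www.example.com",
]

IP6_ARPA = re.compile(r"(^|\.)ip6\.arpa\.?$", re.IGNORECASE)


def is_ip6_arpa(name: str) -> bool:
    """True if the name sits under the ip6.arpa reverse-mapping tree."""
    return bool(IP6_ARPA.search(name.strip()))


def port7300_outliers(conn_lines, allowlist, port="7300"):
    """Count outbound connections to the given port per internal source, skipping allow-listed hosts."""
    counts = {}
    for line in conn_lines:
        src, _dst, dport, _proto = line.split()
        if dport == port and src not in allowlist:
            counts[src] = counts.get(src, 0) + 1
    return counts


def ip6_arpa_misuse(dns_lines, tls_lines):
    """Flag ip6.arpa names used in forward (A/AAAA) queries or as a TLS SNI; PTR queries are expected."""
    hits = []
    for line in dns_lines:
        client, qtype, qname = line.split()
        if qtype.upper() in ("A", "AAAA") and is_ip6_arpa(qname):
            hits.append(("dns", client, qname))
    for line in tls_lines:
        client, _dst, sni = line.split()
        if is_ip6_arpa(sni):
            hits.append(("tls", client, sni))
    return hits
```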