

SANS Stormcast Tuesday Mar 4th: Mark of the Web Details; SharePoint and Click-Fix Phishing; Paragon Partition Manager BYOVD Exploit
Mar 4, 2025
This episode covers the details of the 'Mark of the Web' in Windows, including how it stores information such as the source URL and referrer; a phishing attack that abuses SharePoint via the Microsoft Graph API to lure users into executing harmful commands; and a critical vulnerability in Paragon Partition Manager that lets attackers escalate privileges for ransomware deployment, even on systems where the software is not installed.
Episode notes
Mark of the Web Details
- The "Mark of the Web" (MotW) is a Windows feature that records a file's internet origin and triggers security warnings when a downloaded executable is run.
- It is stored as an NTFS alternate data stream, so it is lost on file systems that do not support such streams and is not preserved by some archive utilities.
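As an added example (not code from the episode), a small Python decoder for the Zone.Identifier alternate data stream that carries MotW: it parses the ZoneId, ReferrerUrl and HostUrl fields the episode mentions, and returns nothing when the stream is missing, which is exactly what happens after the file system or archiver limitations noted above. The sample stream, the example.invalid URLs and the function names are constructed for this example.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Windows URL security zone numbers carried in the ZoneId field.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

@dataclass
class MotW:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]  # page the download was started from
    host_url: Optional[str]      # URL the file bytes came from

    @property
    def triggers_warning(self) -> bool:
        # Windows applies MotW handling (warnings, Protected View) for zones 3 and 4.
        return self.zone_id >= 3

def parse_zone_identifier(stream_text: str) -> Optional[MotW]:
    """Parse Zone.Identifier stream text; None if it is not a valid MotW record."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: ZoneId, ReferrerUrl, HostUrl
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = parser["ZoneTransfer"]
    if not sec["ZoneId"].strip().isdigit():
        return None
    zone_id = int(sec["ZoneId"])
    return MotW(zone_id, ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
                sec.get("ReferrerUrl"), sec.get("HostUrl"))

def read_motw(path: str) -> Optional[MotW]:
    """Read MotW from a file on NTFS (Windows ':Zone.Identifier' ADS syntax); None
    when the stream is absent, e.g. after a FAT/exFAT copy or an ADS-dropping archiver."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

# Constructed sample stream, in the form a browser download writes it.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/downloads/\r\n"
                 "HostUrl=https://cdn.example.invalid/tool.exe\r\n")
```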
HTML Email Phishing
- Recent phishing attacks used HTML email attachments that display a fake error message and prompt the user to copy and paste a PowerShell script to "fix" it.
- This bypasses typical email security measures, as the HTML itself doesn't contain traditionally malicious elements.
Paragon Partition Manager Exploit
- Update Paragon Partition Manager, and check for its driver even on systems where the software is not installed: the driver has a privilege escalation vulnerability, and attackers can bring the vulnerable driver with them (BYOVD).
- Microsoft added the vulnerable driver to its block list, but additional security measures are recommended.