Hello and welcome to the Monday, November 24, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

Jan came across an interesting new technique by which attackers are possibly attempting to better obfuscate their phishing pages. This started with a standard email phish, nothing really all too exciting here. Now, one of the goals of attackers is often to make the email or the webpage look different to the user than it looks to an automated system. And that's how we sometimes have cascading style sheets being used to, for example, mark certain text as invisible. But then of course a simple detection engine may not necessarily notice this. Here the cascading style sheets are used a little bit differently. What Jan suggests is that in this case the attacker just added cascading style sheets to make the page larger, and with that less likely to be detected as malicious. The reason behind this is twofold. First of all, some detection engines do have an upper limit as to how much text they're actually going to scan. So just by adding a lot of text, and here I think we're dealing with about half a megabyte, they may attempt to sort of exceed that boundary. The other thing is that the cascading style sheet being added to the HTML page here is actually, well, just a fairly common Bootstrap cascading style sheet. It's copy-pasted; it's not included as it's usually being done. So it's not necessarily something where an attacker just added it because they may need a feature, and apparently they're not actually using any features from this cascading style sheet. They're really just using it to pad the content. And by padding it with very common, benign content, of course, they may also slip past some detection engines.

And last week I talked about the critical vulnerability in Oracle Identity Manager, where Searchlight Cyber had an article about this vulnerability and basically explained in detail how to exploit it. I noted that we did actually see a couple of exploit attempts against this vulnerability prior to the Oracle patch, but also prior to Searchlight Cyber releasing anything about this. Well, we now have an article here by SecurityWeek's Eduard Kovacs, who did actually reach out to Searchlight Cyber, and they state that the IP addresses from which we detected these attacks prior to the release were actually part of Searchlight Cyber, where their research team was essentially scanning to figure out how many vulnerable systems there likely are.

And then we have an update from the ClamAV project. ClamAV is the very popular open source anti-malware engine. Well, like many projects that have been around for a while, and ClamAV has been out there for over 20 years now, they have a lot of signatures that accumulated over the years and are no longer really relevant. So in December, they're going to remove a lot of the older, no longer relevant signatures. The reason this sort of matters is that as a result, the signature files will be significantly shorter, like about a third or half of the original size, depending on how exactly you're downloading them. And if you have any kind of checks in your update scripts that make sure that the new version isn't significantly shorter than the old version, to avoid partial downloads, for example, well, you may get some false positives from these checks. So just in case you see this, you know why this is happening.

Well, and that's it for today. Just a quick note: we do have the Thanksgiving holiday coming up here in the US, and there will only be three podcasts this week, Monday, Tuesday and Wednesday, this being the Monday podcast. I'm also trying to keep them a little bit shorter if possible. Hope that the news cycle sort of is cooperating here and we can keep it a little bit easier for everybody. Well, that's it. Thanks for listening. Thanks for subscribing. Thanks for leaving comments about this podcast, and talk to you again tomorrow. Bye.
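The CSS-padding evasion described in the first segment, as an added example that is not part of the podcast or of Jan's diary entry: a constructed phishing-style page is padded with roughly half a megabyte of repeated Bootstrap-like CSS rules in an inline style block, and a scanner that only inspects the first 64 KiB (the `SCAN_LIMIT` constant, the regex and the page builder are all assumptions made for this example) never reaches the credential form. The hardened variant strips inline style blocks before applying the byte cap, and `style_share` gives a simple padding indicator a defender could log or alert on.

```python
import re

# Assumption for this example: a scanner that only inspects the first 64 KiB of a page.
SCAN_LIMIT = 64 * 1024

# Indicator of a credential-harvesting form; deliberately simple for illustration.
SUSPICIOUS = re.compile(r'<input[^>]+type=["\']?password', re.I)

# Matches inline <style>...</style> blocks, including multi-line ones.
STYLE_BLOCK = re.compile(r'<style\b[^>]*>.*?</style>', re.I | re.S)


def build_padded_page(pad_bytes):
    """Constructed sample page: benign, Bootstrap-like CSS repeated to pad_bytes,
    followed by the part a scanner actually cares about (a password form)."""
    rule = ".btn-primary{color:#fff;background-color:#0d6efd;border-color:#0d6efd}\n"
    css = (rule * (pad_bytes // len(rule) + 1))[:pad_bytes]
    return ("<html><head><style>" + css + "</style></head><body>"
            "<form action='https://login.example.invalid/'>"      # placeholder host
            "<input type='password' name='pw'></form></body></html>")


def naive_scan(page):
    """Scanner with a byte cap: only the first SCAN_LIMIT bytes are examined,
    so anything pushed past that boundary by padding is never seen."""
    return bool(SUSPICIOUS.search(page[:SCAN_LIMIT]))


def strip_inline_style(page):
    """Remove inline style blocks; they carry no visible content worth matching."""
    return STYLE_BLOCK.sub('', page)


def hardened_scan(page):
    """Apply the same byte cap, but only after discarding inline CSS, so padding
    made of style rules can no longer push the interesting markup out of view."""
    return bool(SUSPICIOUS.search(strip_inline_style(page)[:SCAN_LIMIT]))


def style_share(page):
    """Fraction of the page occupied by inline style blocks. A page that is
    almost entirely CSS it never references is itself worth flagging."""
    total = len(page)
    styled = sum(len(m.group(0)) for m in STYLE_BLOCK.finditer(page))
    return styled / total if total else 0.0


if __name__ == "__main__":
    padded = build_padded_page(512 * 1024)   # ~half a megabyte of CSS, as in the diary
    print("naive scan flags padded page:   ", naive_scan(padded))
    print("hardened scan flags padded page:", hardened_scan(padded))
    print("share of page that is inline CSS: %.3f" % style_share(padded))
```

The byte cap itself is not the flaw; every scanner has one. The point is what is counted against it: strip or separately budget markup that carries no user-visible content (inline style and script blocks) before applying the limit, and treat an unusually high style share as a signal in its own right rather than as noise.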