TRENDING TOPICS MAR 17, 2025

CSS Exploitation in Spam and Tracking Attacks

Hackers are finding new ways to sneak dangerous emails past spam filters and track what people do with their messages. One method they use involves CSS, a tool generally meant for designing web pages. By tweaking specific CSS settings, they can make parts of an email invisible to the reader while keeping it readable by the email system. For example, they use properties like text-indent and opacity to hide links or extra words that help their emails avoid being flagged as spam. They also mix hidden text and unnecessary content into the email's code to confuse security systems, making it harder for email filters to recognize and block phishing emails. As a result, more fake emails pretending to be from trusted sources end up in people's inboxes, increasing the chances of someone clicking a dangerous link.

Beyond hiding content, attackers secretly use CSS to gather information about the person receiving the email. They do this through features like the @media rule, which lets them detect details about the reader's device, such as screen size, color settings, and even which email app they use. This might seem harmless, but it helps hackers track whether someone has opened or printed an email, and they can use this data to target people more effectively in future scams. Monitoring users this way would usually require JavaScript, but because email services often block JavaScript for security reasons, hackers use CSS instead. This kind of tracking is dangerous because it lets criminals build a profile of their target without the target ever realizing it.

To stay safe, companies and individuals should use advanced email security tools that detect hidden tricks in messages and consider privacy tools that block CSS-based tracking.
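To make the hiding and tracking tricks concrete from the defender's side, here is an added example (not part of the original item, and not code from any vendor it mentions) that scans an HTML email body for the CSS patterns described: text-indent and opacity hiding, zero font size, display:none, and @media rules that fetch a remote URL. The sample message and the tracker.example and login.example hostnames are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample message body (not from any real campaign) showing both tricks:
# hidden text that only the filter "reads", and @media rules that fetch a URL
# conditionally so the sender learns about the reader's device or print action.
SAMPLE_EMAIL_HTML = """
<html><head><style>
  .hid { text-indent: -9999px; opacity: 0; }
  @media screen and (max-width: 480px) { body { background: url('https://tracker.example/px?d=mobile'); } }
  @media print { body { background-image: url("https://tracker.example/px?printed=1"); } }
</style></head>
<body>
  <p>Your invoice is attached.</p>
  <p style="font-size:0; color:#ffffff">lorem ipsum harmless newsletter words</p>
  <span class="hid">http://login.example/verify</span>
  <div style="display:none">unsubscribe preferences</div>
</body></html>
"""

# Declarations that keep text in the DOM (so filters see it) but out of the reader's view.
HIDING_PATTERNS = {
    "zero_opacity": re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:[;}\"']|$)"),
    "offscreen_text_indent": re.compile(r"text-indent\s*:\s*-\d{3,}"),
    "zero_font_size": re.compile(r"font-size\s*:\s*0(?:px|pt|em|rem|%)?\s*(?:[;}\"']|$)"),
    "display_none": re.compile(r"display\s*:\s*none"),
}
# A single-level @media block; good enough for email-grade CSS.
MEDIA_RULE = re.compile(r"@media\s*([^{]+)\{(.*?)\}\s*\}", re.S)
URL_IN_CSS = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)")


class EmailCssScanner(HTMLParser):
    """Collects inline-style hiding tricks and remote URLs inside @media rules."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False
        self._stylesheets = []

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        style = dict(attrs).get("style") or ""
        for name, pattern in HIDING_PATTERNS.items():
            if pattern.search(style):
                self.findings.append(("inline_hidden", name, tag))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> content arrives as raw CSS text
            self._stylesheets.append(data)

    def finish(self):
        css = "\n".join(self._stylesheets)
        for name, pattern in HIDING_PATTERNS.items():
            if pattern.search(css):
                self.findings.append(("stylesheet_hidden", name, "style"))
        for match in MEDIA_RULE.finditer(css):
            query, body = match.group(1).strip(), match.group(2)
            for url in URL_IN_CSS.findall(body):
                # Any remote fetch gated on a media query is a device/print beacon.
                self.findings.append(("media_beacon", query, url))
        return self.findings


def scan_email_html(html):
    """Return a list of (kind, detail, where) findings for one HTML email body."""
    scanner = EmailCssScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.finish()


if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL_HTML):
        print(finding)
```

A filter that only scores extracted text still "sees" the hidden words, which is exactly what the sender wants; the useful signal is the presence of the hiding declarations themselves, plus any conditional remote fetch inside a `<style>` block, because the mail client, not the sender, decides whether that URL is loaded.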

  

Update: Cloud Storage Ransomware: A Growing Threat

A recent Palo Alto Networks Unit 42 report revealed that 66% of cloud storage buckets contain sensitive data, making them prime targets for ransomware attacks. These attacks are not always carried out with malware; instead, cybercriminals have learned to exploit the built-in security features of cloud platforms to lock organizations out of their data. The SANS Institute has highlighted that attackers can misuse the default storage settings and security controls provided by cloud services, with devastating consequences. Researchers have demonstrated how threat actors can encrypt cloud storage buckets using legitimate AWS security features such as S3 SSE-C encryption and KMS keys with external key material. The growing concern is that attackers do not need to create new exploits: they are simply using cloud security tools in unintended ways, which makes these attacks harder to detect and prevent.

Organizations must take proactive security measures to defend against these evolving threats instead of assuming that cloud providers will protect their data. Understanding cloud security controls is critical: many users are familiar with personal backup services like OneDrive and iCloud, but enterprise cloud storage solutions such as Amazon S3, Azure Storage, and Google Cloud Storage do not enable file recovery by default. Security teams must also restrict encryption methods the organization does not use, such as AWS S3 SSE-C and AWS KMS external key material, because they give attackers complete control over the encryption keys. Enabling backups, object versioning, and object locking can prevent permanent data loss, but these features must be turned on manually. Since cloud security comes at a cost, data lifecycle policies should be used strategically to balance security and expenses. However, organizations must be cautious, as attackers have abused lifecycle policies in past ransomware campaigns to quickly force victims into paying ransoms.

To avoid these threats, companies must take control of their cloud security settings and assume responsibility for protecting their data.
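As an added example (not taken from the Unit 42 or SANS material the item cites), the following Python builds an S3 bucket policy that denies the two encryption modes the text names, simulates how that policy treats a few PutObject requests with a deliberately minimal condition evaluator, and audits a bucket's recovery settings. The account id, bucket name and the bucket-config dictionary are constructed placeholders; the condition keys are S3's own.

```python
import fnmatch
import json

ACCOUNT_ID = "123456789012"           # constructed placeholder, not a real account
BUCKET_NAME = "example-finance-data"  # constructed placeholder bucket


def build_encryption_guardrail_policy(bucket, account_id):
    """Bucket policy with two Deny statements for the encryption modes the text names:
    SSE-C (the caller supplies the key) and SSE-KMS with a key outside this account."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                # The customer-algorithm key is only present on SSE-C requests.
                "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
            },
            {
                "Sid": "DenyKmsKeysOutsideAccount",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                # All three must hold: KMS requested, a key id named, and it is not one of ours.
                "Condition": {
                    "StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},
                    "Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "false"},
                    "StringNotLike": {"s3:x-amz-server-side-encryption-aws-kms-key-id":
                                      f"arn:aws:kms:*:{account_id}:key/*"},
                },
            },
        ],
    }


def _condition_holds(condition, ctx):
    """Tiny evaluator for the three operators used above (assumption: real IAM has many more)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                holds = present if expected == "false" else not present
            elif operator == "StringEquals":
                holds = present and ctx[key] == expected
            elif operator == "StringNotLike":
                # Negated operators are true when the key is absent, as in IAM.
                holds = not present or not fnmatch.fnmatchcase(ctx[key], expected)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not holds:
                return False
    return True


def put_object_is_denied(policy, headers):
    """Simulate whether a PutObject carrying these x-amz-server-side-encryption* headers is denied."""
    ctx = {f"s3:{k.lower()}": v for k, v in headers.items()
           if k.lower().startswith("x-amz-server-side-encryption")}
    return any(
        stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
        and _condition_holds(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


# Constructed bucket settings in the shape a small inventory script might collect.
SAMPLE_BUCKET_CONFIG = {
    "versioning": "Suspended",
    "object_lock_enabled": False,
    "lifecycle_rules": [{"id": "expire-fast", "status": "Enabled", "expiration_days": 1}],
}


def audit_recovery_controls(cfg, min_expiration_days=7):
    """Flag recovery features that are off by default and lifecycle rules that delete data quickly."""
    findings = []
    if cfg.get("versioning") != "Enabled":
        findings.append("versioning not enabled: overwritten or deleted objects cannot be restored")
    if not cfg.get("object_lock_enabled"):
        findings.append("object lock disabled: versions can be deleted once an attacker has write access")
    for rule in cfg.get("lifecycle_rules", []):
        days = rule.get("expiration_days")
        if rule.get("status") == "Enabled" and days is not None and days < min_expiration_days:
            findings.append(f"lifecycle rule {rule['id']!r} expires objects after {days} day(s)")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_encryption_guardrail_policy(BUCKET_NAME, ACCOUNT_ID), indent=2))
    for finding in audit_recovery_controls(SAMPLE_BUCKET_CONFIG):
        print("-", finding)
```

Two caveats before enforcing something like this: the KMS statement only inspects requests that name a key ARN, so test it against your own upload paths first, and a key with imported (external) key material can live inside your own account, which the account-scoped pattern cannot distinguish from a normal key; audit key origin in KMS separately.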

 

Update: Malicious Microsoft OAuth Apps Targeting 365 Accounts

Cybercriminals are using fraudulent Microsoft OAuth apps disguised as Adobe Acrobat, Adobe Drive, and DocuSign to steal Microsoft 365 credentials and distribute malware. Proofpoint researchers discovered that these highly targeted attacks have been directed at government, healthcare, supply chain, and retail organizations across the U.S. and Europe. The attackers send phishing emails from compromised charity and small business email accounts, tricking recipients into granting OAuth app permissions. These apps request the profile, email, and openid permissions, which might seem harmless but allow attackers to collect full names, user IDs, profile pictures, and primary email addresses.

Once permission is granted, victims are redirected to phishing pages designed to steal Microsoft 365 credentials or deliver malware. The attacks leverage ClickFix, a social engineering technique that tricks users into interacting with malicious pages. Within a minute of authorization, Proofpoint observed suspicious login activity on victims' Microsoft 365 accounts, indicating immediate credential theft. While the malware being deployed remains unidentified, the technique mirrors previous OAuth-based account hijacking campaigns, proving that OAuth remains a powerful attack vector.

Users are advised to review and revoke unrecognized OAuth apps via myapplications[.]microsoft[.]com and to avoid granting permissions to unknown applications. Microsoft 365 administrators can restrict user consent to third-party OAuth apps through the Enterprise Applications settings, significantly reducing the risk of unauthorized account access.
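The one-minute gap between consent and suspicious login is a concrete detection opportunity. The following Python is an added example (not Proofpoint's or Microsoft's code) that correlates constructed consent-grant events with constructed sign-in events and raises an alert when an unverified app with a vendor-like name is followed within 60 seconds by a successful sign-in from a different IP; the event field names are assumptions rather than the Entra ID log schema.

```python
from datetime import datetime, timedelta

IMPERSONATED_BRANDS = ("adobe", "docusign")       # vendor names the campaign impersonated
IDENTITY_SCOPES = {"openid", "profile", "email"}  # look harmless; still yield name, id, address
CORRELATION_WINDOW = timedelta(seconds=60)        # "within a minute of authorization"

# Constructed sample events; the field names are assumptions, not Entra's audit/sign-in schema.
SAMPLE_CONSENTS = [
    {"ts": "2025-03-17T09:00:00Z", "user": "alice@corp.example", "app": "Adobe Acrobat Cloud",
     "publisher_verified": False, "scopes": ["openid", "profile", "email"], "ip": "198.51.100.10"},
    {"ts": "2025-03-17T09:30:00Z", "user": "bob@corp.example", "app": "Contoso Expense Sync",
     "publisher_verified": True, "scopes": ["openid", "offline_access"], "ip": "198.51.100.11"},
]
SAMPLE_SIGNINS = [
    {"ts": "2025-03-17T09:00:42Z", "user": "alice@corp.example", "ip": "203.0.113.7", "result": "success"},
    {"ts": "2025-03-17T09:30:30Z", "user": "bob@corp.example", "ip": "198.51.100.11", "result": "success"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_consents(consents, signins, window=CORRELATION_WINDOW):
    """Return one alert per consent grant that looks like consent phishing."""
    alerts = []
    for consent in consents:
        reasons = []
        name = consent["app"].lower()
        if any(brand in name for brand in IMPERSONATED_BRANDS) and not consent["publisher_verified"]:
            reasons.append("unverified publisher using a well-known vendor name")
        granted_at = parse_ts(consent["ts"])
        for signin in signins:
            if signin["user"] != consent["user"] or signin["result"] != "success":
                continue
            delta = parse_ts(signin["ts"]) - granted_at
            # A prompt sign-in from somewhere other than where the consent came from.
            if timedelta(0) <= delta <= window and signin["ip"] != consent["ip"]:
                reasons.append(f"successful sign-in from a different IP {signin['ip']} "
                               f"{int(delta.total_seconds())}s after consent")
        if reasons:
            if set(consent["scopes"]) <= IDENTITY_SCOPES:
                reasons.append("only openid/profile/email requested: enough to collect "
                               "name, user id and primary address")
            alerts.append({"user": consent["user"], "app": consent["app"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate_consents(SAMPLE_CONSENTS, SAMPLE_SIGNINS):
        print(alert["user"], "->", alert["app"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The scope note is added only to consents that are already suspicious on other grounds, since openid/profile/email alone describes almost every legitimate app; the combination of an unverified brand-name publisher and a fast sign-in from elsewhere is what separates this pattern from ordinary consent traffic.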

   

Apache Tomcat RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited, allowing attackers to take full control of affected servers with a single PUT request. Security researchers confirmed that hackers are using publicly available proof-of-concept (PoC) exploits, which surfaced just 30 hours after the vulnerability was disclosed. The attack works by sending a base64-encoded Java payload through a PUT request, storing it in Tomcat's session storage, and triggering execution via a GET request with a manipulated JSESSIONID cookie. Because base64 encoding helps evade traditional security filters, most intrusion detection systems fail to catch the exploit.

The flaw affects Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2, and Apache urges users to update to the patched versions (9.0.99+, 10.1.35+, and 11.0.3+) immediately. The vulnerability is triggered when partial PUT requests are enabled, the default servlet is writable, and sensitive files are stored within public directories, making exploitation straightforward in many setups. The lack of an authentication requirement further increases the risk, allowing attackers to plant backdoors, modify configurations, and execute arbitrary code.

While immediate patching is the best defense, mitigation steps include disabling partial PUT support, ensuring the default servlet is set to read-only, and keeping sensitive files away from public upload paths. Security experts warn that this may be the first of many RCE vulnerabilities related to Tomcat's partial PUT handling, with attackers likely to expand their methods to deploy malicious JSP files and compromise systems beyond session storage. Organizations using Apache Tomcat must act quickly to secure their environments before attackers escalate their tactics.
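As an added example, not taken from Apache or from the researchers the item cites, this Python audits a web.xml for the two DefaultServlet settings the text lists as preconditions: a writable default servlet (readonly=false) and partial PUT support left enabled. The web.xml fragments are constructed; `readonly` is the parameter the Tomcat advisory names, while `allowPartialPut` is assumed here to be the init-param that disables partial PUT, so confirm it against the DefaultServlet documentation for your version.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed web.xml fragment (not a real deployment) with the risky configuration.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# The same fragment with the two mitigations from the text applied.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>",
).replace(
    "  </servlet>",
    "    <init-param><param-name>allowPartialPut</param-name>"
    "<param-value>false</param-value></init-param>\n  </servlet>",
)


def _local(tag):
    """Strip the XML namespace so the checks work for javaee and jakartaee schemas alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(xml_text):
    """Return the DefaultServlet's init-params as a dict, or None if it is not declared here."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for child in servlet:
            kind = _local(child.tag)
            if kind == "servlet-class":
                cls = (child.text or "").strip()
            elif kind == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        if cls == DEFAULT_SERVLET_CLASS:
            return params
    return None


def audit_default_servlet(xml_text):
    """Flag the DefaultServlet settings that together expose CVE-2025-24813."""
    params = default_servlet_params(xml_text)
    if params is None:
        return ["DefaultServlet not declared here; the values in conf/web.xml apply (check it too)"]
    findings = []
    # Tomcat's documented default for readonly is true; only an explicit false opens PUT/DELETE.
    if params.get("readonly", "true").strip().lower() == "false":
        findings.append("readonly=false: the default servlet accepts PUT and DELETE (writable)")
    # Assumption: allowPartialPut is the init-param controlling partial PUT and defaults to true.
    if params.get("allowPartialPut", "true").strip().lower() != "false":
        findings.append("allowPartialPut is not false: partial PUT handling stays enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(text) or ["no findings"])
```

Run it over each application's WEB-INF/web.xml and over Tomcat's global conf/web.xml, since a DefaultServlet declared only in the global file is what most deployments actually inherit; patching to the fixed releases remains the real fix, and this check only tells you how exposed an unpatched instance is in the meantime.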

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.