SANS Stormcast Monday, June 8th, 2026: Wetransfer Phish; Spying Smart TV; Dashlane Brute Force

SANS Internet StormCast, Jun 8, 2026

Why It Matters

These incidents illustrate how attackers are leveraging everyday tools—file‑transfer services, smart home devices, and password‑manager sync features—to evade detection and compromise credentials. Understanding these tactics helps organizations prioritize monitoring of legitimate cloud services, consider restricting smart‑TV traffic, and demand tighter security measures from SaaS providers, making the episode especially relevant as remote work and AI‑driven data collection continue to grow.

Key Takeaways

  • WeTransfer links used to hide malicious PowerShell downloader.
  • Smart TVs used as home IP proxies for AI scraping.
  • Bright Data sells API providing 400M residential IP addresses.
  • Dashlane breach exposed ~20 encrypted vaults via six‑digit challenge.
  • Rate‑limit enhancements needed to protect password‑manager cloud sync.

Pulse Analysis

The latest Stormcast episode spotlights a WeTransfer‑based phishing campaign that disguises a malicious downloader behind a legitimate file‑transfer link. The email directs victims to a JavaScript payload that launches PowerShell commands, ultimately delivering an image‑styled MSI wallpaper. Attackers embed a Base64‑encoded script at the end of the image, using light obfuscation to evade automated scanners. By exploiting trusted cloud services such as Cloudflare‑hosted URLs, the threat bypasses simple URL filtering. Organizations should monitor unexpected WeTransfer traffic, enforce content‑inspection on outbound scripts, and consider selective blocking when the service isn’t required.

Another focus is the abuse of smart TVs as low‑profile residential proxies. Bright Data markets an API that grants access to roughly 400 million home IP addresses, allowing AI companies to scrape copyrighted material while sidestepping Cloudflare’s data‑center filters. The service injects proxy code into TV firmware and, in some cases, iOS SDKs, activating only when the device is idle to remain invisible. Include Security published the associated domain list, enabling DNS‑based blocking, though the list may evolve. Enterprises should inventory always‑on IoT devices, segment them on separate VLANs, and apply strict egress filtering to mitigate proxy misuse.

The episode closes with Dashlane’s disclosure of a brute‑force attack that exposed about twenty encrypted vaults. Attackers repeatedly guessed the six‑digit device‑addition code, a one‑in‑a‑million chance per try, eventually compromising accounts and forcing the vaults to be decrypted offline. Dashlane plans to introduce global rate limits and per‑account attempt caps, but the incident underscores the inherent risk of cloud‑synchronised password managers. Vendors must harden public APIs, enforce multi‑factor authentication, and monitor anomalous login patterns. Users should enable additional verification steps and consider offline vault storage for high‑value credentials.
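
The two controls named above, a per-account attempt cap and a global rate limit on a six-digit challenge, can be sketched as follows. This is an added example, not Dashlane's code; the class name, method names, return strings and thresholds are assumptions chosen for illustration.

```python
import hmac
from collections import defaultdict, deque


class ChallengeGuard:
    """Guards a six-digit code check with a per-account cap and a global failure limit."""

    def __init__(self, per_account_cap=5, global_failures=100, window=60.0):
        self.per_account_cap = per_account_cap  # wrong guesses allowed per issued code
        self.global_failures = global_failures  # wrong guesses tolerated service-wide per window
        self.window = window                    # sliding window length in seconds
        self.codes = {}                         # account -> currently valid code
        self.misses = defaultdict(int)          # account -> wrong guesses against that code
        self.recent = deque()                   # timestamps of wrong guesses, all accounts

    def issue(self, account, code):
        """Register a freshly generated code; a new code resets the account's counter."""
        self.codes[account] = code
        self.misses[account] = 0

    def verify(self, account, guess, now):
        # Drop global failures that have aged out of the sliding window.
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        # Guesses sprayed across many accounts never hit one account's cap,
        # so the service-wide counter is what stops them.
        if len(self.recent) >= self.global_failures:
            return "throttled"
        code = self.codes.get(account)
        if code is None:
            return "no_challenge"
        if hmac.compare_digest(code.encode(), guess.encode()):  # constant-time compare
            del self.codes[account]             # codes are single use
            return "ok"
        self.misses[account] += 1
        self.recent.append(now)
        if self.misses[account] >= self.per_account_cap:
            del self.codes[account]             # burn the code: later guesses cannot succeed
            return "locked"
        return "wrong"


def guess_success_bound(attempts, digits=6):
    """Upper bound on hitting a uniformly random code with `attempts` distinct guesses."""
    return min(1.0, attempts / 10 ** digits)
```

With a cap of five wrong guesses per issued code, `guess_success_bound(5)` puts an attacker's chance per challenge at 5 in 1,000,000. The global limit also delays legitimate users while it is tripped, which is the trade-off to tune.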

Episode Description

The Evil MSI Background is Back!

https://isc.sans.edu/diary/The%20Evil%20MSI%20Background%20is%20Back!/33054

https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/

https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts#update-jun-4

https://www.sans.org/profiles/dr-johannes-ullrich
