The SANS Institute is one of the largest organizations that offer information security training and security certification to users worldwide.
In a notification posted recently on its site, the organization states that a phishing attack targeting an employee allowed a threat actor to gain access to that employee's email account.



According to the SANS data incident notification [1], the compromise was discovered on August 6th:

We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised.

The attacker configured a rule to forward all email received in the compromised account to an "unknown external email address" and installed a malicious Office 365 add-on.


Every incident could be an educational opportunity

But here's the genius bit: SANS will host a webcast covering the details of this incident that would be useful to the security community.

SANS digital forensics instructors are heading up the investigation. We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response. When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community.

Furthermore, SANS also shared details of the attack that led to the breach in an interesting article on its website [2], which contains a large number of Indicators of Compromise (IoCs):

On July 24, 2020, several employees from various parts of the business received an email with the subject:

File “Copy of sans July Bonus 24JUL2020.xls” has been shared with <recipient>

The sender name appeared to come from an Office 365 asset with the name:

no-reply@sharepointonline.com

The recipient is enticed to click the “Open” button, which initiates the installation of a malicious Office 365 app. Once installed, the app configures an email forwarding rule with numerous keywords associated with financial data.
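The forwarding rule described above is something a defender can hunt for in Exchange audit data. The following is an added example, not code from SANS or from the original article: it scans Office 365 Unified Audit Log records for New-InboxRule / Set-InboxRule operations that forward mail outside the organisation and raises the severity when the rule keys on financial keywords. The internal domain list, the keyword vocabulary and the log records are constructed assumptions, not data from the incident.

```python
import json
import re

# Assumptions (constructed for this example): our own mail domains and a financial vocabulary.
INTERNAL_DOMAINS = {"example.org"}
FINANCIAL_TERMS = {"invoice", "payment", "wire", "bank", "bonus", "payroll"}
# Exchange inbox-rule parameters that send mail elsewhere, and those that filter by keyword.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records (not incident data): an internal forward, an attack-style rule, an unrelated op.
SAMPLE_LOG = [
    '{"Operation":"New-InboxRule","UserId":"alice@example.org","Parameters":['
    '{"Name":"Name","Value":"to assistant"},{"Name":"ForwardTo","Value":"bob@example.org"}]}',
    '{"Operation":"New-InboxRule","UserId":"carol@example.org","Parameters":['
    '{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"\\"x\\" [SMTP:drop@attacker.test]"},'
    '{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;wire;bank"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"Set-Mailbox","UserId":"dave@example.org","Parameters":[]}',
]

def flatten_params(record):
    """Turn the audit record's Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def external_targets(value, internal):
    """Addresses in a forwarding parameter whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value) if a.rsplit("@", 1)[1].lower() not in internal]

def analyse_rule(record, internal=INTERNAL_DOMAINS):
    """Return a finding for an inbox rule that forwards outside the organisation, else None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = flatten_params(record)
    ext = [a for k in sorted(p.keys() & FORWARD_PARAMS) for a in external_targets(p[k], internal)]
    if not ext:
        return None
    words = " ".join(p[k] for k in sorted(p.keys() & KEYWORD_PARAMS)).lower()
    hits = sorted(t for t in FINANCIAL_TERMS if t in words)
    # Not mentioned on the page, but a common companion setting: deleting the forwarded copy
    # hides the rule's activity from the mailbox owner, so it raises severity as well.
    deletes = p.get("DeleteMessage", "").lower() == "true"
    return {"user": record.get("UserId"), "rule": p.get("Name"), "external": ext,
            "financial_keywords": hits, "deletes_copy": deletes,
            "severity": "high" if hits or deletes else "medium"}

def scan(log_lines, internal=INTERNAL_DOMAINS):
    """Run analyse_rule over JSON-lines audit records and keep the findings."""
    findings = (analyse_rule(json.loads(line), internal) for line in log_lines)
    return [f for f in findings if f]
```

On real data, feed `scan` the JSON records exported from the Unified Audit Log (one per line) and replace `INTERNAL_DOMAINS` with the tenant's accepted domains.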


References

  1. SANS – Data Incident 2020
  2. SANS – Data Incident 2020: Indicators of Compromise