SANS training company was hacked via a simple phishing email

Phishing remains one of the most effective cyberattack variants, and SANS is proof of that. Specialists report that the cybersecurity training firm fell victim to a phishing attack after one of its employees received a simple email.

SANS is one of the world’s leading IT security training firms, so many find it unusual that it fell for a phishing campaign so easily.


Through an alert posted on its website, SANS acknowledged that an employee fell into a trap that allowed threat actors to obtain login credentials and access to an enterprise email account. The incident was detected on August 6 during a routine review: “We identified a single phishing email as the attack vector. As a result, one of our employees’ email accounts was affected. We believe that there are no other accounts or systems compromised,” the SANS alert states.

After gaining access, the attacker configured a rule that forwarded every email received by the compromised account to an external address, and also installed a malicious Office 365 plugin. The company has not revealed any further details about the plugin, although the attackers likely used Office 365 OAuth to gain persistence in the email account.
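A defender can hunt for the forwarding behaviour described above in mailbox audit data. The following is an added example, not code from SANS or from the original article: it scans JSON-lines audit records for inbox rules or mailbox settings that forward mail outside the organisation. The record layout (`Operation`, `UserId`, `Parameters`) is assumed to follow an Office 365 unified audit log export, and `example.org`, the sample records and the function names are constructed for illustration.

```python
import json

# Assumption: the organisation's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.org"}

# Exchange Online operations that can set up forwarding, mapped to the
# parameters that carry the destination address.
RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARDING_PARAMS = {"New-InboxRule": RULE_PARAMS, "Set-InboxRule": RULE_PARAMS,
                     "Set-Mailbox": {"ForwardingSmtpAddress"}}

# Constructed sample records (JSON lines), not data from the SANS incident.
SAMPLE_LOG = """\
{"CreationTime":"2020-01-01T10:00:00","Operation":"New-InboxRule","UserId":"alice@example.org","Parameters":[{"Name":"Name","Value":"sync"},{"Name":"ForwardTo","Value":"smtp:drop@mailbox.invalid"}]}
{"CreationTime":"2020-01-01T10:05:00","Operation":"New-InboxRule","UserId":"bob@example.org","Parameters":[{"Name":"ForwardTo","Value":"carol@example.org"}]}
{"CreationTime":"2020-01-01T10:07:00","Operation":"Set-Mailbox","UserId":"dave@example.org","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:Dave@Other.invalid"}]}
{"CreationTime":"2020-01-01T10:09:00","Operation":"New-InboxRule","UserId":"erin@example.org","Parameters":[{"Name":"MoveToFolder","Value":"Archive"}]}
not-json debris line
"""

def external_targets(value):
    """Return the addresses in a forwarding parameter that leave the organisation."""
    found = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        domain = addr.rpartition("@")[2]
        if "@" in addr and domain not in INTERNAL_DOMAINS:
            found.append(addr)
    return found

def find_external_forwarding(log_text):
    """Return (time, user, operation, address) for each external forwarding target."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the hunt
        if not isinstance(rec, dict):
            continue
        wanted = FORWARDING_PARAMS.get(rec.get("Operation"), set())
        for param in rec.get("Parameters", []):
            if param.get("Name") in wanted:
                for addr in external_targets(str(param.get("Value", ""))):
                    alerts.append((rec.get("CreationTime"), rec.get("UserId"),
                                   rec["Operation"], addr))
    return alerts
```

Internal forwarding (bob to carol) and rules without a forwarding action are not reported; only the two records that send mail to a foreign domain are.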

In total, 513 emails were forwarded, from which around 28,000 personal records belonging to the company’s employees and customers can be obtained. SANS states that the exposed information does not include passwords or financial data, although full names, email addresses, telephone numbers, addresses, and more may be found.

As for the investigation, SANS’s own staff are in charge of handling the incident. The company says that all necessary measures have been taken to ensure that similar incidents are not repeated in the future. Affected users and employees are being notified and should be alert to any new phishing attempts that use the compromised information.