On August 11th the SANS Institute disclosed a data breach caused by a phishing email. The attack caused 513 emails to be forwarded to the attackers, and those emails contained 28,000 records of PII (personally identifiable information). SANS has since released the IOCs (indicators of compromise) for the phishing attack.

The phishing email pretended to be a file shared through a SANS SharePoint service. The lure was an Excel file called "CopyofJulyBonus24JUL2020.xls", and the email prompted the user to click an 'Open' button to access it. Clicking 'Open' redirected the user to a malicious website spoofed to look like an Office 365 login page. Once the user entered their O365 credentials, an add-on named 'Enable4Excel' was installed. This add-on then created a forwarding rule in the user's Outlook mailbox named 'Anti Spam Rule'. The rule watched incoming email for specific keywords; any message that matched was forwarded to an external address where the attackers could retrieve it. The keywords being monitored were:
agreement | Bank | bic | capital call | cash | Contribution | dividend | fund | iban | Payment | purchase | shares | swift | transfer | Wire | wiring info
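The forwarding rule described above is the part of this attack a defender can hunt for: an inbox rule that forwards or redirects mail to an address outside the tenant, filtered on finance vocabulary. Below is an added example of that hunt, written for this page and not code from the post or from SANS. It assumes inbox rules have been exported as JSON with field names modelled on what Exchange Online's Get-InboxRule cmdlet returns (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, SubjectContainsWords, BodyContainsWords, SubjectOrBodyContainsWords); the tenant domain example.org, the attacker.invalid and mail.invalid addresses, and the three sample rules are all constructed for the example.

```python
"""Flag Outlook inbox rules that forward finance-related mail to external addresses.

Added example, not code from the post or from SANS. Field names are modelled on
Exchange Online's Get-InboxRule output; the domains and sample rules below are
constructed for this example.
"""
import json
import re

# Assumption: the tenant's own accepted domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.org"}

# The keyword list from the post, lower-cased for case-insensitive matching.
FINANCE_KEYWORDS = {
    "agreement", "bank", "bic", "capital call", "cash", "contribution",
    "dividend", "fund", "iban", "payment", "purchase", "shares", "swift",
    "transfer", "wire", "wiring info",
}

# Get-InboxRule renders recipients like:  "Display Name" [SMTP:user@domain]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample export: a benign rule, a rule shaped like the one in the
# post, and a catch-all external redirect with no keyword filter.
SAMPLE_RULES_JSON = json.dumps([
    {"MailboxOwnerId": "alice@example.org", "Name": "Move newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "bob@example.org", "Name": "Anti Spam Rule",
     "Enabled": True,
     "ForwardTo": ['"collector" [SMTP:collector@attacker.invalid]'],
     "SubjectOrBodyContainsWords": ["Wire", "IBAN", "capital call", "Payment"]},
    {"MailboxOwnerId": "carol@example.org", "Name": "Backup",
     "Enabled": True,
     "RedirectTo": ['"me" [SMTP:carol.home@mail.invalid]']},
])


def extract_addresses(entries):
    """Pull SMTP addresses out of Get-InboxRule-style recipient strings."""
    found = []
    for entry in entries or []:
        found.extend(m.lower() for m in EMAIL_RE.findall(entry))
    return found


def is_external(address):
    """True when the address's domain is not one of the tenant's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def matched_finance_keywords(rule):
    """Finance keywords the rule filters on, across all content-match fields."""
    words = []
    for field in ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords"):
        words.extend(rule.get(field) or [])
    return sorted({w.strip().lower() for w in words} & FINANCE_KEYWORDS)


def analyze_rules(json_text):
    """Return one finding per enabled rule that sends mail outside the tenant.

    Severity is 'high' when the rule also filters on finance keywords (the
    pattern described in the post), otherwise 'medium'.
    """
    findings = []
    for rule in json.loads(json_text):
        if not rule.get("Enabled", True):
            continue
        targets = []
        for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets.extend(extract_addresses(rule.get(field)))
        external = sorted({t for t in targets if is_external(t)})
        if not external:
            continue
        keywords = matched_finance_keywords(rule)
        findings.append({
            "mailbox": rule.get("MailboxOwnerId"),
            "rule": rule.get("Name"),
            "external_targets": external,
            "matched_keywords": keywords,
            "severity": "high" if keywords else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_rules(SAMPLE_RULES_JSON):
        print(json.dumps(finding, indent=2))
```

On a real tenant the input would come from the Exchange Online PowerShell module (Get-InboxRule for each mailbox, piped to ConvertTo-Json) rather than the constructed list above. Two design points worth keeping: treat any external forward or redirect as a finding even without keywords, because a catch-all rule leaks more than a filtered one; and match on the rule's own filter words rather than on mail content, since the rule definition is what the attacker left behind.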
This phishing campaign was conducted on July 24th, 2020. According to the article, SANS was not the only company targeted: two other companies uploaded similar emails to VirusTotal.
https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/