{"id":6623,"date":"2020-08-29T22:44:06","date_gmt":"2020-08-30T02:44:06","guid":{"rendered":"http:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/?p=6623"},"modified":"2020-08-29T22:44:06","modified_gmt":"2020-08-30T02:44:06","slug":"sans-compromised-from-phishing-attack","status":"publish","type":"post","link":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/2020\/08\/29\/sans-compromised-from-phishing-attack\/","title":{"rendered":"SANS compromised from phishing attack"},"content":{"rendered":"<p>On August 11th the SANS Institute suffered a data breach due to a phishing email. The attack caused 513 emails to be forwarded to the attackers. The emails contained 28,000 records of PII (personally identifiable information). SANS has since released the IOCs (indicators of compromise) for the phishing attack. The phishing email pretended to be a file shared by a SANS SharePoint service. The malicious file was an Excel file called \u201cCopyofJulyBonus24JUL2020.xls\u201d. The email prompted the user to click on the \u2018Open\u2019 button to access the file. Once the user clicked \u2018Open\u2019, it redirected them to a malicious website that was spoofed to look like an Office 365 login page. Once the user entered their O365 credentials, an add-on named \u2018Enable4Excel\u2019 was installed. This add-on would then create a forwarding rule in the user\u2019s Outlook named \u2018Anti Spam Rule.\u2019 This rule monitored for specific keywords in emails. Once a match was found in an email, it would be forwarded to an external address where the attackers could retrieve the emails. The words that were being monitored were:<\/p>\n<p>agreement | Bank | bic | capital call | cash | Contribution | dividend | fund | iban | Payment | purchase | shares | swift | transfer | Wire | wiring info<\/p>\n<p>This phishing campaign was conducted on July 24<sup>th<\/sup>, 2020. According to the article, SANS was not the only company targeted. 
2 other companies uploaded similar emails to VirusTotal.<\/p>\n<p>https:\/\/www.bleepingcomputer.com\/news\/security\/sans-shares-details-on-attack-that-led-to-their-data-breach\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On August 11th the SANS institute suffered a data breach due to a phishing email. The attack caused 513 emails to be forwarded to the attackers. The emails contained 28,000 records of PII (personally identifiable information). SANS has since released the IOCs (indicators of compromise) for the phishing attack. The phishing email pretended to be [&hellip;]<\/p>\n","protected":false},"author":25060,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-6623","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-uncategorized","7":"entry"},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/posts\/6623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/users\/25060"}],"replies":[{"embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/comments?post=6623"}],"version-history":[{"count":1,"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/posts\/6623\/revisions"}],"predecessor-version":[{"id":6624,
"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/posts\/6623\/revisions\/6624"}],"wp:attachment":[{"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/media?parent=6623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/categories?post=6623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/community.mis.temple.edu\/mis5211sec702fall2020\/wp-json\/wp\/v2\/tags?post=6623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}