[BreachExchange] SANS Institute Says Multiple Employees Targeted in Recent Attack

Tue Aug 18 09:49:30 EDT 2020

https://www.securityweek.com/sans-institute-says-multiple-employees-targeted-recent-attack

The SANS Institute says the recently disclosed security incident
involved phishing emails being sent to several of its employees.

The attack was discovered on August 6 and resulted in 28,000 records
of personally identifiable information (PII) being forwarded to an
external, unknown email address. A total of 513 emails were forwarded,
but most of them did not include important information.

Following the initial disclosure of the security incident, SANS
published indicators of compromise associated with it, revealing that,
on July 24, the attackers sent a phishing email to multiple employees,
although only one of them fell to the trick.

“[T]he phishing email enticed a single user to install a malicious
Office 365 add-in for their account. The O365 add-in caused a
forwarding rule to be configured on the victim’s account, which
resulted in 513 emails being forwarded to an unknown external email
address,” SANS explains.

The email, which carried the subject “File ‘Copy of sans July Bonus
24JUL2020.xls’ has been shared with <recipient>,” appeared to come
from an Office 365 asset, the company notes.

As part of the attack, the victim was lured into clicking an “Open”
button. This resulted in the malicious Office 365 app being installed,
to configure an email forwarding rule containing keywords associated
with financial data.

Named Enable4Excel, the malicious Office 365 add-in closely resembles
a legitimate Salesforce add-in called Enabler4Excel, SANS also
explains.

“Based on the users who received the phishing email and the data the
attacker was interested in acquiring via the malicious email
forwarding rule, there is no indication that this directly targeted
the SANS organization or its customers. The attack appears to have
been opportunistic with financial theft the intent,” SANS says.

Last week, the company reported that the data the attackers accessed
did not contain passwords or financial information, such as credit
card data. The company is in the process of informing the affected
users about the incident, but says it did not alert the authorities,
instead choosing to run its own investigation.

“[T]he SANS data protection team considered whether any legal
requirements were triggered, whether in respect of US or EU laws. We
concluded that they were not. A full risk assessment was made
involving the nature and quality of the data and whether the risks
around this data were potentially significant to our customers,” SANS
says.

The company also revealed that limited professional contact data was
affected in the incident, that most of it could have been found in the
public domain, and that, in its opinion, the incident did not meet the
legal reporting criteria.

“Even though SANS was not legally required to report the incident,
SANS nonetheless notified its affected customers in the interests of
full transparency, as a matter of good practice, and to ensure that
our affected customers had relevant information at hand,” the company
notes.