The SANS Institute, a leading provider of cybersecurity training and certification services, has suffered a phishing attack in which the email account of one of its employees was compromised. The phishing attack was detected on August 6, 2020 during a review of its email system configuration.
The SANS Institute issued a statement confirming that only a single email account was compromised, the result of one employee responding to a single phishing email. After gaining access to the account, the attacker set up a mail forwarding rule that forwarded every email received in the account to an unknown external email address. A malicious Office 365 add-in was also installed on the account.
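As an added illustration, not from the original article or from SANS, this is the kind of configuration review that surfaces a rule like the one described above: a Python script that parses an inbox-rule export, modelled loosely on the fields Exchange Online's Get-InboxRule cmdlet returns, and flags any rule that forwards or redirects mail to an address outside the organisation's own domains. The export records, the mailboxes and the example.org domain are all constructed for the example.

```python
"""Audit mailbox inbox rules for forwarding to external addresses.

Added example, not SANS's own tooling. Record fields are modelled loosely
on Exchange Online's Get-InboxRule output exported to JSON; every record
below is constructed sample data.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains treated as internal; example.org is an assumed placeholder.
INTERNAL_DOMAINS = {"example.org"}

# Exchange can render a recipient as "addr", "Name <addr>" or
# "Name [SMTP:addr]"; pull the bare address out of any of them.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed export: a rule with no forwarding, an internal forward,
# and one that sends every message to an unknown external address.
SAMPLE_EXPORT = json.dumps([
    {"Mailbox": "alice@example.org", "Name": "Move newsletters",
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "bob@example.org", "Name": "Copy to assistant",
     "ForwardTo": ["Carol Jones [SMTP:carol@example.org]"],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "dave@example.org", "Name": ".",
     "ForwardTo": ["collector@mail-example.net"],
     "RedirectTo": [], "ForwardAsAttachmentTo": []},
])

@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule_name: str
    action: str
    recipient: str

def extract_address(recipient: str) -> Optional[str]:
    match = ADDRESS_RE.search(recipient)
    return match.group(0).lower() if match else None

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def audit_rules(export_json: str) -> List[Finding]:
    """Return one Finding per forward/redirect target that is external
    or cannot be parsed (unparseable targets are flagged for review)."""
    findings = []
    for rule in json.loads(export_json):
        for action in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            for recipient in rule.get(action) or []:
                address = extract_address(recipient)
                if address is None or is_external(address):
                    findings.append(Finding(rule["Mailbox"], rule["Name"],
                                            action, recipient))
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT):
        print(f"{f.mailbox}: rule {f.rule_name!r} {f.action} -> {f.recipient}")
```

Run against a real export, the same check belongs in a scheduled review rather than a one-off, since a rule added after the audit is exactly the case the SANS incident describes.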
In total, 513 emails were forwarded to the attacker’s email account. An analysis of those emails revealed they contained the personally identifiable information of 28,000 SANS Institute members. The emails contained information such as names, email addresses, phone numbers, addresses, company names, and job titles.
Since email addresses have been obtained by an individual who conducts phishing attacks, all affected members have been advised to exercise caution with emails and to be on high alert in case they too are sent targeted phishing emails. Those emails could well be personalized, using the data detailed in the stolen emails.
A full forensic investigation is currently underway to determine whether the attacker compromised any other systems. The investigation is being conducted internally by the SANS Institute’s digital forensics team.
The SANS Institute said it will be holding a webcast on the incident and will be using it as an opportunity to help the greater security community.
While the phishing attack will be embarrassing for the SANS Institute, the incident shows that even individuals who have received a high level of training can fall for phishing emails on occasion. It demonstrates the importance of having multiple layers of protection, of monitoring email systems for signs of compromise, and of everyone remaining constantly alert to the threat of a phishing attack.