Connect with us

Hi, what are you looking for?



SANS Institute Says Multiple Employees Targeted in Recent Attack

The SANS Institute says the recently disclosed security incident involved phishing emails being sent to several of its employees.

The SANS Institute says the recently disclosed security incident involved phishing emails being sent to several of its employees.

The attack was discovered on August 6 and resulted in 28,000 records of personally identifiable information (PII) being forwarded to an external, unknown email address. A total of 513 emails were forwarded, but most of them did not include important information.

Following the initial disclosure of the security incident, SANS published indicators of compromise associated with it, revealing that, on July 24, the attackers sent a phishing email to multiple employees, although only one of them fell to the trick.

“[T]he phishing email enticed a single user to install a malicious Office 365 add-in for their account. The O365 add-in caused a forwarding rule to be configured on the victim’s account, which resulted in 513 emails being forwarded to an unknown external email address,” SANS explains.

The email, which carried the subject “File ‘Copy of sans July Bonus 24JUL2020.xls’ has been shared with <recipient>,” appeared to come from an Office 365 asset, the company notes.

As part of the attack, the victim was lured into clicking an “Open” button. This resulted in the malicious Office 365 app being installed, to configure an email forwarding rule containing keywords associated with financial data.

Named Enable4Excel, the malicious Office 365 add-in closely resembles a legitimate Salesforce add-in called Enabler4Excel, SANS also explains.

Advertisement. Scroll to continue reading.

“Based on the users who received the phishing email and the data the attacker was interested in acquiring via the malicious email forwarding rule, there is no indication that this directly targeted the SANS organization or its customers. The attack appears to have been opportunistic with financial theft the intent,” SANS says.

Last week, the company reported that the data the attackers accessed did not contain passwords or financial information, such as credit card data. The company is in the process of informing the affected users about the incident, but says it did not alert the authorities, instead choosing to run its own investigation.

“[T]he SANS data protection team considered whether any legal requirements were triggered, whether in respect of US or EU laws. We concluded that they were not. A full risk assessment was made involving the nature and quality of the data and whether the risks around this data were potentially significant to our customers,” SANS says.

The company also revealed that limited professional contact data was affected in the incident, that most of it could have been found in the public domain, and that, in its opinion, the incident did not meet the legal reporting criteria.

“Even though SANS was not legally required to report the incident, SANS nonetheless notified its affected customers in the interests of full transparency, as a matter of good practice, and to ensure that our affected customers had relevant information at hand,” the company notes.

Related: SANS Institute Says 28,000 User Records Exposed in Email Breach

Related: LiveAuctioneers Data Breach Impacts 3.4 Million Users

Related: Cognizant Says Data Was Stolen in April Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...