The SANS cybersecurity training organization has suffered a data breach after one of their employees fell victim to a phishing attack.
The SANS Institute is one of the largest organizations that offer information security training and security certification to users worldwide.
In a notification posted to their site today, SANS states that one of their employees fell for a phishing attack that allowed a threat actor to gain access to their email account.
This compromise was discovered on August 6th as part of a review of their organization's email configuration.
"We have identified a single phishing e-mail as the vector of the attack. As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised," states the SANS data incident notification.
The threat actor then proceeded to configure a rule that forwarded all email received in this account to an "unknown external email address" and installed a malicious Office 365 add-on.
SANS has not provided much information about this add-on, but it likely an Office 365 Oauth app used to gain persistence to the email account.
Example Office 365 OAuth app
This configured rule forwarded a total of 513 emails, with some containing a total of approximately 28,000 records of personal information (PII) for SANS members.
This information does not include passwords or financial information such as credit cards, does include email addresses, full names, phone numbers, work title, company names, and physical addresses.
SANS instructors are conducting the investigation
As a cybersecurity training organization, few entities are better equipped to perform the incident response into this compromise using their own personnel.
As such, SANS states that their digital forensics instructions are heading up the investigation and are working to make sure no other systems are compromised and harden their existing systems and security.
As an educational opportunity, SANS states that they will host a webcast that includes information about this incident that would be useful to the greater security community.
"SANS digital forensics instructors are heading up the investigation. We are working to ensure that no other information was compromised and to identify opportunities to harden our systems and improve our response. When the investigation is complete, we will run a webcast to outline our learnings if there is information that we think would be useful to the community."
Those affected are being notified and should be on the lookout for targeted phishing attacks utilizing the stolen information.
BleepingComputer has reached out to SANS to learn more about the phishing attack and whether it was targeted but has not heard back.