On August 11, 2020 the cybersecurity training provider SANS Institute announced that it had suffered a data breach. The breach was the result of a consent phishing campaign launched against the institute's employees in late July. Consent phishing is the attempt by attackers to trick a target into installing a malicious application, or granting one access to the target's account, so that the application's permissions, rather than a stolen password, give the attacker what they need. Only one employee took the bait, which led to more than 500 of the organization's emails being forwarded to the attackers and exposed 28,000 records of personally identifiable information, including names, work titles, physical addresses, and email addresses of training attendees.
The breach was discovered on August 6, when the security team found a suspicious forwarding rule during a routine review of email configuration. The rule was blocked immediately and an investigation was launched to determine where it had come from. The investigation revealed that the attackers had sent several employees a carefully crafted email that looked like a legitimate SharePoint file share sent through Office 365. The email enticed the recipients to click a link that installed a malicious Office 365 add-in. Only one employee authorized the installation; that employee was then asked to grant the add-in the additional permissions it needed to set up a forwarding rule, and granted them. With those permissions in hand, the attackers used the add-in to create a rule that automatically forwarded the employee's email to an address they controlled.
The breach at a cybersecurity training authority shows that anyone can be targeted by, and fall victim to, these phishing attacks. No organization is immune to security slip-ups: it takes just one uninformed, negligent, or distracted employee to trigger an incident with serious consequences. To mitigate the risk, organizations must develop and implement a continuous security monitoring plan and a resilient incident response plan, and must be able to identify and contain security incidents quickly in order to limit their impact. The regular review of email configuration at the SANS Institute was key to discovering the breach; had it not been in place, the data leak might have gone on for much longer. The institute's response has also been commendable. The quick removal of the attacker's access, the prompt determination of the extent of the leak, the notification of the affected persons, and the transparency with which the institute disclosed the details of the breach for others to learn from together constitute a model for other organizations to follow.
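The "routine review of email configuration" that caught this breach can be automated. The script below is an added example (not code from the original post, nor from SANS or Mitiget) that runs two detections over Office 365 audit-style records: it flags inbox rules whose forwarding target lies outside the organization, and it flags OAuth consent grants in which a non-vetted app receives mail or mailbox-settings permissions, which is exactly what the employee was asked to approve. The records, the domain list, the allow-listed app and the app name "Doc Share Viewer" are all constructed assumptions for the example; the field layout only loosely follows the Unified Audit Log, so the two accessors need adapting to a real export.

```python
"""Detect the two artefacts a consent-phishing compromise leaves in Office 365
audit records: (1) an OAuth consent grant carrying mail or mailbox-settings
permissions and (2) an inbox rule that forwards mail outside the organisation.

All records below are constructed for this example. Field names follow the
Unified Audit Log only loosely (real Exchange records carry rule parameters as
a Name/Value list, and forwarding targets may be formatted as display-name
plus SMTP address; real consent records nest permissions in
ExtendedProperties), so adapt the accessors to the export you actually have."""
from typing import Dict, Iterable, List

ORG_DOMAINS = {"example.org"}        # assumption: the tenant's accepted domains
ALLOWED_APPS = {"Microsoft Teams"}   # assumption: apps vetted by the organisation

# Delegated scopes that let an app read mail or change mailbox settings
# (inbox rules are mailbox settings). Any grant containing one of these to a
# non-vetted app is worth a look.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}

# Inbox-rule parameters that send a copy of the message somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def is_external(address: str) -> bool:
    """True when the address' domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].strip("<>").lower()
    return domain not in ORG_DOMAINS


def check_inbox_rule(record: Dict) -> List[Dict]:
    """Flag New-/Set-InboxRule records with an external forwarding target."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    findings = []
    for key in FORWARDING_PARAMS:
        targets = [t.strip() for t in params.get(key, "").split(";") if t.strip()]
        external = [t for t in targets if is_external(t)]
        if external:
            findings.append({"kind": "external_forwarding_rule",
                             "user": record["UserId"],
                             "detail": f"{record['Operation']} {key} -> "
                                       + ", ".join(external)})
    return findings


def check_consent(record: Dict) -> List[Dict]:
    """Flag consent grants that give a non-vetted app high-risk scopes."""
    risky = sorted(set(record.get("Permissions", "").split()) & HIGH_RISK_SCOPES)
    if risky and record.get("AppDisplayName") not in ALLOWED_APPS:
        return [{"kind": "risky_app_consent",
                 "user": record["UserId"],
                 "detail": f"{record['AppDisplayName']} granted {' '.join(risky)}"}]
    return []


CHECKS = {"New-InboxRule": check_inbox_rule,
          "Set-InboxRule": check_inbox_rule,
          "Consent to application.": check_consent}


def audit(records: Iterable[Dict]) -> List[Dict]:
    """Route each record to the check registered for its Operation."""
    findings: List[Dict] = []
    for rec in records:
        check = CHECKS.get(rec.get("Operation"))
        if check:
            findings.extend(check(rec))
    return findings


# Constructed sample records, not a real audit-log export.
SAMPLE_RECORDS = [
    {  # consent step: the user approves an add-in that asks for mail access
        "CreationTime": "2020-07-24T09:12:00", "Operation": "Consent to application.",
        "UserId": "alice@example.org", "AppDisplayName": "Doc Share Viewer",
        "Permissions": "User.Read Mail.ReadWrite MailboxSettings.ReadWrite"},
    {  # persistence step: the add-in creates a rule forwarding mail out
        "CreationTime": "2020-07-24T09:13:30", "Operation": "New-InboxRule",
        "UserId": "alice@example.org",
        "Parameters": [{"Name": "Name", "Value": "Archive"},
                       {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {  # benign: forwarding to a colleague stays inside the organisation
        "CreationTime": "2020-07-25T10:00:00", "Operation": "New-InboxRule",
        "UserId": "bob@example.org",
        "Parameters": [{"Name": "ForwardTo", "Value": "carol@example.org"}]},
    {  # benign: a vetted app, even though it asks for a mail scope
        "CreationTime": "2020-07-25T11:00:00", "Operation": "Consent to application.",
        "UserId": "bob@example.org", "AppDisplayName": "Microsoft Teams",
        "Permissions": "User.Read Mail.Read"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"[{f['kind']}] {f['user']}: {f['detail']}")
```

Running the script reports exactly two findings for the constructed records: the risky consent grant and the external forwarding rule, both for the same user and within two minutes of each other, which is the pairing an analyst should treat as a consent-phishing compromise rather than two separate oddities. On a real tenant, pair this review with the preventive side: restrict which apps users may consent to, and block automatic forwarding to external domains so a rule like the one above cannot deliver anything even if it is created.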
With today's enterprise environment more mobile than ever, trends show that consent phishing attacks are on the rise. As in the attack on the SANS Institute, attackers target remote workers and cloud services with permission-seeking applications to gain access to valuable data, rather than trying to steal user credentials. Mitiget advises individuals and organizations to understand what data and permissions an application is requesting before approving it. Watch for the key indicators of consent phishing: grammar and spelling mistakes in the email and on the app consent screen, and spoofed domain names.