Breached in the SANS Institute

August 24, 2020
sans institute data breach spear-phishing email spearphishing malware antimalware antiphishing solutions

Recent news spread within the Cybersecurity community is about the data breach suffered by the SANS Institute. Being known for providing certification and training about network security, this only proves that everyone is susceptible to such malicious activity. According to SANS Institute, they have shared this incident for the community to be able to mitigate plans in case of an attack or possibly be able to avoid the intrusion from the threat actors given the evidence they have gathered on the things they have experienced. 

Based on the shared report, the intrusion started through a spearphishing email that was baited onto one of SANS employees. The email mimicry the company email network, and with its ingenuity of using salary increase as its subject, the victim was fallen to the perpetrators trap. In the process of opening the attached file where the malware is embedded, the victim was asked to provide permission to a specific app that is needed to open the attachment and then lastly to enter their 0ffice 365 credentials. Unknowingly, the app and the authentication page are already the domains controlled by the perpetrators. With the exploitation of the Open Authenticator process, the user can provide permission to a particular app to access information and another app on the compromised system. As perpetrators can infiltrate the user’s system, they were able to scan its files and email information using keyword matching that led to their client’s Personal Information Identifier be delivered to untraceable storage controlled by the hackers. Keywords that were used usually pertains to classified information and mostly about money transactions.  

This information has been submitted to VirusTotal for further collaboration of knowledge and information dissemination as SANS Institute had confirmed that other companies have also been targeted with the same modus operandi.  

As an institution that provides information about network security and through its experience, they released this news for the user and network administrator awareness.


SANS Institute provided instructions to customized Open Authentication app permission to avoid such intrusion and limit its access to the system.


For network administrators, it is to add on their routine maintenance to check systems for any unauthorized app installation that might be from any threat actors.  

Generally, they are discouraged from installing any app, especially those from untrusted sources, as these have a high chance of being exposed to malware and Spywares. If possible, limit users to install anything on the system, especially apps from the net. Then, proactively provide the latest news and awareness to all employees of recent threats to educate them to possibly stop the attack already from the front liner level. Everyone is expected to be vigilant and scrutinized information from the internet as perpetrators are always there to find ways through your network. 

About the author

Leave a Reply