SANS Data Incident 2020 – Indicators of Compromise
released on 2020-08-15 @ 07:48:35 PM
On Tuesday, August 11, 2020, SANS disclosed a security breach that resulted from a successful phishing campaign. As described in the disclosure found at https://www.sans.org/dataincident2020, the phishing email enticed a single user to install a malicious Office 365 add-in for their account. The O365 add-in caused a forwarding rule to be configured on the victim’s account, which resulted in 513 emails being forwarded to an unknown external email address. In this article, we are publishing specific details and indicators of compromise associated with this attack in the hope that they will help the community detect and respond to any similar attacks.