We have published the IOCs associated with the phishing incident at @SANSInstitute sans.org/dataincident20… IOCs can be fond here: sans.org/blog/sans-data…

@robtlee @sansforensics @SANSInstitute It really takes a hell of a spine to be open about this kind of thing in our industry. Respect, y’all.

@robtlee @SANSInstitute Great response, thank you for being so open. Are you able to share any detail on what alerted you to the rule? I see the webcast overview says it was identified in "a systematic review of email configuration and rules” - did something trigger that review or was it just routine?

@robtlee @sansforensics @SANSInstitute Nice transparency. Thanks!

@robtlee @SANSInstitute I wonder @robtlee if SANS are considering implementing a DMARC policy on their domain based off this event? From what I've seen, the email spoofs the recipient domain, so quarantining or rejecting DMARC failures could have helped prevent the initial delivery...?

@robtlee @Ch33r10 @SANSInstitute is there an indication of email forwadring activity?

@robtlee @SANSInstitute Well done! Thank you all for being so open.

@robtlee @JHX_1138 @SANSInstitute Thanks for sharing!